Cisco NVM - Suspicious Network Connection Initiated via MsXsl

Original Source: [splunk source]
Name:Cisco NVM - Suspicious Network Connection Initiated via MsXsl
id:1cbcf75f-0e45-4f29-8c1b-7fcd7e55cc55
version:1
date:2025-07-03
author:Nasreddine Bencherchali, Splunk
status:production
type:Anomaly
Description:This analytic identifies the use of `msxsl.exe` initiating a network connection to a non-private IP address. Although `msxsl.exe` is a legitimate Microsoft utility used to apply XSLT transformations, adversaries can abuse it to execute arbitrary code or load external resources in an evasive manner. This detection leverages Cisco NVM telemetry to identify potentially malicious use of `msxsl.exe` making network connections that may indicate command and control (C2) or data exfiltration activity.
Data_source:
  • -Cisco Network Visibility Module Flow Data
search:`cisco_network_visibility_module_flowdata`
process_name = "msxsl.exe"
NOT dest IN (
"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
"127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
"192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
"192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
"198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1"
)
| stats count min(_time) as firstTime max(_time) as lastTime
values(parent_process_arguments) as parent_process_arguments
values(process_arguments) as process_arguments
values(parent_process_hash) as parent_process_hash
values(process_hash) as process_hash
values(module_name_list) as module_name_list
values(module_hash_list) as module_hash_list
values(dest_port) as dest_port
values(aliul) as additional_logged_in_users_list
values(dest_hostname) as dest_hostname
by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table
parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
process_integrity_level process_path process_name process_arguments process_hash process_id
additional_logged_in_users_list module_name_list module_hash_list
src dest_hostname dest dest_port transport firstTime lastTime
| `cisco_nvm___suspicious_network_connection_initiated_via_msxsl_filter`


how_to_implement:This search requires Network Visibility Module logs, which includes the flow data sourcetype. This search uses an input macro named `cisco_network_visibility_module_flowdata`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Cisco Network Visibility Module logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. The logs are to be ingested using the Splunk Add-on for Cisco Endpoint Security Analytics (CESA) (https://splunkbase.splunk.com/app/4221).
known_false_positives:False positives may occur in development or administrative environments where msxsl.exe is used for legitimate XML transformations. However, its use is uncommon in standard user activity and should be reviewed in most environments.
References:
  -https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/
 drilldown_searches:
name:'View the detection results for - "$src$"'
search:'%original_detection_search% | search src = "$src$"'
earliest_offset:'$info_min_time$'
latest_offset:'$info_max_time$'
name:'View risk events for the last 7 days for - "$src$"'
search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset:'$info_min_time$'
latest_offset:'$info_max_time$'
tags:
  analytic_story:
    - 'Cisco Network Visibility Module Analytics'
  asset_type:Endpoint
  mitre_attack_id:
    - 'T1220'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
  security_domain:endpoint

tests:
name:'True Positive Test - Cisco NVM'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_network_visibility_module/cisco_nvm_flowdata/nvm_flowdata.log
  source: not_applicable
  sourcetype: cisco:nvm:flowdata
manual_test:None

Related Analytic Stories


Cisco Network Visibility Module Analytics

© 2024 DetectionCode Website. All Rights Reserved.