Name:Cisco Secure Firewall - File Download Over Uncommon Port id:f26445a8-a6a2-4855-bec0-0c39e52e5b8f version:1 date:2025-04-07 author:Nasreddine Bencherchali, Splunk status:production type:Anomaly Description:The following analytic detects file transfers flagged as malware that occurred over non-standard ports (other than 80 and 443). Adversaries may attempt to bypass protocol-based detection or use alternate ports to blend in with other traffic. This analytic identifies these non-conventional flows and surfaces potential evasion techniques. If confirmed malicious this indicate potential malware delivery or other nefarious activity.
Data_source:
-Cisco Secure Firewall Threat Defense File Event
search:`cisco_secure_firewall` EventType=FileEvent FileDirection="Download" NOT dest_port IN (80, 443) | lookup cisco_secure_firewall_filetype_lookup Name as FileType OUTPUT Description | stats count min(_time) as firstTime max(_time) as lastTime values(file_name) as file_name values(uri) as uri values(ClientApplication) as ClientApplication values(file_hash) as file_hash values(SHA_Disposition) as SHA_Disposition by FileDirection FileType app ThreatName dest_port Description src_ip dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime src_ip dest dest_port FileDirection FileType Description uri ClientApplication file_name file_hash SHA_Disposition ThreatName | `cisco_secure_firewall___file_download_over_uncommon_port_filter`
how_to_implement:This search requires Cisco Secure Firewall Threat Defense Logs, which
includes the FileEvent EventType. This search uses an input macro named `cisco_secure_firewall`.
We strongly recommend that you specify your environment-specific configurations
(index, source, sourcetype, etc.) for Cisco Secure Firewall Threat Defense logs. Replace the macro definition
with configurations for your Splunk environment. The search also uses a post-filter
macro designed to filter out known false positives.
The logs are to be ingested using the Splunk Add-on for Cisco Security Cloud (https://splunkbase.splunk.com/app/7404).
The malware & file access policy must also enable logging.
known_false_positives:Some legitimate applications may download files over custom ports (e.g., CDN mirrors, APIs). Apply additional filters accordingly. References: -https://www.cisco.com/c/en/us/td/docs/security/firepower/741/api/FQE/secure_firewall_estreamer_fqe_guide_740.pdf drilldown_searches: name:'View the detection results for - "$src_ip$"' search:'%original_detection_search% | search src_ip = "$src_ip$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$src_ip$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Cisco Secure Firewall Threat Defense Analytics' asset_type:Endpoint mitre_attack_id: - 'T1105' - 'T1571' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' security_domain:endpoint
