Cisco NVM - Webserver Download From File Sharing Website

This analytic detects unexpected outbound network connections initiated by known webserver processes such as `httpd.exe`, `nginx.exe`, or `tomcat.exe` to common file sharing or public content hosting services like GitHub, Discord CDN, Transfer.sh, or Pastebin. Webservers are rarely expected to perform outbound downloads, especially to dynamic or anonymous file hosting domains. This behavior is often associated with server compromise, where an attacker uses a reverse shell, webshell, or injected task to fetch malware or tools post-exploitation. The detection leverages Cisco Network Visibility Module flow data, enriched with process context, to identify this highly suspicious behavior.