splApache-2.0from splunk/security_content

Cisco Secure Firewall - Binary File Type Download

The following analytic detects file downloads involving executable, archive, or scripting-related file types that are commonly used in malware delivery. These file types include formats like PE executables, shell scripts, autorun files, installers, and known testing samples such as EICAR. This detection leverages Cisco Secure Firewall Threat Defense logs and enriches the results using a filetype lookup to provide context. If confirmed malicious, these downloads could indicate the initial infection vector, malware staging, or scripting abuse.

Quality

FP risk

—

Forks

Views

Rule source🔒 locked

title: ████████████████████████
id: ████████-████-████-████-████████████
status: ██████████
description: ██████████████████████████████████████████
             ████████████████████████████████████████
author: ████████
tags:
  - attack.████
  - attack.████
logsource:
  product: ████████
  category: ████████████
detection:
  selection:
    Image|endswith: '████████████████'
    CommandLine|contains:
      - '████████████████████████'
      - '████████████████████████'
      - '██████████████████'
  condition: selection
level: ████████
falsepositives:
  - ████████████████████

🔒

Sign in to view the rule source

Free accounts can view the source for the top-ranked rules. Create one in seconds — no credit card required.