
Cisco Secure Firewall - File Download Over Uncommon Port

Status: production
Severity: low
Group by: FileDirection, FileType, ThreatName, app, description, dest, destination_port, src
Author: Nasreddine Bencherchali, Splunk
Source: github.com/splunk/security_content

The following analytic detects file transfers flagged as malware that occurred over non-standard ports (other than 80 and 443). Adversaries may attempt to bypass protocol-based detection or use alternate ports to blend in with other traffic. This analytic identifies these non-conventional flows and surfaces potential evasion techniques. If confirmed malicious, this indicates potential malware delivery or other nefarious activity.

MITRE ATT&CK coverage

Tactic | Techniques
Command & Control | T1105 Ingress Tool Transfer, T1571 Non-Standard Port

Rule body (splunk)

name: Cisco Secure Firewall - File Download Over Uncommon Port
id: f26445a8-a6a2-4855-bec0-0c39e52e5b8f
version: 8
creation_date: '2025-04-09'
modification_date: '2026-05-13'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
description: |
    The following analytic detects file transfers flagged as malware that occurred over non-standard ports (other than 80 and 443). Adversaries may attempt to bypass protocol-based detection or use alternate ports to blend in with other traffic. This analytic identifies these non-conventional flows and surfaces potential evasion techniques. If confirmed malicious, this indicates potential malware delivery or other nefarious activity.
data_source:
    - Cisco Secure Firewall Threat Defense File Event
search: |
    `cisco_secure_firewall` EventType=FileEvent FileDirection="Download" NOT dest_port IN (80, 443)
    | lookup cisco_secure_firewall_filetype_lookup Name as FileType OUTPUT Description
    | stats count min(_time) as firstTime max(_time) as lastTime
            values(file_name) as file_name
            values(uri) as uri
            values(ClientApplication) as ClientApplication
            values(file_hash) as file_hash
            values(SHA_Disposition) as SHA_Disposition
            by FileDirection FileType app ThreatName dest_port Description src dest
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | table firstTime lastTime src dest dest_port FileDirection FileType Description uri ClientApplication file_name file_hash SHA_Disposition ThreatName
    | `cisco_secure_firewall___file_download_over_uncommon_port_filter`
how_to_implement: |
    This search requires Cisco Secure Firewall Threat Defense Logs, which
    includes the FileEvent EventType. This search uses an input macro named `cisco_secure_firewall`.
    We strongly recommend that you specify your environment-specific configurations
    (index, source, sourcetype, etc.) for Cisco Secure Firewall Threat Defense logs. Replace the macro definition
    with configurations for your Splunk environment. The search also uses a post-filter
    macro designed to filter out known false positives.
    The logs are to be ingested using the Splunk Add-on for Cisco Security Cloud (https://splunkbase.splunk.com/app/7404).
    The malware & file access policy must also enable logging.
known_false_positives: Some legitimate applications may download files over custom ports (e.g., CDN mirrors, APIs). Apply additional filters accordingly.
references:
    - https://www.cisco.com/c/en/us/td/docs/security/firepower/741/api/FQE/secure_firewall_estreamer_fqe_guide_740.pdf
drilldown_searches:
    - name: View the detection results for - "$src$"
      search: '%original_detection_search% | search  src = "$src$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$src$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
intermediate_findings:
    entities:
        - field: src
          type: system
          score: 20
          message: The host $src$ downloaded a file $file_name$ of type $FileType$ from $dest$ over the uncommon port $dest_port$
threat_objects:
    - field: file_hash
      type: file_hash
    - field: file_name
      type: file_name
analytic_story:
    - Cisco Secure Firewall Threat Defense Analytics
asset_type: Endpoint
mitre_attack_id:
    - T1105
    - T1571
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: network
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/file_event/file_events.log
          source: not_applicable
          sourcetype: cisco:sfw:estreamer
      test_type: unit

Stages and Predicates

Stage 1: search

`cisco_secure_firewall` EventType=FileEvent FileDirection="Download" NOT dest_port IN (80, 443)

Stage 2: lookup

| lookup cisco_secure_firewall_filetype_lookup Name as FileType OUTPUT Description
Lookup table: cisco_secure_firewall_filetype_lookup
Key field: Name as FileType
Output columns: Description

Stage 3: stats

| stats count min(_time) as firstTime max(_time) as lastTime
        values(file_name) as file_name
        values(uri) as uri
        values(ClientApplication) as ClientApplication
        values(file_hash) as file_hash
        values(SHA_Disposition) as SHA_Disposition
        by FileDirection FileType app ThreatName dest_port Description src dest

Stage 4: search

| `security_content_ctime(firstTime)`

Stage 5: search

| `security_content_ctime(lastTime)`

Stage 6: table

| table firstTime lastTime src dest dest_port FileDirection FileType Description uri ClientApplication file_name file_hash SHA_Disposition ThreatName

Stage 7: search

| `cisco_secure_firewall___file_download_over_uncommon_port_filter`
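To make the stage logic concrete, here is an added Python re-implementation of stages 1 to 3 and the post-filter macro, run over constructed FileEvent records. This is example code written for this page, not code from the splunk/security_content project; the sample events, the lookup rows standing in for `cisco_secure_firewall_filetype_lookup`, and the known-good destination set standing in for the `_filter` macro are all invented. It reproduces one Splunk behaviour worth knowing when tuning this rule: `stats ... by ... Description` silently drops any event whose FileType has no lookup match, because a null by-field excludes the event from the stats output.

```python
"""Added example: the detection's stage 1-3 logic plus post-filter in Python.
Not part of the splunk/security_content rule; all sample data is constructed."""

# Constructed sample events in the shape the SPL search expects.
SAMPLE_EVENTS = [
    # Two downloads of the same flagged executable, same flow -> one row, count 2
    {"_time": 1700000000, "EventType": "FileEvent", "FileDirection": "Download",
     "dest_port": 8081, "FileType": "MSEXE", "app": "HTTP", "ThreatName": "W32.Generic",
     "src": "10.0.0.5", "dest": "203.0.113.10", "file_name": "update.exe",
     "uri": "/dl/update.exe", "ClientApplication": "curl", "file_hash": "a" * 64,
     "SHA_Disposition": "Malware"},
    {"_time": 1700000060, "EventType": "FileEvent", "FileDirection": "Download",
     "dest_port": 8081, "FileType": "MSEXE", "app": "HTTP", "ThreatName": "W32.Generic",
     "src": "10.0.0.5", "dest": "203.0.113.10", "file_name": "update2.exe",
     "uri": "/dl/update2.exe", "ClientApplication": "curl", "file_hash": "b" * 64,
     "SHA_Disposition": "Malware"},
    # Port 443 -> removed by the NOT dest_port IN (80, 443) exclusion
    {"_time": 1700000120, "EventType": "FileEvent", "FileDirection": "Download",
     "dest_port": 443, "FileType": "MSEXE", "app": "HTTPS", "ThreatName": "W32.Generic",
     "src": "10.0.0.6", "dest": "203.0.113.11", "file_name": "x.exe", "uri": "/x.exe",
     "ClientApplication": "Chrome", "file_hash": "c" * 64, "SHA_Disposition": "Malware"},
    # Upload direction -> not in scope for this rule
    {"_time": 1700000180, "EventType": "FileEvent", "FileDirection": "Upload",
     "dest_port": 2222, "FileType": "ZIP", "app": "HTTP", "ThreatName": "W32.Generic",
     "src": "10.0.0.6", "dest": "203.0.113.12", "file_name": "out.zip", "uri": "/up",
     "ClientApplication": "curl", "file_hash": "d" * 64, "SHA_Disposition": "Malware"},
    # Not a FileEvent at all
    {"_time": 1700000240, "EventType": "ConnectionEvent", "FileDirection": "Download",
     "dest_port": 9000, "FileType": "PDF", "app": "HTTP", "ThreatName": "",
     "src": "10.0.0.8", "dest": "203.0.113.13"},
    # Passes the search but hits a known-good destination -> removed by post-filter
    {"_time": 1700000300, "EventType": "FileEvent", "FileDirection": "Download",
     "dest_port": 8443, "FileType": "PDF", "app": "HTTPS", "ThreatName": "PDF.Suspicious",
     "src": "10.0.0.9", "dest": "203.0.113.50", "file_name": "doc.pdf", "uri": "/doc.pdf",
     "ClientApplication": "Firefox", "file_hash": "e" * 64, "SHA_Disposition": "Malware"},
    # FileType absent from the lookup -> Description is null -> dropped by stats ... by
    {"_time": 1700000360, "EventType": "FileEvent", "FileDirection": "Download",
     "dest_port": 9001, "FileType": "UNKNOWNTYPE", "app": "HTTP", "ThreatName": "Generic",
     "src": "10.0.0.7", "dest": "198.51.100.20", "file_name": "blob", "uri": "/blob",
     "ClientApplication": "curl", "file_hash": "f" * 64, "SHA_Disposition": "Malware"},
]

# Constructed stand-in for the cisco_secure_firewall_filetype_lookup rows.
FILETYPE_LOOKUP = {"MSEXE": "Windows/DOS executable file", "PDF": "PDF file", "ZIP": "ZIP archive"}

# Constructed stand-in for the `..._filter` macro: destinations tuned out as known-good.
KNOWN_GOOD_DESTS = {"203.0.113.50"}

GROUP_BY = ("FileDirection", "FileType", "app", "ThreatName", "dest_port", "Description", "src", "dest")
VALUE_FIELDS = ("file_name", "uri", "ClientApplication", "file_hash", "SHA_Disposition")


def stage1_search(events, excluded_ports=(80, 443)):
    """Stage 1: EventType=FileEvent FileDirection="Download" NOT dest_port IN (80, 443)."""
    return [e for e in events
            if e.get("EventType") == "FileEvent"
            and e.get("FileDirection") == "Download"
            and e.get("dest_port") not in excluded_ports]


def stage2_lookup(events, lookup=FILETYPE_LOOKUP):
    """Stage 2: lookup ... Name as FileType OUTPUT Description (null when unmatched)."""
    out = []
    for e in events:
        enriched = dict(e)
        enriched["Description"] = lookup.get(e.get("FileType"))
        out.append(enriched)
    return out


def stage3_stats(events):
    """Stage 3: count, min/max _time and values() of the listed fields, by GROUP_BY.
    Like Splunk, an event with a null by-field contributes nothing."""
    groups = {}
    for e in events:
        key = tuple(e.get(f) for f in GROUP_BY)
        if any(v is None for v in key):
            continue
        g = groups.setdefault(key, {"count": 0, "firstTime": e["_time"], "lastTime": e["_time"],
                                    **{f: set() for f in VALUE_FIELDS}})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], e["_time"])
        g["lastTime"] = max(g["lastTime"], e["_time"])
        for f in VALUE_FIELDS:
            if e.get(f) is not None:
                g[f].add(e[f])
    rows = []
    for key, g in groups.items():
        row = dict(zip(GROUP_BY, key))
        # values() yields distinct values; sorted here to mirror Splunk's lexicographic order
        row.update({k: (sorted(v) if isinstance(v, set) else v) for k, v in g.items()})
        rows.append(row)
    return rows


def post_filter(rows, known_good=KNOWN_GOOD_DESTS):
    """Stage 7 stand-in: the environment-specific false-positive filter macro."""
    return [r for r in rows if r["dest"] not in known_good]


def run_detection(events=SAMPLE_EVENTS):
    """Chain the stages; returns the rows the analytic would surface."""
    return post_filter(stage3_stats(stage2_lookup(stage1_search(events))))


if __name__ == "__main__":
    for row in run_detection():
        print(row["src"], "->", row["dest"], row["dest_port"], row["count"], row["file_name"])
```

Running it yields a single finding for 10.0.0.5 with count 2 and both file names collected. The UNKNOWNTYPE event never appears even though it matched the search: if a FileType in your logs is missing from the lookup CSV, add it there rather than assuming the rule covered the flow.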

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Field | Kind | Excluded values
dest_port | in | 443, 80

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field | Kind | Values
EventType | eq | FileEvent
FileDirection | eq | "Download"
sourcetype | eq | cisco:sfw:estreamer