Analytics Story: Cisco Network Visibility Module Analytics

Description

This analytic story provides a suite of detections built to analyze endpoint-based network telemetry captured by the Cisco Network Visibility Module (NVM). It focuses on identifying suspicious and potentially malicious activity such as process injection, unauthorized downloads, network connections from processes that are not normally network-aware, and potential command-and-control (C2) behavior. By leveraging the rich metadata from NVM, including process names, command-line arguments, user context, and module information, these detections provide high-fidelity insight into host behavior and outbound network activity.

Why it matters

Cisco Network Visibility Module (NVM), part of Cisco Secure Client (formerly AnyConnect), collects granular telemetry directly from endpoints to provide enhanced visibility into process-level network activity. This includes detailed fields such as process names, parent-child relationships, command-line arguments, loaded modules, user accounts, and DNS destinations. This analytic story leverages that context to detect threats across various tactics and techniques, including Command and Control, Execution, Defense Evasion, and Credential Access. It is particularly useful for detecting living-off-the-land binary (LOLBin) behavior, abuse of legitimate system processes, and exfiltration attempts from otherwise trusted binaries.

Detections

Name | Technique | Type
WMIC XSL Execution via URL | XSL Script Processing | TTP
Attacker Tools On Endpoint | OS Credential Dumping, Match Legitimate Resource Name or Location, Active Scanning | TTP
Windows File Download Via PowerShell | PowerShell, Ingress Tool Transfer | Anomaly
Windows Curl Download to Suspicious Path | Ingress Tool Transfer | TTP
Windows PowerShell FakeCAPTCHA Clipboard Execution | PowerShell, Windows Command Shell, Malicious Link | TTP
Windows InstallUtil URL in Command Line | InstallUtil | TTP
Windows Curl Upload to Remote Destination | Ingress Tool Transfer | TTP
Cisco NVM - Suspicious File Download via Headless Browser | Command and Scripting Interpreter, Ingress Tool Transfer | TTP
Cisco NVM - Outbound Connection to Suspicious Port | Non-Standard Port | Anomaly
Cisco NVM - Susp Script From Archive Triggering Network Activity | Visual Basic, Malicious File | Anomaly
Windows File Download Via CertUtil | Ingress Tool Transfer | TTP
Detect RClone Command-Line Usage | Automated Exfiltration | TTP
Cisco NVM - Rclone Execution With Network Activity | Exfiltration to Cloud Storage | Anomaly
Cisco NVM - Suspicious Network Connection From Process With No Args | Process Injection, System Binary Proxy Execution | Anomaly
Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download | Mshta | Anomaly
Cisco NVM - Webserver Download From File Sharing Website | Ingress Tool Transfer, Exploit Public-Facing Application | TTP
Windows HTTP Network Communication From MSIExec | Msiexec | Anomaly
Detect MSHTA Url in Command Line | Mshta | TTP
Cisco NVM - Installation of Typosquatted Python Package | Command and Scripting Interpreter | TTP
Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI | Visual Basic, Mshta | Anomaly
Cisco NVM - Suspicious Network Connection to IP Lookup Service API | System Network Configuration Discovery, IP Addresses | Anomaly
Windows MSIExec Remote Download | Msiexec | Anomaly
Cisco NVM - Suspicious Network Connection Initiated via MsXsl | XSL Script Processing | Anomaly
Cisco NVM - Non-Network Binary Making Network Connection | Masquerading, Process Injection | Anomaly
Cisco NVM - Suspicious Download From File Sharing Website | BITS Jobs | Anomaly
Cisco NVM - Curl Execution With Insecure Flags | BITS Jobs | Anomaly
Detect HTML Help URL in Command Line | Compiled HTML File | TTP
Windows InstallUtil Remote Network Connection | InstallUtil | Anomaly

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Cisco Network Visibility Module Flow Data | Network | cisco:nvm:flowdata | not_applicable
Sysmon EventID 3 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

Source: GitHub | Version: 2