At the Cisco Live San Diego 2025 conference Security Operations Center (SOC), the SPAN (Switched Port Analyzer) traffic that we receive from the NOC is nearly 80% encrypted traffic. This means if we only investigate unencrypted traffic, we are missing most of the packets flying across the network. The Encrypted Visibility Engine (EVE) is a feature in Cisco Secure Firewall that provides visibility into encrypted TLS (HTTPS) traffic without needing to decrypt it. It leverages TLS fingerprinting to detect and classify applications, malware, and other behaviors in encrypted flows while preserving privacy.
We observed a machine with multiple alerts for Upatre, a malware family often used to download and deliver other payloads. The Upatre detections are associated with requests to pcapp[.]store, a site that can serve legitimate software downloads but which is also associated with adware and malware payload downloads. While investigating we also observed regular RDP connections to an Italian IP belonging to Expereo, a data management service.
Investigation Steps
- Network Context — The investigation begins in the Firewall Management Center (FMC) unified event viewer, adding a column for EVE detections and filtering for “High” and “Very High” EVE confidence scores.
- Pivot to Fingerprint Analysis and Secure Malware Analytics Indicator — Pivoting from the FMC to the TLS fingerprint analysis shows the details of what the fingerprint is looking for and the relevance of Upatre. Selecting ‘Malware Upatre’ opens the indicator in Secure Malware Analytics (SMA – formerly Threat Grid) to further understand the behaviors of malware Upatre.
- Pcap Deep Dive — Pivoting to Endace to pull a pcap (packet capture) of the flow and opening it in Wireshark reveals pcapp[.]store in the SNI (Server Name Indication) extension of the client hello. The cipher suites offered in that same client hello also match what was listed in the fingerprint details.
- Using XDR Investigate — We then launched an investigation of pcapp[.]store in XDR, where SMA showed multiple malicious files connecting to pcapp[.]store. We also saw multiple DNS (Domain Name System) lookups for that domain from the Cisco Live wireless network.
- Using Splunk to Search for Additional Connections — Using Splunk to find additional connections to pcapp[.]store revealed 1,200 other connections to the same domain, but only this host triggered the EVE detection for the fingerprint.
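The steps above hinge on two things that can be read straight from the client hello without any decryption: the SNI the client asks for and the cipher suites and extensions it offers, which together make up the TLS fingerprint that EVE matched. The following Python example, added here and not part of the original post or of Cisco's EVE code, parses a TLS record carrying a ClientHello and derives those fields. EVE's own fingerprint format is proprietary and is not reproduced; the example uses the JA3 layout (version,ciphers,extensions,groups,point formats, decimal, GREASE values dropped) as a stand-in to show the idea. The ClientHello it parses is constructed inline with the page's SNI as a sample; it is not a capture from the conference network.

```python
"""Extract fingerprint-relevant fields from a TLS ClientHello (no decryption needed)."""
import hashlib
import struct

HANDSHAKE, CLIENT_HELLO = 0x16, 0x01
EXT_SNI, EXT_SUPPORTED_GROUPS, EXT_EC_POINT_FORMATS = 0, 10, 11


def is_grease(value: int) -> bool:
    """GREASE values (RFC 8701) have the form 0x?a?a and must not enter a fingerprint."""
    return (value & 0x0F0F) == 0x0A0A


def build_client_hello(sni, ciphers, groups, point_formats, version=0x0303) -> bytes:
    """Assemble a minimal ClientHello inside a TLS record. Constructed test input only."""
    cipher_bytes = b"".join(struct.pack("!H", c) for c in ciphers)
    sni_entry = struct.pack("!BH", 0, len(sni)) + sni.encode()          # host_name entry
    group_bytes = b"".join(struct.pack("!H", g) for g in groups)
    exts = [
        (EXT_SNI, struct.pack("!H", len(sni_entry)) + sni_entry),
        (EXT_SUPPORTED_GROUPS, struct.pack("!H", len(group_bytes)) + group_bytes),
        (EXT_EC_POINT_FORMATS, struct.pack("!B", len(point_formats)) + bytes(point_formats)),
    ]
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    body = (
        struct.pack("!H", version) + bytes(32)                           # version + random
        + b"\x00"                                                        # empty session id
        + struct.pack("!H", len(cipher_bytes)) + cipher_bytes
        + b"\x01\x00"                                                    # null compression only
        + struct.pack("!H", len(ext_bytes)) + ext_bytes
    )
    handshake = struct.pack("!B", CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Walk the record and return SNI, cipher suites, extension types, groups, point formats."""
    if record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    pos = 4                                                              # type + 3-byte length
    version = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + 32                                                        # version + random
    pos += 1 + hs[pos]                                                   # session id
    n = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    pos += n
    pos += 1 + hs[pos]                                                   # compression methods
    info = {"version": version, "ciphers": ciphers, "extensions": [],
            "sni": None, "groups": [], "point_formats": []}
    if pos >= len(hs):                                                   # no extensions block
        return info
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        data = hs[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        info["extensions"].append(etype)
        if etype == EXT_SNI:
            name_type, name_len = struct.unpack("!BH", data[2:5])        # skip 2-byte list length
            if name_type == 0:
                info["sni"] = data[5:5 + name_len].decode("ascii", "replace")
        elif etype == EXT_SUPPORTED_GROUPS:
            glen = struct.unpack("!H", data[:2])[0]
            info["groups"] = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + glen, 2)]
        elif etype == EXT_EC_POINT_FORMATS:
            info["point_formats"] = list(data[1:1 + data[0]])
    return info


def ja3_string(info: dict) -> str:
    """JA3-style layout used here as a stand-in for EVE's proprietary fingerprint."""
    def join(vals):
        return "-".join(str(v) for v in vals if not is_grease(v))
    return ",".join([str(info["version"]), join(info["ciphers"]), join(info["extensions"]),
                     join(info["groups"]), join(info["point_formats"])])


def ja3_hash(info: dict) -> str:
    return hashlib.md5(ja3_string(info).encode()).hexdigest()


# Constructed sample: a TLS 1.2 ClientHello with one GREASE cipher and one GREASE group.
SAMPLE_HELLO = build_client_hello(
    sni="pcapp.store",
    ciphers=[0x1A1A, 0x1301, 0x1302, 0xC02B, 0xC02F, 0x002F],
    groups=[0x2A2A, 0x001D, 0x0017],
    point_formats=[0],
)
SAMPLE_INFO = parse_client_hello(SAMPLE_HELLO)

if __name__ == "__main__":
    print("SNI:", SAMPLE_INFO["sni"])
    print("fingerprint:", ja3_string(SAMPLE_INFO), "->", ja3_hash(SAMPLE_INFO))
```

The two GREASE values are dropped before the fingerprint is formed; if they were kept, the same browser would produce a different fingerprint on every connection and no indicator match could work. Note also that the SNI is the client's claim, not something the server has proven: it is enough to pivot on in Splunk and XDR, as above, but an endpoint check is still what confirms the infection.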
Takeaway and Response
Using Splunk to search the DHCP data, the host name indicated that the client was a Windows machine on the general Wi-Fi. We escalated an incident report to the NOC. The device could potentially have been located using Wi-Fi access point data, and with endpoint telemetry we could have truly validated a malware Upatre infection.
This investigation shows just how powerful network telemetry can be in an investigation, especially when the devices on the conference Wi-Fi network are unmanaged by the SOC.
Want to learn more about what we saw at Cisco Live San Diego 2025? Check out our main blog post — Cisco Live San Diego 2025 SOC — and the rest of the Cisco Live SOC content.
We’d love to hear what you think! Ask a question and stay connected with Cisco Security on social media.