For Safety Operations Centre (SOC) groups, what’s the most important ache level after we run into an actual assault? That’s proper — not having sufficient information. We all the time want extra proof to research the incident, and when crucial, to hold out forensics and hint it again to the supply.
Take the SOC at Cisco Reside Melbourne 2025 for example. The platform was already near perfection. It introduced collectively Firewall, Safe Endpoint, XDR NVM (Community Visibility Module), Safe Malware Analytics, Safe Community Analytics, Safe Entry, Splunk Enterprise Safety, Splunk Assault Analyzer, and Endace.
All of those safety merchandise contribute totally different safety occasions. Cisco XDR then correlates these occasions, hyperlinks belongings and observables, and generates incidents. From there, our Tier-1 analysts can begin investigating immediately.
You’ll discover that these safety occasions already comprise a whole lot of context, which makes investigations simpler. However in a short time, you’ll understand that once you dig deeper, a few of the most uncooked, unique information remains to be lacking.
That is the place the brand new Cisco XDR Forensics actually exhibits its distinctive energy, offering us with wealthy, interactive methods to entry and collect proof.
Command and Management (C2)
A hacker used an encrypted C2 channel to take management of a consumer’s machine, then leveraged PowerShell to obtain a file containing malicious code. This file had been ready specifically, its title and sort have been modified, and its contents have been obfuscated and reworked, permitting the hacker to simply evade EDR detection and efficiently full the obtain.
Throughout this course of, XDR, via correlation, detected that somebody had used PowerShell to execute the file obtain. This triggered the creation of an incident. The incident included asset attributes, the PowerShell instructions executed by the hacker, and the title and path of the downloaded file.
So at this level, what would you assume must be achieved subsequent? That’s proper — you’d wish to know precisely what file the hacker downloaded, what’s the content material of it, and the way harmful it’s. The safety merchandise we’re used to simply can’t give us this information. Even packet captures are powerless in opposition to an encrypted C&C channel.
That is precisely when Cisco XDR Forensics steps in. Let’s check out the precise investigation course of and what it reveals.
First, XDR detected that the hacker, on a laptop computer, used PowerShell to obtain a file named ReadMe.txt from GitHub. At first look, most individuals with out safety expertise wouldn’t assume a lot of such a file title. However this file triggered an incident in XDR: Suspicious PowerShell exercise on PowerShell.
We may see the PowerShell command used for the obtain, the URL, the file title, and the trail the place it was saved on this case: C:UsersPublicReadMe.txt.
Subsequent, we went to the Proof web page of this incident and ran Forensics Acquisition on the asset. We may select from totally different templates, and the proof assortment job started executing.
As soon as the acquisition was full, we clicked via to the Forensics Investigation Dashboard. There, we may see that it had collected 168.8K of proofleading to 689 findingstogether with 30 Excessive and 7 Medium severity gadgets.
Subsequent, we looked for the ReadMe.txt file and located all associated entries. We found the place it was saved and that it was recognized as a Base64-encoded filewhich allowed us to verify each the file sort and its location.
Then, we ran Launch Distant Shell in Forensics to run interACT. This allowed us to go browsing to the machine remotely and examine the precise contents of the file.
Lastly, we positioned the ReadMe.txt file and checked its contents. We discovered that it had been Base64-encoded. After decoding it, we found the unique content material was a PowerShell script used to name and execute the EDR Killer malware.
At this level, we gathered all of the proof. All through the method, Cisco XDR Forensics performed an important function in proof assortment and supplied a user-friendly, interactive interface, considerably enhancing the effectivity of SOC investigations.
We sit up for utilizing XDR Forensics in additional conditions the place the SOC staff protects endpoints. This was a robust functionality, and I used to be promoted to Tier 2 Analyst within the SOC throughout my second week within the SOC!
Take a look at the opposite blogs by my colleagues within the Cisco Reside Melbourne 2026 SOC.
We’d love to listen to what you assume! Ask a query and keep linked with Cisco Safety on social media.
Cisco Safety Social Media
