{
	"id": "dae5cb7a-861d-4f16-a9ef-b8cc30ed3cc3",
	"created_at": "2026-04-29T02:20:33.198717Z",
	"updated_at": "2026-04-29T08:22:12.651241Z",
	"deleted_at": null,
	"sha1_hash": "ace2c3b4db7c78540bd6338865791d47d8db6fe9",
	"title": "Cisco Cyber Vision Active Discovery Configuration Guide, Release 4.3.0",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "2025-08-18T13:28:00Z",
	"file_modification_date": "2025-08-18T06:29:31Z",
	"file_size": 8426522,
	"plain_text": "Cisco Cyber Vision Active Discovery Configuration Guide, Release 4.3.0\r\nFirst Published: 2022-05-06\r\nLast Modified: 2024-03-05\r\nAmericas Headquarters\r\nCisco Systems, Inc.\r\n170 West Tasman Drive\r\nSan Jose, CA 95134-1706\r\nUSA\r\nhttp://www.cisco.com\r\nTel: 408 526-4000\r\n800 553-NETS (6387)\r\nFax: 408 527-0883\n\n© 2022 –2024 Cisco Systems, Inc. All rights reserved.\n\nCONTENTS\r\nCHAPTER 1 About this documentation 1\r\nDocument purpose 1\r\nWarnings and notices 1\r\nCHAPTER 2 Overview 3\r\nGeneral principles 3\r\nDesign considerations 4\r\nBasic configuration workflow 4\r\nCHAPTER 3 Sensor configuration 5\r\nConfigure Active Discovery on a Cisco switch or router 5\r\nConfigure Active Discovery on a Cisco IC3000 9\r\nCHAPTER 4 Policies configuration 13\r\nCreate a policy 13\r\nSet Active Discovery Broadcast 14\r\nSet Active Discovery Unicast 16\r\nSet Active Discovery Unicast BACnet 16\r\nSet Active Discovery Unicast DNP3 17\r\nSet Active Discovery Unicast Ethernet/IP 18\r\nSet Active Discovery Unicast Melsoft 19\r\nSet Active Discovery Unicast Modbus 20\r\nSet Active Discovery Unicast OMRON 21\r\nSet Active Discovery Unicast SiemensS7 21\r\nSet Active Discovery Unicast SiemensS7plus 22\r\nSet Active Discovery Unicast SNMPv2c 23\r\nCisco Cyber Vision Active Discovery Configuration Guide, Release 4.3.0\r\niii\n\nSet Active Discovery Unicast SNMPv3 24\r\nSet Active Discovery Unicast WMI 26\r\nModify a policy 27\r\nCHAPTER 5 Profiles configuration 31\r\nSet an Active Discovery profile 31\r\nCHAPTER 6 Launch Active Discovery 33\r\nLaunch Active Discovery 33\r\nCHAPTER 7 Annex: Active Discovery protocols 37\r\nBACnet 38\r\nDNP3 39\r\nEtherNet/IP 39\r\nEtherNet/IP Broadcast or Unicast 40\r\nEthernet/IP backplane discovery 42\r\nMelsoft 44\r\nModbus 45\r\nOMRON 46\r\nProfinet Multicast 46\r\nS7 Broadcast 47\r\nS7 Unicast 48\r\nS7Plus 49\r\nICMPv6 Multicast 50\r\nSNMP Unicast 50\r\nAD SNMP with Schneider PLC 51\r\nAD SNMP with Siemens PLC 
52\r\nAD SNMP with Rockwell PLC 53\r\nAD SNMP with Moxa switches 53\r\nAD SNMP with Siemens Switches 54\r\nAD SNMP with Hirschmann hardware 55\r\nAD SNMP with Cisco hardware 56\r\nAD SNMP with Microsoft Windows OS 57\r\nWMI 58\n\nCHAPTER 1\r\nAbout this documentation\r\n• Document purpose, on page 1\r\n• Warnings and notices, on page 1\r\nDocument purpose\r\nThis configuration guide explains how to configure Active Discovery in Cisco Cyber Vision and gives details\r\non expected results.\r\nThis documentation is applicable to system version 4.3.0.\r\nActive Discovery is available on the following devices:\r\n• Cisco Catalyst IE3300 10G Rugged Series Switch\r\n• Cisco Catalyst IE3400 Rugged Series Switch\r\n• Cisco Catalyst IE9300 Rugged Series Switch\r\n• Cisco Catalyst 9300 Series Switch\r\n• Cisco Catalyst 9400 Series Switch\r\n• Cisco IC3000 Industrial Compute Gateway\r\n• Cisco IR8340 Integrated Services Router Rugged\r\nWarnings and notices\r\nThis manual contains notices you have to observe to ensure your personal safety as well as to prevent damage\r\nto property.\r\nThe notices referring to your personal safety and to your property damage are highlighted in the manual by\r\na safety alert symbol described below. 
These notices are graded according to the degree of danger.\r\nWarning: Indicates risks that involve industrial network safety or production failure that could possibly result in personal\r\ninjury or severe property damage if proper precautions are not taken.\r\nImportant: Indicates risks that could involve property or equipment damage and minor personal injury if proper precautions\r\nare not taken.\r\nNote: Indicates important information on the product described in the documentation to which attention should be\r\npaid.\n\nCHAPTER 2\r\nOverview\r\n• General principles, on page 3\r\n• Design considerations, on page 4\r\n• Basic configuration workflow, on page 4\r\nGeneral principles\r\nActive Discovery allows the sensor to send packets to the network to discover previously unseen devices and\r\ngather additional properties for known devices.\r\nThere are two different types of Active Discovery operations:\r\n• Broadcast\r\nThe sensor sends Broadcast packets targeting all the devices in the subnet. 
Devices that support the\r\nprotocol will give a response back and appear in Cisco Cyber Vision.\r\n• Unicast\r\nThe sensor sends Unicast packets to known components and analyses the responses received.\r\nThe protocols supported for Active Discovery operations are:\r\n• Broadcast:\r\n• EtherNet/IP\r\n• Profinet\r\n• SiemensS7\r\n• ICMPv6\r\n• Unicast:\r\n• EtherNet/IP\r\n• SiemensS7\r\n• SNMPv2c\r\n• SNMPv3\r\n• WMI\r\nFor more information about discoverable properties, refer to Annex: Active Discovery protocols, on page 37.\r\nDesign considerations\r\nSeveral requirements must be met when deploying and configuring Active Discovery on a sensor:\r\n• The sensor must have access to the required subnet:\r\n• For Broadcast discovery, the target subnet/VLAN must be directly accessible from the sensor,\r\nmeaning the sensor must have an IP address set in this subnet.\r\nOn IOx sensors, the AppGigabit interface must be in trunk mode, and the VLAN must be allowed\r\non this port.\r\nOn the Cisco IC3000, one of the interfaces must be connected to a port on the VLAN, with no span\r\nconfigured on this port.\r\n• For Unicast discovery, the target subnet/VLAN must be either directly accessible from the sensor,\r\nor the sensor must have the required gateway or route to reach the targeted devices.\r\n• The list of nodes targeted in Unicast discovery comes from the device list of the preset which launches the\r\ndiscovery. 
A preset configured with sensors in its filter will trigger Active Discovery on these sensors.\r\nIt means that only the components that have been filtered by this particular preset will be scanned.\r\nBasic configuration workflow\r\nTo configure Active Discovery, you must perform the following steps:\r\n• Deploy a sensor with the required configuration: IP address, VLAN, gateway or routes.\r\n• Create an Active Discovery policy containing the protocols needed and their respective parameters.\r\n• Create an Active Discovery profile with a policy and target IP addresses, and set an execution time or\r\nrun it once.\n\nCHAPTER 3\r\nSensor configuration\r\nThe Active Discovery configuration procedure will vary depending on the sensor model, whether it is a switch,\r\na router or a Cisco IC3000.\r\nTo configure Active Discovery on a switch or a router, the sensors must have been previously deployed using\r\nthe IOx sensor application file with Active Discovery. 
In this case, the Active Discovery button should appear\r\nin the sensor right side panel in Cisco Cyber Vision's Sensor Explorer page.\r\nOn a Cisco IC3000, you can configure Active Discovery by performing a manual configuration or by redeploying\r\nthe sensor via the sensor extension.\r\n• Configure Active Discovery on a Cisco switch or router, on page 5\r\n• Configure Active Discovery on a Cisco IC3000, on page 9\r\nConfigure Active Discovery on a Cisco switch or router\r\nBefore you begin\r\nThis procedure is applicable to:\r\n• Cisco IE3300 10G, Cisco IE3400 and Cisco IE9300.\r\n• Cisco Catalyst 9300, Cisco Catalyst 9300X and Cisco Catalyst 9400.\r\n• Cisco IR1101 and Cisco IR8340 Integrated Services Router Rugged\r\nThe sensors must have been deployed using the IOx sensor application file with Active Discovery.\r\nProcedure\r\nStep 1 Navigate to Admin \u003e Sensors \u003e Sensor Explorer.\r\nStep 2 Select a sensor in the list.\r\nThe sensor right side panel appears. The Active Discovery button is displayed if the sensor is compatible.\r\nIf there is no Active Discovery button in the panel, you must redeploy the sensor using the IOx application file with\r\nActive Discovery.\r\nStep 3 Click the Active Discovery button.\r\nThe Active Discovery Configuration window pops up:\r\nStep 4 If necessary, tick the Use collection interface check box for Active Discovery to use the Collection network interface\r\nto do discovery on the same subnet as the sensor IP, or using the sensor Collection gateway.\r\nThe Collection network interface is added in the list on the right.\r\nStep 5 Click + New network interfaces for the sensor to perform Active Discovery on additional subnetworks.\r\nStep 6 Fill the following parameters to set dedicated network interfaces:\r\n• IP address\r\n• Prefix length\r\n
• VLAN number\r\nStep 7 Click Add.\r\nYou can add as many network interfaces as needed, like below.\r\nStep 8 Click OK.\r\nThe following schemas show how Active Discovery is created and how packets navigate inside the switch\r\n(in red).\r\nFigure 1: IE3300 10G and IE3400:\r\nFigure 2: Catalyst 9300 and Catalyst 9400:\r\nFigure 3: IR8340:\r\nWhat to do next\r\nProceed to Policies configuration, on page 13.\r\nConfigure Active Discovery on a Cisco IC3000\r\nBefore you begin\r\nThis procedure is applicable to the Cisco IC3000 Industrial Compute Gateway.\r\nThe sensors must have been deployed using the IOx sensor application file with Active Discovery.\r\nProcedure\r\nStep 1 Navigate to Admin \u003e Sensors \u003e Sensor Explorer.\r\nStep 2 Select a sensor in the list.\r\nThe sensor right side panel appears. 
The Active Discovery button is displayed if the sensor is compatible.\r\nIf there is no Active Discovery button in the panel, you must redeploy the sensor using the IOx application file with\r\nActive Discovery.\r\nStep 3 Click the Active Discovery button.\r\nThe Active Discovery Configuration window pops up:\r\nStep 4 If necessary, tick the Use collection interface check box for Active Discovery to use the Collection network interface\r\nto do discovery on the same subnet as the sensor IP, or using the sensor Collection gateway.\r\nThe Collection network interface is added in the list on the right.\r\nStep 5 Click + New network interface for the sensor to perform Active Discovery on additional subnetworks.\r\nStep 6 Select a physical interface and fill the following parameters to set a dedicated network interface:\r\n• IP address\r\n• Prefix length\r\n• VLAN number\r\nStep 7 Click Add.\r\nThe network interface appears on the right.\r\nYou can add as many network interfaces as needed.\r\nStep 8 Click Configure.\r\nThe following schema shows how Active Discovery is created and how packets navigate inside the Cisco\r\nIC3000 (in red).\r\nWhat to do next\r\nProceed to Policies configuration, on page 13.\n\nCHAPTER 4\r\nPolicies configuration\r\n• Create a policy, on page 13\r\n• Set Active Discovery Broadcast, on page 14\r\n• Set Active Discovery Unicast, on page 16\r\n• 
Modify a policy, on page 27\r\nCreate a policy\r\nAn Active Discovery policy is a list of settings which define protocols and their parameters that will be used\r\nto inspect the industrial network. The policy will be applied to an IP address, an IP range and/or a preset and\r\nused on a list of sensors and components.\r\nProcedure\r\nStep 1 Navigate to Admin \u003e Active Discovery \u003e Policies.\r\nStep 2 Click + Create policy.\r\nA Create an Active Discovery policy overlay appears.\r\nWhat to do next\r\n• Set Active Discovery Broadcast, on page 14\r\n• Set Active Discovery Unicast, on page 16\r\nSet Active Discovery Broadcast\r\nBefore you begin\r\nActive Discovery is compatible with the following Broadcast protocols:\r\n• EtherNet/IP\r\n• Siemens S7\r\n• Profinet\r\n• ICMPv6\r\nThe sensor will send requests on all defined interfaces.\r\nProcedure\r\nStep 1 Type a policy name.\r\nStep 2 Toggle the Broadcast protocol buttons ON to enable Active Discovery on these protocols.\r\nStep 3 Leave the Retry and Timeout settings with the default values (3 and 10).\r\nRetry: number of request attempts.\r\nTimeout: waiting time in seconds for a response.\r\nStep 4 Click Create to finish or add Unicast configurations to the policy.\r\nWhat to do next\r\nSet Active Discovery Unicast, on page 16\r\nSet Active Discovery Unicast\r\nBefore you begin\r\nProcedure\r\nStep 1 Give the policy a name.\r\nStep 2 Under Unicast configuration, click + Add protocol-specific configuration.\r\nStep 3 Click the Select protocol dropdown menu and select a protocol.\r\nWhat to do next\r\nSee the per-protocol configurations below.\r\nSet 
Active Discovery Unicast BACnet\r\nSet Active Discovery Unicast BACnet to search for devices and components with BACnet requests. All\r\ncomponents with an IPv4 address will be queried.\r\nProcedure\r\nStep 1 Toggle the Enable button ON.\r\nStep 2 Leave the Retry attempts and Timeout settings with the default values (0 and 5).\r\nStep 3 Click Save.\r\nThe menu closes.\r\nStep 4 Click Create.\r\nSet Active Discovery Unicast DNP3\r\nSet Active Discovery Unicast DNP3 to search for devices and components with DNP3 requests. All components\r\nwith an IPv4 address will be queried.\r\nBefore you begin\r\nProcedure\r\nStep 1 Toggle the Enable button ON.\r\nStep 2 Leave the Retry attempts and Timeout settings with the default values (0 and 5).\r\nStep 3 Leave the Source Address and Max Destination Address with the default values (0 and 16).\r\nStep 4 Click Save.\r\nThe menu closes.\r\nStep 5 Click Create.\r\nSet Active Discovery Unicast Ethernet/IP\r\nSet Active Discovery Unicast Ethernet/IP to search for devices and components with Ethernet/IP requests.\r\nAll components with an IPv4 address will be queried.\r\nProcedure\r\nStep 1 Toggle the Enable button ON.\r\nStep 2 Leave the Retry attempts and Timeout settings with the default values (0 and 5).\r\nStep 3 You can toggle the Backplane discovery button ON. 
Active Discovery will look for the different module details within\r\nthe discovered chassis.\r\nStep 4 Click Save.\r\nThe menu closes.\r\nStep 5 Click Create.\r\nSet Active Discovery Unicast Melsoft\r\nSet Active Discovery Unicast Melsoft to search for devices and components with Melsoft requests. All\r\nMitsubishi components with an IPv4 address will be queried.\r\nProcedure\r\nStep 1 Toggle the Enable button ON.\r\nStep 2 Leave the Retry attempts and Timeout settings with the default values (0 and 5).\r\nStep 3 Click Save.\r\nThe menu closes.\r\nStep 4 Click Create.\r\nSet Active Discovery Unicast Modbus\r\nSet Active Discovery Unicast Modbus to search for devices and components with Modbus requests. All\r\ncomponents with an IPv4 address will be queried.\r\nProcedure\r\nStep 1 Toggle the Enable button ON.\r\nStep 2 Leave the Retry attempts and Timeout settings with the default values (1 and 5).\r\nStep 3 Click Save.\r\nThe menu closes.\r\nStep 4 Click Create.\r\nSet Active Discovery Unicast OMRON\r\nSet Active Discovery Unicast OMRON to search for devices and components with FINS requests. All\r\ncomponents with an IPv4 address will be queried.\r\nProcedure\r\nStep 1 Toggle the Enable button ON.\r\nStep 2 Leave the Retry attempts and Timeout settings with the default values (1 and 5).\r\nStep 3 Click Save.\r\nThe menu closes.\r\nStep 4 Click Create.\r\nSet Active Discovery Unicast SiemensS7\r\nSet Active Discovery Unicast SiemensS7 to search for devices and components with SiemensS7 requests.\r\nSiemensS7 is a communication protocol used on Siemens PLCs. 
Siemens PLCs with an IPv4 address will\r\nbe queried.\r\nProcedure\r\nStep 1 Toggle the Enable button ON.\r\nStep 2 Leave the Retry attempts and Timeout settings with the default values (0 and 5).\r\nStep 3 Enter a number of racks and slots to be queried.\r\nSlot: number of modules to search for within a chassis.\r\nStep 4 Click Save.\r\nThe menu closes.\r\nStep 5 Click Create.\r\nSet Active Discovery Unicast SiemensS7plus\r\nSet Active Discovery Unicast SiemensS7plus to search for devices and components with SiemensS7plus\r\nrequests. SiemensS7plus is a communication protocol used on the latest Siemens PLCs. Siemens PLCs with\r\nan IPv4 address will be queried.\r\nProcedure\r\nStep 1 Toggle the Enable button ON.\r\nStep 2 Leave the Retry attempts and Timeout settings with the default values (1 and 5).\r\nStep 3 Click Save.\r\nThe menu closes.\r\nStep 4 Click Create.\r\nSet Active Discovery Unicast SNMPv2c\r\nSet Active Discovery Unicast SNMPv2c to search for devices and components with SNMPv2c requests. All\r\ncomponents with an IPv4 address will be queried. Default OIDs are requested for all devices and some specific\r\nOIDs are requested based on the vendor and the type of components.\r\nProcedure\r\nStep 1 Toggle the Enable button ON.\r\nStep 2 Leave the Retry attempts and Timeout settings with the default values (0 and 5).\r\nStep 3 Type a community string for authentication.\r\nThe community string is defined by IT or network administrators. The value \"public\" is often used by default.\r\nStep 4 You can toggle the Enable SNMPv1 fallback button ON. 
Active Discovery will look for PLCs and I/O chassis with\r\nmodule details.\r\nStep 5 Click Save.\r\nThe menu closes.\r\nStep 6 Click Create.\r\nRefer to the Annex appended at the end of this document to see examples of Unicast SNMPv2c results and\r\ndetailed information about packets.\r\nSet Active Discovery Unicast SNMPv3\r\nSet Active Discovery Unicast SNMPv3 to search for devices and components with SNMPv3 requests. All\r\ncomponents with an IPv4 address will be queried. Default OIDs are requested for all devices and some specific\r\nOIDs are requested based on the vendor and the type of components.\r\nProcedure\r\nStep 1 Toggle the Enable button ON.\r\nStep 2 Leave the Retry attempts and Timeout settings with the default values (0 and 5).\r\nStep 3 Type a community string for authentication.\r\nThe community string is defined by IT or network administrators. The value \"public\" is often used by default.\r\nStep 4 Select the proper security and privacy level based on the information provided by the IT or network administrators.\r\nAll options available on SNMPv3 are implemented in Cisco Cyber Vision. Three security levels are available:\r\n• Disable both authentication and privacy.\r\nOnly a username is requested for authentication.\r\n• Enable authentication and disable privacy.\r\nAuthentication will be based on HMAC-MD5 or HMAC-SHA algorithms.\r\nSelect the algorithm to use and provide a username and an authentication password.\r\n• Enable both authentication and privacy.\r\nIn addition to the previous level, a DES or AES encryption of the content is requested. Select the level of encryption\r\nto use and provide a username and an authentication password. 
In addition, you must provide a password used for\r\nthe encryption.\r\nStep 5 Click Save.\r\nThe menu closes.\r\nStep 6 Click Create.\r\nRefer to the Annex appended at the end of this document to see examples of Unicast SNMPv3 results and\r\ndetailed information about packets.\r\nSet Active Discovery Unicast WMI\r\nSet Active Discovery Unicast WMI (Windows Management Instrumentation) to collect Windows information\r\nlike local-host names and operating system versions.\r\nProcedure\r\nStep 1 Toggle the Enable button ON.\r\nStep 2 Leave the Retry attempts and Timeout settings with the default values (0 and 5).\r\nStep 3 Enter a Windows user account and password with the suitable WMI rights.\r\nAn Active Directory user account for authentication on multiple hosts with single login credentials can also be used.\r\nStep 4 Click Save.\r\nThe menu closes.\r\nStep 5 Click Create.\r\nModify a policy\r\nProcedure\r\nStep 1 Navigate to Admin \u003e Active Discovery \u003e Policies.\r\nStep 2 Click the policy in the list you want to modify.\r\nAn overlay appears with the policy's configurations.\r\nStep 3 Click Edit, Duplicate or Delete.\r\nIf you clicked Edit, an Edit policy overlay appears.\r\nStep 4 You can toggle the buttons ON/OFF to enable/disable broadcast protocols.\r\nStep 5 Click the pencil button to edit Unicast protocols settings.\r\nThe Unicast configuration panel appears below the list of Unicast protocols.\r\n
Step 6 Make the necessary modifications.\r\nStep 7 Click Save.\r\nThe overlay closes.\r\nStep 8 Click Update.\n\nCHAPTER 5\r\nProfiles configuration\r\n• Set an Active Discovery profile, on page 31\r\nSet an Active Discovery profile\r\nSet an Active Discovery profile by adding a policy, targeting IP addresses and arranging a schedule.\r\nProcedure\r\nStep 1 On Cisco Cyber Vision, navigate to Admin \u003e Active Discovery \u003e Profiles.\r\nStep 2 Click the Create profile button.\r\nA form to create an Active Discovery profile pops up.\r\nStep 3 Give the profile a name.\r\nStep 4 Select a policy to base the profile on.\r\nStep 5 Set target IP addresses: different options are available, such as:\r\n• selecting a preset: the preset's device list will be used to list the IP addresses to be queried. In other words, the Active\r\nDiscovery engine will use the IPv4 addresses inside a component list to build its own list of components to check. You can\r\nuse default and custom presets.\r\n• setting IP targets: you can directly add the IP addresses, IP ranges and subnets you want to be queried.\r\n• selecting sensors: all IP addresses detected by a sensor will be queried. You can also tick the Use all sensors available\r\noption.\r\nStep 6 Optionally, you can arrange a schedule for Active Discovery to be launched. To do so:\r\na) Toggle ON the Schedule periodic discoveries button.\r\nAdditional options to set up appear:\r\nb) Set a time range by selecting a start and end date and time.\r\nThe end date and time is optional. If you don't set it, Active Discovery will be launched endlessly.\r\nc) Set a frequency. 
You can set it to hourly, daily, weekly or monthly.\r\nStep 7 Click Create.\r\nThe profile is added to the list and discovery is enabled by default if scheduling is set.\n\nCHAPTER 6\r\nLaunch Active Discovery\r\n• Launch Active Discovery, on page 33\r\nLaunch Active Discovery\r\nEnable Active Discovery on the profiles created. You can run it once or launch the scheduling if it's paused.\r\nProcedure\r\nStep 1 On Cisco Cyber Vision, navigate to Admin \u003e Active Discovery \u003e Profiles.\r\nStep 2 Click a profile in the list.\r\nIts right side panel opens.\r\nStep 3 You can run the discovery once or resume scheduling.\r\n• Click Run once.\r\nA message indicating that Active Discovery will be launched soon appears.\r\n• Click Resume scheduling.\r\nThe scheduling status switches from paused to scheduled.\r\nThe discovery will be launched as configured.\r\nYou can change these configurations by clicking Edit.\r\nStep 4 You can click the link in the last discovery column to see a profile's Active Discovery results.\r\nA window opens with the result details.\n\nCHAPTER 7\r\nAnnex: Active Discovery protocols\r\nAll protocols implemented in the Active Discovery feature use standard packets commonly used by vendors.\r\nThe system will never send requests on the network without a clear configuration made by the user. 
It is\r\npossible to schedule requests at a pre-defined frequency.\r\nDiscovered devices' responses will depend on the protocol implemented by the manufacturer and the user\r\nconfiguration. Except for what is clearly stated in this documentation, no specific configuration is required\r\non discovered devices. Devices may give an answer by default, but it can vary in the field depending on the\r\nconfiguration.\r\nThis annex gives examples of the packets used by Cisco Cyber Vision to discover devices and of typical\r\nanswers the user can expect.\r\n• BACnet, on page 38\r\n• DNP3, on page 39\r\n• EtherNet/IP, on page 39\r\n• Melsoft, on page 44\r\n• Modbus, on page 45\r\n• OMRON, on page 46\r\n• Profinet Multicast, on page 46\r\n• S7 Broadcast, on page 47\r\n• S7 Unicast, on page 48\r\n• S7Plus, on page 49\r\n• ICMPv6 Multicast, on page 50\r\n• SNMP Unicast, on page 50\r\n• WMI, on page 58\r\nBACnet\r\nDNP3\r\nEtherNet/IP\r\nEthernet/IP Active Discovery can be performed by Cisco Cyber Vision using Broadcast or Unicast mode. In\r\neither case, the requests sent and the component properties collected in return will be the same. The main differences\r\nare:\r\n• Broadcast will discover all devices in the local LAN.\r\n• Unicast will only discover the devices and components which have an IPv4 address.\r\n• Once an EtherNet/IP node is discovered, Unicast will search for the device's content. If a device is a\r\nchassis with a backplane, it will be queried and all modules will send their properties.\r\nThe EtherNet/IP command used is the List Identity request (0x00063). 
This command will be sent to the IPv4\r\nbroadcast address or directly to an IPv4 address or to a module inside a backplane behind an IPv4 address.\r\nThe result, whether in Broadcast or Unicast, will always be the same CIP Identity response (0x000c) with the\r\nfollowing properties:\r\n# | Name | Cyber Vision Properties | Example\r\n1 | Vendor ID | enip-vendor | Rockwell Automation/Allen-Bradley\r\n2 | Device Type | enip-devicetype | ProgrammableLogicController\r\n3 | Product Code | enip-productcode | 235\r\n4 | Revision | enip-version | 33.012\r\n5 | Status | enip-status | AtLeastOneIOConnectionInRunMode, MinorRecoverableFault, ReservedBits12-15:0x3\r\n6 | Serial Number | enip-serial | 01105356\r\n7 | Product Name | enip-name | 1756-L81ES/B\r\nEtherNet/IP Broadcast or Unicast\r\nA Broadcast Ethernet/IP Active Discovery consists of a packet sent by the sensor which requests EtherNet/IP\r\nidentities from all devices in the local LAN. For example, a sensor with an Active Discovery IPv4 address\r\n192.168.20.192/24 will send this EtherNet/IP request to the Broadcast address, here 192.168.20.255. All\r\ndevices in the IPv4 range 192.168.20.0 to 192.168.20.254 will answer with the packet described above (CIP\r\nIdentity response (0x000c)).\r\nA direct Unicast Ethernet/IP (i.e. no backplane) will consist of the same request but sent directly to the device.\r\nWhen a preset is configured to query EtherNet/IP devices, the system will take the list of components of this\r\npreset which have an IPv4 address. Then, the Active Discovery engine will try to reach each IPv4 with this\r\nEtherNet/IP identities request. All reachable EtherNet/IP nodes of this list will answer with the packet described\r\nabove (CIP Identity response (0x000c)).\r\nIn both cases (Broadcast and Unicast), the answer will be sent by the discovered devices to the sensor's Active\r\nDiscovery network interface. 
The answer will be a UDP packet for the Broadcast request and some TCP\r\npackets for the Unicast request.\r\nFigure 4: Example of properties received from a Rockwell Automation EtherNet/IP communication adapter (1756-EN2T):\r\nFigure 5: Example of properties received from a Rockwell Automation EtherNet/IP safety controller (1756-L81ES):\r\nFigure 6: Example of properties received from a Schneider Electric EtherNet/IP controller (TM221ME16R):\r\nEthernet/IP backplane discovery\r\nTo browse backplanes, the Active Discovery policy with the Unicast EtherNet/IP protocol enabled needs to\r\nhave the backplane discovery option set to enabled.\r\nIn such case, all EtherNet/IP nodes detected by Active Discovery Ethernet/IP Unicast will be queried again\r\nby the sensor. The sensor will try to determine the backplane size and then send a request to the different modules\r\n(link addresses from 0 to the chassis size). All modules will then send their properties such as the product\r\nreference and the firmware version.\r\nFor example, an Ethernet/IP communication adapter with the IPv4 192.168.20.22 was first discovered. Then,\r\nall seven slots of the chassis backplane were queried. 
Four of them answered back, which allowed Cisco\r\nCyber Vision to build a Controller Rack:\r\nA controller and a firmware version were discovered in slot 0 of this backplane thanks to Active Discovery:\r\nMelsoft\r\nModbus\r\nOMRON\r\nProfinet Multicast\r\nCisco Cyber Vision Active Discovery can use a Profinet DCP service called Identify Request. This request\r\nwill be sent by the sensor interfaces defined for Active Discovery. All Profinet devices will answer with a\r\nspecific Profinet DCP identify response packet.\r\nThe request is sent from the sensor MAC address to a specific Ethernet Multicast address: 01:0e:cf:00:00:00.\r\nThis Profinet DCP Multicast address will allow Cisco Cyber Vision to reach all Profinet nodes on the local\r\nLAN. The answer of each node will be a specific Profinet DCP packet sent to the sensor MAC address.\r\nThe information collected is:\r\n• The IP address + mask.\r\n• The Manufacturer name.\r\n• The name of the station.\r\nFigure 7: For example, a Siemens S7-1500 controller:\r\nS7 Broadcast\r\nCyber Vision Active Discovery can use a request on the S7 discovery protocol with a command: \"identification\".\r\nThis request will be sent by the sensor interfaces defined for Active Discovery.
All S7 devices will answer\r\nwith a specific S7 Discovery identification response packet.\r\nThe request is sent from the sensor MAC address to the Ethernet broadcast address: ff:ff:ff:ff:ff:ff. The answer\r\nof each S7 protocol capable node will be a specific S7 discovery packet sent by the device MAC address to\r\nthe sensor MAC address.\r\nThe information collected is:\r\n• The model name.\r\n• The name of the device.\r\nFigure 8: For example, a Siemens S7-300 controller:\r\nS7 Unicast\r\nThe Active Discovery engine uses a specific S7 Unicast command to request properties from S7-compatible\r\ndevices, such as:\r\n• Hardware reference\r\n• Firmware version\r\nS7Plus\r\nICMPv6 Multicast\r\nFor the ICMPv6 Active Discovery protocol, the Cisco Cyber Vision sensor will use an ICMPv6 Echo request\r\n(ping) to the all-nodes link-local scope multicast address. The sensor will thus ping all IPv6 nodes on the local\r\nlink. All reachable nodes will answer back with their link-local IPv6 address and their MAC address.\r\nCisco Cyber Vision sensors use a specific ICMPv6 packet, echo request (type 128) to the address ff02::1 (All\r\nnodes on the local network segment) with a hop limit of 1.\r\nThe different nodes will answer with an ICMPv6 Neighbor Solicitation (type 135) to the Solicited-Node\r\nMulticast address which has the form ff02::1::ff with the least-significant 24 bits of the sensor IPv6 Unicast\r\naddress.\r\nFigure 9: For example, a sensor with IPv6: fe80::d2ec:35ff:feca:962a is requesting ff02::1.
Three different devices are answering back:\r\nSNMP Unicast\r\nThe Cisco Cyber Vision sensor can use the SNMP protocol to collect network device information.\r\nSNMP Active Discovery results highly depend on the configuration, type and version of the queried devices.\r\nSome devices might respond without any specific configuration, others might need complex configurations,\r\nand others might not respond at all.\r\nWhile doing SNMP Active Discovery, the sensor will try to read some generic and vendor-specific values.\r\nThe generic values will be used by the sensor to build extra queries based on vendors and hardware models.\r\nGeneric values collected are:\r\nProperty | Description\r\nsnmp-sys-descr | Description\r\nsnmp-sys-name | Name\r\nThe Cisco Cyber Vision sensor Active Discovery supports:\r\n• SNMP Version 2c (SNMPv2c) with a fallback to SNMP Version 1 (SNMPv1).\r\n• SNMP Version 3 (SNMPv3).\r\nSNMPv3 Active Discovery is able to provide authentication and encryption.\r\nAll SNMP versions will give the same results in the Cisco Cyber Vision application. The version is important\r\nwith regard to data access.
The subsequent section describes the SNMP results with different types of network\r\ndevices.\r\nAD SNMP with Schneider PLC\r\nThe Cisco Cyber Vision SNMP Active Discovery with Schneider Electric PLC requests generic values\r\n(snmp-sys-descr and snmp-sys-name).\r\nTypical results with nodes where SNMP is enabled by default are:\r\nAD SNMP with Siemens PLC\r\nThe Cisco Cyber Vision SNMP Active Discovery with Siemens PLC requests generic values (snmp-sys-descr\r\nand snmp-sys-name).\r\nTypical results with nodes where SNMP is enabled by default are:\r\nAD SNMP with Rockwell PLC\r\nThe Cisco Cyber Vision SNMP Active Discovery with Rockwell Automation PLC requests generic values\r\n(snmp-sys-descr and snmp-sys-name).\r\nTypical results with nodes where SNMP is enabled by default are:\r\nAD SNMP with Moxa switches\r\nThe Cisco Cyber Vision SNMP Active Discovery with Moxa switches requests generic values (snmp-sys-descr\r\nand snmp-sys-name) with the addition of:\r\nProperty | Description\r\nsnmp-moxapriv-model-name | Model\r\nsnmp-moxapriv-fw-version | Firmware version\r\nTypical results with nodes where SNMP is enabled by default are:\r\nAD SNMP with Siemens Switches\r\nThe Cisco Cyber Vision SNMP Active Discovery with Siemens switches requests generic values\r\n(snmp-sys-descr and snmp-sys-name) with the addition of:\r\nProperty | Description\r\nsnmp-siemens-scalence-model-ref | Model\r\nsnmp-siemens-scalence-model-version | Firmware version\r\nTypical results with nodes where SNMP is enabled by default are:\r\nAD SNMP with Hirschmann hardware\r\nThe Cisco Cyber Vision SNMP Active Discovery with Hirschmann switches requests generic values\r\n(snmp-sys-descr and snmp-sys-name) with the addition of:\r\nProperty | Description\r\nsnmp-hmpriv-mgmt-model-ref | Model\r\nsnmp-hmpriv-mgmt-fw-version | Firmware version\r\nsnmp-hm2-indus-model-ref | Model\r\nsnmp-hm2-indus-fw-version | Firmware version\r\nsnmp-hm-disc-fw-version | Model\r\nsnmp-hm-disc-model-ref | Firmware version\r\nTypical results with nodes where SNMP is enabled by default are:\r\nAD SNMP with Cisco hardware\r\nThe Cisco Cyber Vision SNMP Active Discovery with Cisco hardware requires some specific configuration\r\non the device side and requests generic values (snmp-sys-descr and snmp-sys-name) with the addition of:\r\nProperty | Description\r\nsnmp-ent-physical-model-name | Model\r\nsnmp-ent-physical-entry | Description\r\nsnmp-ent-physical-serial-number | Serial number\r\nsnmp-probe-software-rev | Firmware version\r\nTypical results with nodes where SNMP is enabled by default are:\r\nAD SNMP with Microsoft Windows OS\r\nThe Cisco Cyber Vision SNMP Active Discovery with Microsoft Windows stations requires a specific\r\noperating system configuration and requests generic values (snmp-sys-descr and snmp-sys-name) with the\r\naddition of:\r\nProperty | Description\r\nsnmp-primary-domain-name | Domain name of the machine\r\nTypical
results with nodes where SNMP is enabled by default are:\r\nWMI\r\nWMI is used to collect the following Windows hosts' properties.\r\n• wmi-caption: operating system's name and version\r\n• wmi-kb-list: security updates installed in the host\r\n• wmi-last-update: latest update date\r\n• wmi-name: host name",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"pdf"
	],
	"references": [
		"https://www.cisco.com/c/en/us/td/docs/security/cyber_vision/publications/Active-Discovery/Release-4-3-0/b_Cisco_Cyber_Vision_Active_Discovery_Configuration_Guide.pdf"
	],
	"report_names": [
		"b_Cisco_Cyber_Vision_Active_Discovery_Configuration_Guide.pdf"
	],
	"threat_actors": [
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-29T06:58:56.273838Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA",
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-29T06:58:57.562267Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-29T06:58:57.797209Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1777429233,
	"ts_updated_at": 1777450932,
	"ts_creation_date": 1755523680,
	"ts_modification_date": 1755498571,
	"files": {
		"pdf": "https://archive.orkl.eu/ace2c3b4db7c78540bd6338865791d47d8db6fe9.pdf",
		"text": "https://archive.orkl.eu/ace2c3b4db7c78540bd6338865791d47d8db6fe9.txt",
		"img": "https://archive.orkl.eu/ace2c3b4db7c78540bd6338865791d47d8db6fe9.jpg"
	}
}