Skip to content
  • There are no suggestions because the search field is empty.

RSA Application Rules

RSA Application Rules

The following table lists all of the delivered RSA Application Rules.

For syntax and examples for application rules, see Application Rules Cheat Sheet.

Note: For content that has been discontinued, see Discontinued Content.

If you want to view only Endpoint application rules, click here: RSA Application Rules for Endpoint.

  • Display Name: Accesses Administrative Share Using Command Shell
  • File Name: accesses_administrative_share_using_command_shell
  • Description: Accessing administrative share using command shell can be an indicator of someone trying for lateral movement or privilege escalation by using hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. This rule is supported for Windows 8 and higher versions.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = accesses administrative share using command shell
  • Medium: endpoint
  • Tag: "lateral movement":"windows admin shares"

  • Display Name: Activates BITS Job
  • File Name: activates_bits_job
  • Description: Background Intelligent Transfer Service (BITS) is a Windows component used to transfer files. It has commonly been used for malware distribution.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * ioc = activates bits job
  • Medium: endpoint
  • Tag: "lateral movement":"remote file copy"

  • Display Name: Adds Files To BITS Download Job
  • File Name: adds_files_to_bits_download_job
  • Description: Background Intelligent Transfer Service (BITS) is a Windows component used to transfer files. It has commonly been used for malware distribution.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * ioc = adds files to bits download job
  • Medium: endpoint
  • Tag: "lateral movement":"remote file copy"

  • Display Name: Adds Firewall Rule
  • File Name: adds_firewall_rule
  • Description: Adding firewall rule can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = adds firewall rule
  • Medium: endpoint
  • Tag: "defense evasion":"disabling security tools"

  • Display Name: Allocates Remote Memory
  • File Name: allocates_remote_memory
  • Description: In Mac, a process not signed by Apple has allocated memory in another process. Most allocations will only occur within the same process and by processes signed by Apple. This generally indicates an attempt to inject code or data into another process, which may be a first step in reinforcing a malicious presence on a system.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = allocates remote memory
  • Medium: endpoint
  • Tag: "defense evasion":"process injection", "privilege escalation":"process injection"

  • Display Name: Antivirus Disabled
  • File Name: antivirus_disabled
  • Description: Disabling antivirus can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * eoc = antivirus disabled
  • Medium: endpoint
  • Tag: "defense evasion":"disabling security tools"

  • Display Name: Archive Extension Mismatch
  • File Name: nw20080
  • Description: Creates meta when an archive file is detected without an archive file extension.

    VERSIONS SUPPORTED
    * 10.5 and higher

    DEPENDENCIES
    Lua Parsers:
    * fingerprint_zip
    * fingerprint_gzip
    * fingerprint_7zip
    * fingerprint_rar_lua
    Feeds:
    * investigation

    GENERATED META KEYS
    * alert.id = 'nw20080'
    * analysis.session = 'archive extension mismatch'
  • Medium: packet
  • Tag: "defense evasion":"masquerading"

  • Display Name: Archive From IP Address
  • File Name: nw20085
  • Description: archive directly from an ip address with no corresponding alias.host meta. Often indicative of a second stage tool download after a foothold has been established.
  • Medium: packet
  • Tag: "command and control":"remote file copy"

  • Display Name: Archiving Software Reads Multiple Documents
  • File Name: archiving_software_reads_multiple_documents
  • Description: Multiple documents read could be an indication of someone creating a large archive.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = archiving software reads multiple documents
  • Medium: endpoint
  • Tag: "exfiltration":"data compressed"

  • Display Name: Attachment Overload
  • File Name: nw00005
  • Description: Rule looks for more than 4 attachments in a single session.
  • Medium: packet
  • Tag: "initial access":"spearphishing attachment"

  • Display Name: Autorun
  • File Name: autorun
  • Description: Indicates applications or commands that are configured to run on system startup.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = autorun
  • Medium: endpoint
  • Tag: "persistence":"registry run keys / startup folder"

  • Display Name: Autorun Debian Package Mismatch
  • File Name: autorun_debian_package_mismatch
  • Description: A hash mismatch may indicate a file has been altered from its original state and call into question its integrity. Since debian packages typically contain compiled software this could mean an attacker is trying to disguise malicious malware as legitimate.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.5 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = autorun debian package mismatch
  • Medium: endpoint
  • Tag: "defense evasion":"masquerading"

  • Display Name: Autorun File Path Not Part Of Debian Package
  • File Name: autorun_file_path_not_part_of_debian_package
  • Description: Installation or updates of software on Linux systems is typically done through a debian package. Executables outside of this packing format could be considered suspicious.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.5 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = autorun file path not part of debian package
  • Medium: endpoint
  • Tag: "persistence":""

  • Display Name: Autorun File Path Not Part Of RPM
  • File Name: autorun_file_path_not_part_of_rpm
  • Description: Installation or updates of software on Linux systems is typically done through an RPM. Executables outside of this packing format could be considered suspicious.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = autorun file path not part of rpm
  • Medium: endpoint
  • Tag: "persistence":""

  • Display Name: Autorun Invalid Signature Windows Directory
  • File Name: autorun_invalid_signature_windows_directory
  • Description: This rule will return any file with an invalid signature located in the following Windows directories: C:\\ProgramData, C:\\Users\\ \\AppData\\Roaming, C:\\Users\\ \\AppData\\Local, C:\\Windows

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 (Investigation Only)


    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * ioc = autorun key contains non-printable characters
  • Medium: endpoint
  • Tag: "persistence":"registry run keys / startup folder"

  • Display Name: Autorun RPM Mismatch
  • File Name: autorun_rpm_mismatch
  • Description: A hash mismatch may indicate a file has been altered from its original state and call into question its integrity. Since RPMs typically contain compiled software this could mean an attacker is trying to disguise malicious malware as legitimate.
  • Medium: endpoint
  • Tag: "defense evasion":"masquerading"

  • Display Name: Autorun Unsigned Active Setup
  • File Name: autorun_unsigned_active_setup
  • Description: Active Setup is a mechanism for executing commands once per user early during login and executed by explorer.exe. To ensure persistence across reboots and log-offs attackers use active setup which is even more suspicious when it is unsigned.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = autorun unsigned active setup
  • Medium: endpoint
  • Tag: "defense evasion":"modify registry"

  • Display Name: Autorun Unsigned AppInit_DLLs
  • File Name: autorun_unsigned_appinit_dlls
  • Description: Unsigned Autorun AppInit_DLLs can be an indiaction of attacker trying to abused registry key values for DLLs to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = autorun unsigned appinit_dlls
  • Medium: endpoint
  • Tag: "persistence":"appinit dlls", "privilege escalation":"appinit dlls"

  • Display Name: Autorun Unsigned BHO
  • File Name: autorun_unsigned_bho
  • Description: BHOs can be used to monitor user browsing habits and deliver targeted advertising as well as steal information. BHOs Unsigned and configured to run on system startup are used for persistence and are suspicious.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = autorun unsigned bho
  • Medium: endpoint
  • Tag: "persistence":"browser extensions"

  • Display Name: Autorun Unsigned BootExecute Registry Startup Method
  • File Name: autorun_unsigned_bootexecute_registry_startup_method
  • Description: Unsigned Autorun BootExecute registry startup method an indication of someone trying to use startup configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = autorun unsigned bootexecute registry startup method
  • Medium: endpoint
  • Tag: "persistence":"registry run keys / startup folder"

  • Display Name: Autorun Unsigned Explorer Registry Startup Method
  • File Name: autorun_unsigned_explorer_registry_startup_method
  • Description: Unsigned Autorun explorer registry startup method an indication of someone trying to use startup configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = autorun unsigned explorer registry startup method
  • Medium: endpoint
  • Tag: "persistence":"registry run keys / startup folder"

  • Display Name: Autorun Unsigned Hidden
  • File Name: autorun_unsigned_hidden
  • Description: Adversaries can use this to their advantage to hide files and folders anywhere on the system for persistence and evasion. To ensure persistence across reboots attackers configure to run those on system startup which is even more suspicious when it is unsigned.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = autorun unsigned hidden
  • Medium: endpoint
  • Tag: "defense evasion":"hidden files and directories", "persistence":"hidden files and directories"

  • Display Name: Autorun Unsigned Hidden Only Executable In Directory
  • File Name: autorun_unsigned_hidden_only_executable_in_directory
  • Description: This rule will return any unsigned executable file launched as an autorun which has the "Hidden" Windows Property.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 (Investigation Only)
    * NetWitness Platform 11.4 and higher (Full Support)

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = autorun unsigned hidden only executable in directory
  • Medium: endpoint
  • Tag: "defense evasion":"hidden files and directories" ,



Attachments:
RSA Application Rules.pdf