RSA Application Rules 11

• Column 1: System Restore Disabled
• Column 2: system_restore_disabled
• Column 3: Disabling system restore can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.
  
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  
  DEPENDENCIES
  * NetWitness Endpoint Server
  
  GENERATED META KEYS
  * eoc = system restore disabled
• Column 4: endpoint
• Column 5: "defense evasion":"disabling security tools"

• Column 1: Taidoor Malware
• Column 2: nw22335
• Column 3: Detects malicious outbound traffic between Malware Taidoor and command and control server. Either the HTTP_lua or HTTP native parser and traffic_flow parser is required.
  Reference this RSA Link blog post from RSA Research for more details about this threat:
  https://community.rsa.com/thread/185493
• Column 4: packet
• Column 5: "command and control":"data encoding", "exfiltration":"exfiltration over command and control channel"

• Column 1: Task Manager Disabled
• Column 2: task_manager_disabled
• Column 3: Task Manager provides information about processes running on your system and their memory use. Disabling task manager may prevent a user from seeing anomalous processes.
  
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  
  DEPENDENCIES
  * NetWitness Endpoint Server
  
  GENERATED META KEYS
  * eoc = task manager disabled
• Column 4: endpoint
• Column 5: "defense evasion":"disabling security tools"

• Column 1: Tasks In ProgramData Directory
• Column 2: tasks_in_programdata_directory
• Column 3: Tasks running out of a hidden directory indicates defense measures to hide malicious execution.
  
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  
  DEPENDENCIES
  * NetWitness Endpoint Server
  
  GENERATED META KEYS
  * analysis.file = tasks in programdata directory
• Column 4: endpoint
• Column 5: "execution":"scheduled task", "defense evasion":"hidden files and directories"

• Column 1: tdss_rootkit_variant_beaconing
• Column 2: app000002
• Column 3: Detects the beaconing activity of the TDSS Rootkit botnet.
• Column 4: log, packet
• Column 5: "defense evasion":"rootkit", "exfiltration":""

• Column 1: Tendrit Malware
• Column 2: nw22320
• Column 3: Detects malicious outbound traffic between backdoor/malware Tendrit variants and command and control server. Either the HTTP_lua or HTTP native parser is required.
  Reference this RSA Link blog post from RSA Research for more details about this threat: https://community.rsa.com/community/products/netwitness/blog/2016/05/09/detecting-tendrit-variants-using-security-analytics
• Column 4: packet
• Column 5: "command and control":"data encoding", "exfiltration":"data encrypted", "exfiltration":"exfiltration over command and control channel"

• Column 1: Terminates Process
• Column 2: terminates_process
• Column 3: Terminating process can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.
  
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  
  DEPENDENCIES
  * NetWitness Endpoint Server
  
  GENERATED META KEYS
  * analysis.file = terminates process
• Column 4: endpoint
• Column 5: "defense evasion":"disabling security tools"

• Column 1: Tor Outbound
• Column 2: nw00035
• Column 3: Detects an encrypted network sessions as well as log sessions to an external (non RFC-1918) IP destination that shows at least one indicator of using the Tor protocol for anonymous data access. The possible indicators of Tor are: Communication over a common Tor destination port of 9001, 9030, 9101, 9003, 9050, 9051 or communication with a known Tor tunnel node.
  
  DEPENDENCIES
  Packets:
  Lua Parsers:
  * traffic_flow
  * TLS_lua
  Feeds:
  * Tor Exit Nodes
  * Investigation
  
  Logs:
  Lua Parsers:
  * traffic_flow
  Feeds:
  * Tor Exit Nodes
  * Investigation
  Log Parsers:
  * Atleast one parser with device.class='Firewall' or device.type='rsaflow'
  
  GENERATED META KEYS
  * analysis.session= tunneling outbound tor
  * inv.category = assurance
  * inv.context = compliance, corporate, organizational hazard, risk
• Column 4: log, packet
• Column 5: "command and control":"multilayer encryption", "command and control":"multi-hop proxy"

• Column 1: Torrent File Download
• Column 2: nw70010
• Column 3: Detects the download of a .torrent file.
• Column 4: log, packet
• Column 5: "":""

• Column 1: Transfers File Using BITS
• Column 2: transfers_file_using_bits
• Column 3: Background Intelligent Transfer Service (BITS) is a Windows component used to transfer files. It has commonly been used for malware distribution.
  
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  
  DEPENDENCIES
  * NetWitness Endpoint Server
  
  GENERATED META KEYS
  * ioc = transfers file using bits
• Column 4: endpoint
• Column 5: "lateral movement":"remote file copy"

• Column 1: Trojan BLT
• Column 2: nw22300
• Column 3: Detects malicious outbound traffic due to installation of Trojan BLT variants. Either the HTTP_lua or HTTP native parser is required.
  
  Reference this RSA Link blog post from RSA Research for more details about this threat: https://community.rsa.com/community/products/netwitness/blog/2015/12/04/detecting-trojanblt-variants-using-security-analytics
• Column 4: packet
• Column 5: "discovery":"system network configuration discovery", "exfiltration":"exfiltration over command and control channel", "command and control":"standard application layer protocol"

• Column 1: tsone dorkbot beaconing
• Column 2: app000003
• Column 3: Detects hosts infected with the TSONE Dorkbot.
• Column 4: packet
• Column 5: "command and control":""

• Column 1: UAC Disabled
• Column 2: uac_disabled
• Column 3: Disabling UAC can be an indication of possible Windows User Account Control (UAC) bypass. Attacker can use these techniques to elevate privileges to administrator if the target process is unprotected. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.
  
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  
  DEPENDENCIES
  * NetWitness Endpoint Server
  
  GENERATED META KEYS
  * eoc = uac disabled
• Column 4: endpoint
• Column 5: "privilege escalation":"bypass user account control"

• Column 1: Unexpected csrss.exe Parent
• Column 2: unexpected_csrss.exe_parent
• Column 3: Presence of unexpected csrss.exe can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain elevated privileges.
  
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  
  DEPENDENCIES
  * NetWitness Endpoint Server
  
  GENERATED META KEYS
  * boc = unexpected csrss.exe parent
• Column 4: endpoint
• Column 5: "defense evasion":"masquerading"

• Column 1: Unexpected Explorer.exe Destination Location
• Column 2: unexpected_explorer.exe_destination_location
• Column 3: Explorer.exe at unexpected location can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain greater privileges than they are authorized for.
• Column 4: endpoint
• Column 5: "defense evasion":"masquerading"

• Column 1: Unexpected explorer.exe Parent
• Column 2: unexpected_explorer.exe_parent
• Column 3: Presence of unexpected explorer.exe can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain elevated privileges.
  
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  
  DEPENDENCIES
  * NetWitness Endpoint Server
  
  GENERATED META KEYS
  * boc = unexpected explorer.exe parent
• Column 4: endpoint
• Column 5: "defense evasion":"masquerading"

• Column 1: Unexpected Explorer.exe Source Location
• Column 2: unexpected_explorer.exe_source_location
• Column 3: Explorer.exe at unexpected location can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain greater privileges than they are authorized for.
• Column 4: endpoint
• Column 5: "defense evasion":"masquerading"

• Column 1: Unexpected lsass.exe Parent
• Column 2:

• Column 1: Unsigned Creates Remote Thread
• Column 2: unsigned_creates_remote_thread
• Column 3: A file that is unsigned or with an invalid signature is trying to create a remote thread into a process. Without the digital validation, this file should not be trusted without analysis.
  
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  
  DEPENDENCIES
  * NetWitness Endpoint Server
  
  GENERATED META KEYS
  * analysis.file boc = unsigned creates remote thread
• Column 4: endpoint
• Column 5: "privilege escalation":"process injection", "defense evasion":"process injection"

• Column 1: Unsigned Creates Remote Thread And File Hidden
• Column 2: unsigned_creates_remote_thread_and_file_hidden
• Column 3: This rule will return any unsigned and hidden files that leverage the Windows API "CreateRemoteThread" functionality.
  
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 (Investigation Only)
  * NetWitness Platform 11.4 and higher (Full Support)
  
  DEPENDENCIES
  * NetWitness Endpoint Server
  
  GENERATED META KEYS
  * boc = unsigned creates remote thread and file hidden
• Column 4: endpoint
• Column 5: "defense evasion":"process injection", "privilege escalation":"process injection", "defense evasion":"hidden files and directories", "persistence":"hidden files and directories"

• Column 1: Unsigned Cron Job
• Column 2: unsigned_cron_job
• Column 3: The software utility cron is used to schedule jobs (commands or scripts) to run periodically.
  
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  
  DEPENDENCIES
  * NetWitness Endpoint Server
  
  GENERATED META KEYS
  * boc = unsigned cron job
• Column 4: endpoint
• Column 5: "persistence":"local job scheduling", "execution":"local job scheduling"

• Column 1: Unsigned Deletes Self
• Column 2: unsigned_deletes_self
• Column 3: A file deletes itself as detected by checksum. Malware may be attempting to hide its spread through the network.
  
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  
  DEPENDENCIES
  * NetWitness Endpoint Server
  
  GENERATED META KEYS
  * boc = unsigned deletes self
• Column 4: endpoint
• Column 5: "defense evasion":"file deletion"

• Column 1: Unsigned Kext
• Column 2: unsigned_kext
• Column 3: Kext signature validation is a code signing requirement for all extensions and drivers located in the extensions folder. A file that is unsigned should be examined as possible malware.
• Column 4: endpoint
• Column 5: "defense evasion":"code signing"

• Column 1: Unsigned Library In Suspicious Daemon
• Column 2: unsigned_library_in_suspicious_daemon
• Column 3: This rule will trigger for OS MAC if an unsigned library is found associated with a suspicious daemon. Adversaries can inject libraries to be run in background processes like daemon for persistence and evasion.
  
  VERSIONS SUPPORTED
  * NetWitness Platform 11.4 and higher
  
  DEPENDENCIES
  * NetWitness Endpoint Server
  
  GENERATED META KEYS
  * analysis.file = unsigned library in suspicious daemon
• Column 4: endpoint
• Column 5: "":""

• Column 1: Unsigned Module In Signed Process
• Column 2: unsigned_module_in_signed_process
• Column 3: All threads spawned from a signed process should also be signed. An unsigned module may indicate process injection. Malware commonly utilizes process injection to access system resources through which persistence and other environment modifications can be made.
• Column 4: endpoint
• Column 5: "defense evasion":"process injection"

• Column 1: Unsigned Opens LSASS
• Column 2: unsigned_opens_lsass
• Column 3: This rule will return any unsigned filename which opens/accesses the Windows OS process 'lsass.exe'. This type of activity can be indicitivate of credential stealers.
  
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 (Investigation Only)
  * NetWitness Platform 11.4 and higher (Full Support)
  
  DEPENDENCIES
  * NetWitness Endpoint Server
  
  GENERATED META KEYS
  * boc = unsigned opens lsass
• Column 4: endpoint
• Column 5: "credential access":"credential dumping"

• Column 1: Unsigned Reserved Name
• Column 2: unsigned_reserved_name
• Column 3:
  
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  
  DEPENDENCIES
  * NetWitness Endpoint Server
  
  GENERATED META KEYS
  * ioc = unsigned reserved name
• Column 4: endpoint
• Column 5: "defense evasion":"masquerading"

• Column 1: Unsigned Runs Python
• Column 2: unsigned_runs_python
• Column 3: An unsigned process is running a python script.
  
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  
  DEPENDENCIES
  * NetWitness Endpoint Server
  
  GENERATED META KEYS
  * boc = unsigned runs python
• Column 4: endpoint
• Column 5: "execution":"scripting"

• Column 1: Unsigned Writes Executable
• Column 2: unsigned_writes_executable
• Column 3: A file that is unsigned or with an invalid signature is trying to write an executable. Without the digital validation, this file should not be trusted without analysis.
  
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  
  DEPENDENCIES
  * NetWitness Endpoint Server
  
  GENERATED META KEYS
  * boc = unsigned writes executable
• Column 4: endpoint
• Column 5: "execution":"user execution"

• Column 1: Unsigned Writes Executable To AppDataLocal Directory
• Column 2: unsigned_writes_executable_to_appdatalocal_directory
• Column 3: A file that is unsigned or with an invalid signature is trying to write an executable. Without the digital validation ,