RSA Application Rules - 12

Each entry lists the rule name, the rule identifier, the description (with supported versions, dependencies and generated meta keys where the source gives them), the medium the rule applies to (log, packet, endpoint), and the MITRE ATT&CK tactic:technique mapping.

- Rule name: Web Access: Pastebin
- Rule ID: nw110040
- Description: Detects the existence of "pastebin.com" or "post.php" in a URL string. Pastebin is a very common site for quickly distributing sensitive data and posting and retrieving malicious and benign code snippets. It is often used to post the output of competing Threat Actor Groups, usually in the form of usernames, passwords, and credit card numbers gained during successful harvesting campaigns, as well as focused attacks against servers hosting the data.
- Medium: log, packet
- Tactic/Technique (MITRE ATT&CK): "command and control":"web service", "defense evasion":"web service"

- Rule name: Web Access: Rghost
- Rule ID: nw110035
- Description: Detects the existence of "rghost.net" in a URL string. Rghost is a very common site for quickly distributing sensitive data and posting and retrieving malicious (as well as benign) code snippets. It is often used to post the output of competing Threat Actor Groups, usually in the form of usernames, passwords, and credit card numbers gained during successful harvesting campaigns, as well as focused attacks against servers hosting the data. Additionally, it is a large online repository of searchable malware executables.
- Medium: log, packet
- Tactic/Technique (MITRE ATT&CK): "command and control":"web service", "defense evasion":"web service"

- Rule name: Windows Credential Harvesting Services
- Rule ID: nw05415
- Description: This rule applies to Windows services being installed that are known to be used for pass-the-hash and brute force attacks. These may include psexec, wce, pwdump, cachedump, and gsecdump.
- Medium: log
- Tactic/Technique (MITRE ATT&CK): "lateral movement":"pass the hash", "credential access":"brute force"

- Rule name: Windows Firewall Disabled
- Rule ID: windows_firewall_disabled
- Description: Disabling the firewall can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or making forensic analysis and incident response more difficult due to a lack of sufficient data to determine whether an incident occurred.
- Medium: endpoint
- Tactic/Technique (MITRE ATT&CK): "defense evasion":"disabling security tools"

- Rule name: Windows Task Runs Powershell
- Rule ID: windows_task_runs_powershell
- Description: A Windows task running PowerShell can be an indication of someone trying to use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote execution as part of lateral movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  DEPENDENCIES
  * NetWitness Endpoint Server
  GENERATED META KEYS
  * analysis.file = windows task runs powershell
- Medium: endpoint
- Tactic/Technique (MITRE ATT&CK): "persistence":"scheduled task"

- Rule name: Windows Update Disabled
- Rule ID: windows_update_disabled
- Description: Disabling Windows Update can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or making forensic analysis and incident response more difficult due to a lack of sufficient data to determine whether an incident occurred.
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  DEPENDENCIES
  * NetWitness Endpoint Server
  GENERATED META KEYS
  * eoc = windows update disabled
- Medium: endpoint
- Tactic/Technique (MITRE ATT&CK): "defense evasion":"disabling security tools"

- Rule name: WMIC Remote Node Activity
- Rule ID: wmic_remote_node_activity
- Description: This rule returns instances of the Windows OS process 'wmic.exe' being leveraged with the '/node' parameter. With the proper credentials, an attacker can use this to get information about a system.
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 (Investigation Only)
  * NetWitness Platform 11.4 and higher (Full Support)
  DEPENDENCIES
  * NetWitness Endpoint Server
  GENERATED META KEYS
  * boc = wmic remote node activity
- Medium: endpoint
- Tactic/Technique (MITRE ATT&CK): "execution":"windows management instrumentation"

- Rule name: Wmiprvse Runs Command Shell
- Rule ID: wmiprvse_runs_command_shell
- Description: Windows Management Instrumentation (WMI) is a component of the Microsoft Windows operating system that provides management information and control in an enterprise environment. Wmiprvse running a command shell can be an indication of someone trying to run malicious commands in cmd.exe to exploit the system, which can be further used to gain access, to perform lateral movement, or to gain elevated privileges. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools.
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  DEPENDENCIES
  * NetWitness Endpoint Server
  GENERATED META KEYS
  * analysis.file = wmiprvse runs command shell
- Medium: endpoint
- Tactic/Technique (MITRE ATT&CK): "execution":"windows management instrumentation"

- Rule name: Wmiprvse Runs Powershell
- Rule ID: wmiprvse_runs_powershell
- Description: Common cyber criminals and targeted attackers heavily use PowerShell, as its flexibility makes it an ideal attack tool for Windows-based systems. Wmiprvse running PowerShell can be an indication of someone trying to exploit the system, which can be further used to gain access, to perform lateral movement, or to gain elevated privileges. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools.
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  DEPENDENCIES
  * NetWitness Endpoint Server
  GENERATED META KEYS
  * boc = wmiprvse runs powershell
- Medium: endpoint
- Tactic/Technique (MITRE ATT&CK): "execution":"windows management instrumentation"

- Rule name: Wmiprvse Runs Scripting Engine
- Rule ID: wmiprvse_runs_scripting_engine
- Description: Windows Management Instrumentation (WMI) is a component of the Microsoft Windows operating system that provides management information and control in an enterprise environment. Wmiprvse running a scripting engine can be an indication of someone trying to run malicious scripts to exploit the system, which can be further used to gain access, to perform lateral movement, or to gain elevated privileges. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools.
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  DEPENDENCIES
  * NetWitness Endpoint Server
  GENERATED META KEYS
  * boc = wmiprvse runs scripting engine
- Medium: endpoint
- Tactic/Technique (MITRE ATT&CK): "execution":"windows management instrumentation"

- Rule name: Writes Blacklisted File
- Rule ID: writes_blacklisted_file
- Description: An analyst may mark files as blacklisted within NetWitness Endpoint. If actions on an endpoint involve those blacklisted files being written, this rule will trigger.
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  DEPENDENCIES
  * NetWitness Endpoint Server
  GENERATED META KEYS
  * analysis.file = writes blacklisted file
- Medium: endpoint
- Tactic/Technique (MITRE ATT&CK): "execution":""

- Rule name: Writes Executable To Recycle Bin Directory
- Rule ID: writes_executable_to_recycle_bin_directory
- Description: A technique used by malware authors is to invoke and run a malicious file or process out of the $RECYCLE.BIN folder on Windows systems. Adversaries can use this to hide files and folders anywhere on the system for persistence and to evade a typical user or system analysis that does not incorporate investigation of hidden files.
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  DEPENDENCIES
  * NetWitness Endpoint Server
  GENERATED META KEYS
  * boc = writes executable to recycle bin directory
- Medium: endpoint
- Tactic/Technique (MITRE ATT&CK): "defense evasion":"hidden files and directories"

- Rule name: Writes Executable To Root Of Logical Drive
- Rule ID: writes_executable_to_root_of_logical_drive
- Description: A file that is unsigned or has an invalid signature is trying to write an executable. Without digital validation, this file should not be trusted without analysis.
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  DEPENDENCIES
  * NetWitness Endpoint Server
  GENERATED META KEYS
  * analysis.file boc = writes executable to root of logical drive
- Medium: endpoint
- Tactic/Technique (MITRE ATT&CK): "execution":"user execution"

- Rule name: Writes Executable To Root Of Program Directory
- Rule ID: writes_executable_to_root_of_program_directory
- Description: A file that is unsigned or has an invalid signature is trying to write an executable. Without digital validation, this file should not be trusted without analysis.
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  DEPENDENCIES
  * NetWitness Endpoint Server
  GENERATED META KEYS
  * analysis.file boc = writes executable to root of program directory
- Medium: endpoint
- Tactic/Technique (MITRE ATT&CK): "execution":"user execution"

- Rule name: Writes Executable To Root Of Users Directory
- Rule ID: writes_executable_to_root_of_users_directory
- Description: A file that is unsigned or has an invalid signature is trying to write an executable. Without digital validation, this file should not be trusted without analysis.
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  DEPENDENCIES
  * NetWitness Endpoint Server
  GENERATED META KEYS
  * analysis.file boc = writes executable to root of users directory
- Medium: endpoint
- Tactic/Technique (MITRE ATT&CK): "execution":"user execution"

- Rule name: Writes Executable To System Volume Information Directory
- Rule ID: writes_executable_to_system_volume_information_directory
- Description:
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  DEPENDENCIES
  * NetWitness Endpoint Server
  GENERATED META KEYS
  * boc = writes executable to system volume information directory
- Medium: endpoint
- Tactic/Technique (MITRE ATT&CK): "defense evasion":"hidden files and directories"

- Rule name:
- Rule ID:
- Description:
- Medium: endpoint
- Tactic/Technique (MITRE ATT&CK): "execution":""

- Rule name: Writes Malicious File By Reputation Service
- Rule ID: writes_malicious_file_by_reputation_service
- Description: Files reported as malicious by the reputation service. This indicates execution of files whose hashes are tagged as malicious.
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  DEPENDENCIES
  * NetWitness Endpoint Server
  GENERATED META KEYS
  * ioc = writes malicious file by reputation service
- Medium: endpoint
- Tactic/Technique (MITRE ATT&CK): "execution":""

- Rule name: Writes Suspicious File By Reputation Service
- Rule ID: writes_suspicious_file_by_reputation_service
- Description: Files reported as suspicious by the reputation service. This indicates execution of files whose hashes are tagged as suspicious.
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  DEPENDENCIES
  * NetWitness Endpoint Server
  GENERATED META KEYS
  * ioc = writes suspicious file by reputation service
- Medium: endpoint
- Tactic/Technique (MITRE ATT&CK): "execution":""