
RSA Application Rules - 2

  • Column 1: Created In Last Month
  • Column 2: created_in_last_month
  • Column 3: Files created in the last month may be reviewed for malicious intent.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = created in last month
  • Column 4: endpoint
  • Column 5: "":""

  • Column 1: Creates Browser Extension
  • Column 2: creates_browser_extension
  • Column 3: Browser extensions or plugins are small programs that add functionality to and customize aspects of internet browsers. Once installed, a malicious extension can browse to websites in the background, steal any information the user enters into the browser, and serve as an installer for a RAT for persistence.
  • Column 4: endpoint
  • Column 5: "persistence":"browser extensions"

  • Column 1: Creates Domain User Account
  • Column 2: creates_domain_user_account
  • Column 3: Creating a domain user account can be an indication of an adversary with a sufficient level of access establishing an account of their own. Such accounts may be used for persistence without requiring persistent remote access tools to be deployed on the system.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = creates domain user account
  • Column 4: endpoint
  • Column 5: "persistence":"create account"

  • Column 1: Creates Executable In Startup Directory
  • Column 2: creates_executable_in_startup_directory
  • Column 3: Creating an executable in a startup directory can be an indication of someone trying to use startup configuration locations to execute malware, such as remote access tools, in order to maintain persistence through system reboots.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = creates executable in startup directory
  • Column 4: endpoint
  • Column 5: "persistence":"registry run keys / startup folder"

  • Column 1: Creates Local Driver Service
  • Column 2: creates_local_driver_service
  • Column 3: Creating a local driver service can be an indication of someone trying to maintain persistent access on the system using driver services, which can execute under SYSTEM privileges, modify the registry and create back

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = creates local driver service
  • Column 4: endpoint
  • Column 5: "persistence":"new service"

  • Column 1: Creates Local Service
  • Column 2: creates_local_service
  • Column 3: Creating a local service can be an indication of someone trying to maintain a persistent presence on the system using local services, which can modify the registry, escalate privileges and create a backdoor.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = creates local service
  • Column 4: endpoint
  • Column 5: "persistence":"new service"

  • Column 1: Creates Local Task
  • Column 2: creates_local_task
  • Column 3: Creating a local task can be an indication of someone trying to use task scheduling to execute programs at system startup or on a schedule for persistence, to conduct remote execution as part of lateral movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = creates local task
  • Column 4: endpoint
  • Column 5: "persistence":"scheduled task"

  • Column 1: Creates Local User Account
  • Column 2: creates_local_user_account
  • Column 3: Creating a local user account can be an indication of an adversary with a sufficient level of access establishing an account of their own. Such accounts may be used for persistence without requiring persistent remote access tools to be deployed on the system.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = creates local user account
  • Column 4: endpoint
  • Column 5: "persistence":"create account"

  • Column 1: Creates Password-Protected Archive
  • Column 2: creates_password-protected_archive
  • Column 3: Password-protected archive files can be used to exfiltrate sensitive data, since their contents cannot be examined.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = creates password-protected archive
  • Column 4: endpoint
  • Column 5: "exfiltration":"data compressed"

  • Column 1: Creates Recursive Archive
  • Column 2: creates_recursive_archive
  • Column 3: Creating a recursive archive could be an attempt to exfiltrate many files at once.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = creates recursive archive
  • Column 4: endpoint
  • Column 5: "exfiltration":"data compressed"

  • Column 1: Creates Remote Process Using WMI Command-Line Tool
  • Column 2: creates_remote_process_using_wmi_command-line_tool
  • Column 3: Creating a remote process using the WMI command-line tool can be an indication of someone using WMI to interact with local and remote systems as a means of carrying out many tactics, such as gathering information for Discovery and remote execution of files as part of Lateral Movement.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = creates remote process using wmi command-line tool
  • Column 4: endpoint
  • Column 5: "execution":"windows management instrumentation"

  • Column 1: Creates Remote Service
  • Column 2: creates_remote_service
  • Column 3: Creating a remote service can be an indication of someone trying to maintain a persistent presence on the system using remote services, which can modify the registry, escalate privileges and create a backdoor.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = creates remote service
  • Column 4: endpoint
  • Column 5: "persistence":"new service"

  • Column 1: Creates Remote Task
  • Column 2: creates_remote_task
  • Column 3: Creating a remote task can be an indication of someone trying to use task scheduling to execute programs at system startup or on a schedule for persistence, to conduct remote execution as part of lateral movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = creates remote task
  • Column 4: endpoint
  • Column 5: "persistence":"scheduled task"

  • Column 1: Creates Run Key
  • Column 2: creates_run_key
  • Column 3: Creating a new run key can be an indication of someone trying to use startup configuration locations to execute malware, such as remote access tools, in order to maintain persistence through system reboots.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = creates run key
  • Column 4: endpoint
  • Column 5: "persistence":"registry run keys / startup folder"

  • Column 1: Creates Shadow Volume For Logical Drive
  • Column 2: creates_shadow_volume_for_logical_drive
  • Column 3: Creating a shadow volume for a logical drive can be an indication of someone trying to dump credentials from shadow backup copies of the system in order to gain a privileged foothold, allowing them unfettered access to elevate privileges and move about the network freely without detection.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = creates shadow volume for logical drive
  • Column 4: endpoint
  • Column 5: "credential access":"credential dumping"

  • Column 1: Creates Suspicious Service Running Command Prompt
  • Column 2: creates_suspicious_service_running_command_prompt
  • Column 3: Creating a suspicious service that runs a command prompt can be an indication of someone trying to create and run malicious services to exploit the system, which can be further used to gain access, move laterally or gain elevated privileges. Attackers may take advantage of this to proxy execution of code and avoid triggering security tools.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = creates suspicious service running command prompt
  • Column 4: endpoint
  • Column 5: "execution":"service execution"