.png?width=180&height=32&name=NW%20Logo%20(2).png){kind=small}
RSA Application Rules- 3
- Column 1: Enumerates Local Administrators
- Column 2: enumerates_local_administrators
- Column 3: Enumeration of local administrators can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.
VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher
DEPENDENCIES
* NetWitness Endpoint Server
GENERATED META KEYS
* boc = enumerates local administrators - Column 4: endpoint
- Column 5: "discovery":"account discovery"
- Column 1: Enumerates Local Administrators On Domain Controller
- Column 2: enumerates_local_administrators_on_domain_controller
- Column 3: Enumeration of local administrators on domain controller can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.
VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher
DEPENDENCIES
* NetWitness Endpoint Server
GENERATED META KEYS
* boc = enumerates local administrators on domain controller - Column 4: endpoint
- Column 5: "discovery":"account discovery"
- Column 1: Enumerates Local Groups
- Column 2: enumerates_local_groups
- Column 3: Enumeration of local groups can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.
VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher
DEPENDENCIES
* NetWitness Endpoint Server
GENERATED META KEYS
* boc = enumerates local groups - Column 4: endpoint
- Column 5: "discovery":"account discovery"
- Column 1: Enumerates Local Services
- Column 2: enumerates_local_services
- Column 3: Enumeration of local services can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.
VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher
DEPENDENCIES
* NetWitness Endpoint Server
GENERATED META KEYS
* analysis.file = enumerates local services - Column 4: endpoint
- Column 5: "discovery":"system information discovery"
- Column 1: Enumerates Local Users
- Column 2: enumerates_local_users
- Column 3: Enumeration of local users can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.
VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher
DEPENDENCIES
* NetWitness Endpoint Server
GENERATED META KEYS
* boc = enumerates local users - Column 4: endpoint
- Column 5: "discovery":"account discovery"
- Column 1: Enumerates Logical Disk
- Column 2: enumerates_logical_disk
- Column 3: Enumeration of logical disk can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.
VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher
DEPENDENCIES
* NetWitness Endpoint Server
GENERATED META KEYS
* boc = enumerates logical disk - Column 4: endpoint
- Column 5: "discovery":"system information discovery"
- Column 1: Enumerates Mapped Resources
- Column 2: enumerates_mapped_resources
- Column 3: Enumeration of mapped resources can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.
VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher
DEPENDENCIES
* NetWitness Endpoint Server
GENERATED META KEYS
* analysis.file = enumerates mapped resources - Column 4: endpoint
- Column 5: "discovery":"system network connections discovery"
- Column 1: Enumerates Network Connections
- Column 2: enumerates_network_connections
- Column 3: Enumeration of network connections can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.
VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher
DEPENDENCIES
* NetWitness Endpoint Server
GENERATED META KEYS
* analysis.file = enumerates network connections - Column 4: endpoint
- Column 5: "discovery":"system network connections discovery"
- Column 1: Enumerates Primary Domain Controller
- Column 2: enumerates_primary_domain_controller
- Column 3: Enumeration of primary domain controller can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.
VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher
DEPENDENCIES
* NetWitness Endpoint Server
GENERATED META KEYS
* boc = enumerates primary domain controller - Column 4: endpoint
- Column 5: "discovery":"remote system discovery"
- Column 1: Enumerates Processes On Local System
- Column 2: enumerates_processes_on_local_system
- Column 3: Enumeration of processes on local system can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.
VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher
DEPENDENCIES
* NetWitness Endpoint Server
GENERATED META KEYS
* analysis.file = enumerates processes on local system - Column 4: endpoint
- Column 5: "discovery":"process discovery"
- Column 1: Enumerates Processes On Remote System
- Column 2: enumerates_processes_on_remote_system
- Column 3: Enumeration of processes on local system can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.
VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher
DEPENDENCIES
* NetWitness Endpoint Server
GENERATED META KEYS
* boc = enumerates processes on remote system - Column 4: endpoint
- Column 5: "discovery":"process discovery"
- Column 1: Enumerates Remote Netbios Name Table
- Column 2: enumerates_remote_netbios_name_table
- Column 3: Enumeration of remote netbios name table can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.
VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher
DEPENDENCIES
* NetWitness Endpoint Server
GENERATED META KEYS
* boc = enumerates remote netbios name table - Column 4: endpoint
- Column 5: "discovery":"system network configuration discovery"
- Column 1: Enumerates Remote Resources
- Column 2: enumerates_remote_resources
- Column 3: Enumeration of remote resources can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.
VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher
DEPENDENCIES
* NetWitness Endpoint Server
GENERATED META KEYS
* boc = enumerates remote resources - Column 4: endpoint
- Column 5: "discovery":"network share discovery"
- Column 1: Enumerates Route Table
- Column 2: enumerates_route_table
- Column 3: Enumeration of routing table can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.
VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher
DEPENDENCIES
* NetWitness Endpoint Server
GENERATED META KEYS
* analysis.file = enumerates route table - Column 4: endpoint
- Column 5: "discovery":"system network configuration discovery"
- Column 1: Enumerates Services Hosted In Processes
- Column 2: enumerates_services_hosted_in_processes
- Column 3: Enumeration of services hosted in processes can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.
VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher
DEPENDENCIES
* NetWitness Endpoint Server
GENERATED META KEYS
* analysis.file = enumerates services hosted in processes - Column 4: endpoint
- Column 5: "discovery":"system information discovery"
- Column 1: Enumerates System Info
- Column 2: enumerates_system_info
- Column 3: Enumeration of system information can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.
VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher
DEPENDENCIES
* NetWitness Endpoint Server
GENERATED META KEYS
* boc = enumerates system info - Column 4: endpoint
- Column 5: "discovery":"system information discovery"
- Column 1: Enumerates Trusted Domains
- Column 2:
- Column 3: endpoint
- Column 4: "discovery":"remote system discovery"
- Column 1: Etc Password Get Request
- Column 2: nw50005
- Column 3: Detects a get request for "/etc/passwd"
- Column 4: log, packet
- Column 5: "credential access":"credential dumping", "credential access":"credentials in files"
- Column 1: Etc Shadow Get Request
- Column 2: nw50010
- Column 3: Detects attempted get request for /etc/shadow
- Column 4: log, packet
- Column 5: "credential access":"credential dumping", "credential access":"credentials in files"
- Column 1: Evasive Powershell Used Over Network
- Column 2: evasive_powershell_used_over_network
- Column 3: This rule will trigger when PowerShell with evasive options will be detected through a network event. Automated tools like PowerShell Empire run evasive remote PowerShell commands through network. Adversaries can use such technique for execution while evading defenses.
VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)
DEPENDENCIES
* NetWitness Endpoint Server
GENERATED META KEYS
* boc = evasive powershell used over network - Column 4: endpoint
- Column 5: "execution":"powershell", "defense evasion":""
- Column 1: Event Viewer Executes Uncommon Binary
- Column 2: event_viewer_executes_uncommon_binary
- Column 3: Event viewer executing uncommon binary can be an indication of possible Windows User Account Control (UAC) bypass. Attacker can use these techniques to elevate privileges to administrator if the target process is unprotected. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.
VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher
DEPENDENCIES
* NetWitness Endpoint Server
GENERATED META KEYS
* boc = event viewer executes uncommon binary - Column 4: endpoint
- Column 5: "privilege escalation":"bypass user account control"
- Column 1: exe filetype but not exe extension
- Column 2: exe_filetype_but_not_exe_extension
- Column 3: An executable was detected in the session but no filename with an "exe" extension was seen in the same session.
- Column 4: packet
- Column 5: "defense evasion":"masquerading"
- Column 1: Executable In ADS
- Column 2: executable_in_ads
- Column 3: Leveraging Alternate Data Streams can be a way to mask a malicious file inside a data stream of another binary, which can then be executed by launching the file it is forked into
- Column 4: endpoint
- Column 5: "defense evasion":"ntfs file attributes"
- Column 1: Execute DLL Through Rundll32
- Column 2: execute_dll_through_rundll32
- Column 3: Rundll32 program can be called to execute an arbitrary binary. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools.
VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher
DEPENDENCIES
* NetWitness Endpoint Server
GENERATED META KEYS
* boc = execute dll through rundll32 - Column 4: endpoint
- Column 5: "execution":"rundll32", "defense evasion":"rundll32"
- Column 1: Explorer Public Folder DLL Load
- Column 2: explorer_public_folder_dll_load
- Column 3: This rule will return hits from 'explorer.exe' launching the Windows OS process 'rundll32.exe' that leverages the folders "Public\\Libraries" or 'ClassWindow'
VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)
DEPENDENCIES
* NetWitness Endpoint Server
GENERATED META KEYS
* boc = explorer public folder dll load - Column 4: endpoint
- Column 5: "execution":"rundll32" ,