
RSA Application Rules - 4

  • Column 1: Hidden And Hooking
  • Column 2: hidden_and_hooking
  • Column 3: Hooking may be used to intercept and execute code in response to events. If the hooking file is also hidden, this could indicate an attempt by an attacker to evade detection.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 (Investigation Only)
    * NetWitness Platform 11.4 and higher (Full Support)

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = hidden and hooking
  • Column 4: endpoint
  • Column 5: "persistence":"hooking", "defense evasion":"hidden files and directories", "persistence":"hidden files and directories"

  • Column 1: Hidden In AppData
  • Column 2: hidden_in_appdata
  • Column 3: Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
  • Column 4: endpoint
  • Column 5: "defense evasion":"hidden files and directories"

  • Column 1: Hidden Plist And Autorun
  • Column 2: hidden_plist_and_autorun
  • Column 3: plist (Property List) is a flexible and convenient format for storing application data. Adversaries can modify these plist files to point to their own code, use them to execute their code in the context of another user, bypass whitelisting procedures, or even use them as a persistence mechanism.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = hidden plist and autorun
  • Column 4: endpoint
  • Column 5: "persistence":"hidden files and directories"

  • Column 1: Hidden Running As Root
  • Column 2: hidden_running_as_root
  • Column 3: A file is typically hidden to prevent users from accidentally changing it on a filesystem. A hidden file running with root privileges may indicate attacker behavior intended to evade detection and install malware to maintain persistence.
  • Column 4: endpoint
  • Column 5: "defense evasion":"hidden files and directories"

  • Column 1: High Risk File From Blacklisted Host
  • Column 2: nw20065
  • Column 3: Executable download from a host on a blacklist feed.
  • Column 4: packet
  • Column 5: "execution":""

  • Column 1: Hooks Audio Output Function
  • Column 2: hooks_audio_output_function
  • Column 3: A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = hooks audio output function
  • Column 4: endpoint
  • Column 5: "persistence":"hooking"

  • Column 1: Hooks Authentication Function
  • Column 2: hooks_authentication_function
  • Column 3: A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = hooks authentication function
  • Column 4: endpoint
  • Column 5: "persistence":"hooking"

  • Column 1: Hooks Crypto Function
  • Column 2: hooks_crypto_function
  • Column 3: A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = hooks crypto function
  • Column 4: endpoint
  • Column 5: "persistence":"hooking"

  • Column 1: Hooks DnsQuery Function
  • Column 2: hooks_dnsquery_function
  • Column 3: A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = hooks dnsquery function
  • Column 4: endpoint
  • Column 5: "persistence":"hooking"

  • Column 1: Hooks GUI Function
  • Column 2: hooks_gui_function
  • Column 3: A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = hooks gui function
  • Column 4: endpoint
  • Column 5: "persistence":"hooking"

  • Column 1: Hooks Network HTTP Function
  • Column 2: hooks_network_http_function
  • Column 3: A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = hooks network http function
  • Column 4: endpoint
  • Column 5: "persistence":"hooking"

  • Column 1: Hooks Network IO Function
  • Column 2: hooks_network_io_function
  • Column 3: A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = hooks network io function
  • Column 4: endpoint
  • Column 5: "persistence":"hooking"

  • Column 1: Hooks NtLdr Function
  • Column 2: hooks_ntldr_function
  • Column 3: A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = hooks ntldr function
  • Column 4: endpoint
  • Column 5: "persistence":"hooking"

  • Column 1: Hooks Registry Access Function
  • Column 2: hooks_registry_access_function
  • Column 3: A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = hooks registry access function
  • Column 4: endpoint
  • Column 5: "persistence":"hooking"

  • Column 1: Hooks Registry Enumeration Function
  • Column 2: hooks_registry_enumeration_function
  • Column 3: A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = hooks registry enumeration function
  • Column 4: endpoint
  • Column 5: "persistence":"hooking"

  • Column 1: HTTP Daemon Runs Command Prompt
  • Column 2: http_daemon_runs_command_prompt
  • Column 3: An HTTP daemon running a command prompt can be an indication of a web shell trying to run malicious commands, which may serve as Redundant Access or as a persistence mechanism in case an adversary's primary access methods are detected and removed.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = http daemon runs command prompt
  • Column 4: endpoint
  • Column 5: "persistence":"web shell"

  • Column 1: HTTP Daemon Runs Powershell
  • Column 2: http_daemon_runs_powershell
  • Column 3: An HTTP daemon running PowerShell can be an indication of a web shell trying to run malicious commands, which may serve as Redundant Access or as a persistence mechanism in case an adversary's primary access methods are detected and removed.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = http daemon runs powershell
  • Column 4:

  • Column 1: IE DEP Disabled
  • Column 2: ie_dep_disabled
  • Column 3: Disabling IE DEP can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or making forensic analysis and incident response more difficult due to a lack of sufficient data to determine whether an incident occurred.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * eoc = ie dep disabled
  • Column 4: endpoint
  • Column 5: "defense evasion":"disabling security tools"

  • Column 1: IE Enhanced Security Disabled
  • Column 2: ie_enhanced_security_disabled
  • Column 3: Disabling IE Enhanced Security can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or making forensic analysis and incident response more difficult due to a lack of sufficient data to determine whether an incident occurred.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * eoc = ie enhanced security disabled
  • Column 4: endpoint
  • Column 5: "defense evasion":"disabling security tools"

  • Column 1: In AppData Directory
  • Column 2: in_appdata_directory
  • Column 3: These locations are often used by malware authors to store malicious payloads, with autoruns in place to ensure persistence.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = in appdata directory
  • Column 4: endpoint
  • Column 5: "defense evasion":"hidden files and directories"

  • Column 1: In Hidden Directory
  • Column 2: in_hidden_directory
  • Column 3: To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a hidden file. Adversaries can use this to their advantage to hide files and folders anywhere on the system for persistence and evading a typical user or system analysis that does not incorporate investigation of hidden files.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = in hidden directory
  • Column 4: endpoint
  • Column 5: "defense evasion":"hidden files and directories"

  • Column 1: In Recycle Bin Directory
  • Column 2: in_recycle_bin_directory
  • Column 3: A file found in the recycle bin directory may be suspicious.
  • Column 4: endpoint
  • Column 5: "defense evasion":"hidden files and directories"

  • Column 1: In Root Of AppDataLocal Directory
  • Column 2: in_root_of_appdatalocal_directory
  • Column 3: These locations are often used by malware authors to store malicious payloads, with autoruns in place to ensure persistence.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = in root of appdatalocal directory
  • Column 4: endpoint
  • Column 5: "defense evasion":"hidden files and directories"

  • Column 1: In Root Of AppDataRoaming Directory
  • Column 2: in_root_of_appdataroaming_directory
  • Column 3: These locations are used often by malware authors to store malicious payloads ,