RSA Application Rules- 5
- Column 1: Lists Firewall Products
- Column 2: lists_firewall_products
- Column 3: Listing firewall products can be an indication of someone trying to discover potential attack vectors on the system, which can then be used for further exploitation of the system.
VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher
DEPENDENCIES
* NetWitness Endpoint Server
GENERATED META KEYS
* analysis.file = lists firewall products
- Column 4: endpoint
- Column 5: "discovery":"security software discovery"
- Column 1: Locky Malware
- Column 2: nw22355
- Column 3: Detects malicious outbound traffic between a system infected with Locky Ransomware and command and control server.
REFERENCES
Reference this RSA Link blog post from RSA Research for more details about this threat:
https://community.rsa.com/community/products/netwitness/blog/2016/10/03/nemucod-and-locky
DEPENDENCIES
Lua Parsers
* HTTP_lua
* traffic_flow
Feeds
* NetWitness
GENERATED META KEYS
* ioc = locky malware
* inv.category = threat
* inv.context = malware, crimeware
- Column 4: packet
- Column 5: "impact":"data encrypted for impact", "command and control":"standard application layer protocol"
- Column 1: Login Bypass Configured
- Column 2: login_bypass_configured
- Column 3: Accessibility features that may be launched with a key combination before a user has logged in. A login bypass can be an indicator of someone trying to modify the way these programs are launched to maintain a persistent presence on the system, which can escalate privileges and create a backdoor without logging in to the system.
VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher
DEPENDENCIES
* NetWitness Endpoint Server
GENERATED META KEYS
* eoc = login bypass configured
- Column 4: endpoint
- Column 5: "persistence":"accessibility features", "privilege escalation":"accessibility features", "privilege escalation":"image file execution options injection", "persistence":"image file execution options injection", "defense evasion":"image file execution options injection"
- Column 1: LSASS Access
- Column 2: lsass_access
- Column 3: Detects suspicious access to lsass.exe through sysmon logs. This process access indicates probable credential dumping.
DEPENDENCIES
Log Parsers:
* At least one of the Windows log device parsers
Feeds:
* Investigation
GENERATED META KEYS
* ioc = lsass access
* inv.category = identity, threat
* inv.context = attack phase, action on objectives, lateral movement
- Column 4: log
- Column 5: "credential access":"credential dumping", "execution":"lsass driver", "persistence":"lsass driver"
- Column 1: LUA Disabled
- Column 2: lua_disabled
- Column 3: Windows User Account Control (UAC) will not notify the user when programs try to make changes to the computer. UAC was formerly known as Limited User Account (LUA). This can be an attempt to bypass UAC.
VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher
DEPENDENCIES
* NetWitness Endpoint Server
GENERATED META KEYS
* eoc = lua disabled
- Column 4: endpoint
- Column 5: "defense evasion":"bypass user account control", "privilege escalation":"bypass user account control"
- Column 1: Mac Firewall Disabled
- Column 2: mac_firewall_disabled
- Column 3: Disabling the firewall can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or making forensic analysis and incident response more difficult due to a lack of sufficient data to determine that an incident occurred.
- Column 4: endpoint
- Column 5: "defense evasion":"disabling security tools"
- Column 1: Malicious File By Reputation Service
- Column 2: malicious_file_by_reputation_service
- Column 3: Files reported as malicious by the reputation service indicate execution of files whose hashes are tagged as malicious.
VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher
DEPENDENCIES
* NetWitness Endpoint Server
GENERATED META KEYS
* ioc = malicious file by reputation service
- Column 4: endpoint
- Column 5: "execution":""
- Column 1: Maps Administrative Share
- Column 2: maps_administrative_share
- Column 3: Mapping an administrative share can be an indicator of someone attempting lateral movement or privilege escalation by using hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions.
- Column 4: endpoint
- Column 5: "lateral movement":"windows admin shares"
- Column 1: Maps IPC$ Share
- Column 2: maps_ipc$_share
- Column 3: Mapping the IPC$ share can be an indicator of someone attempting lateral movement or privilege escalation by using hidden IPC$ shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions.
VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher
DEPENDENCIES
* NetWitness Endpoint Server
GENERATED META KEYS
* boc = maps ipc$ share
- Column 4: endpoint
- Column 5: "lateral movement":"windows admin shares"
- Column 1: Mirage Malware
- Column 2: nw22305
- Column 3: Detects malicious outbound traffic due to installation of Mirage malware. The HTTP_lua parser is a required dependency.
Reference this RSA Link blog post from RSA Research for more details about this threat:
https://community.rsa.com/community/products/netwitness/blog/2015/11/10/detecting-mirage-variants-using-security-analytics
- Column 4: packet
- Column 5: "command and control":"data encoding", "command and control":"standard application layer protocol", "command and control":"custom cryptographic protocol", "exfiltration":"data encrypted", "exfiltration":"exfiltration over command and control channel"
- Column 1: Misleading File Extension
- Column 2: misleading_file_extension
- Column 3: A misleading file extension can be an indication of a file masquerading as an authorized file type in order to gain access or to gain greater privileges than authorized.
VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher
DEPENDENCIES
* NetWitness Endpoint Server
GENERATED META KEYS
* analysis.file = misleading file extension
- Column 4: endpoint
- Column 5: "defense evasion":"masquerading"
- Column 1: Modifies Registry Using Command-Line Registry Tool
- Column 2: modifies_registry_using_command-line_registry_tool
- Column 3: Modifying registry using command-line registry tool can be an indication of adversaries trying to interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in Persistence and Execution.
VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher
DEPENDENCIES
* NetWitness Endpoint Server
GENERATED META KEYS
* analysis.file = modifies registry using command-line registry tool
- Column 4: endpoint
- Column 5: "defense evasion":"modify registry"
- Column 1: Modifies Run Key
- Column 2: modifies_run_key
- Column 3: Modifying a run key can be an indication of someone trying to use startup configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots.
VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher
DEPENDENCIES
* NetWitness Endpoint Server
GENERATED META KEYS
* boc = modifies run key
- Column 4: endpoint
- Column 5: "persistence":"registry run keys / startup folder"
- Column 1: Modifies Shell-Open-Command File Association
- Column 2: modifies_shell-open-command_file_association
- Column 3: File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access. Modifying shell-open-command file association can be an attempt to execute arbitrary commands in order to maintain persistence and remain undetected.
VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher
DEPENDENCIES
* NetWitness Endpoint Server
GENERATED META KEYS
* analysis.file = modifies shell-open-command file association
- Column 4: endpoint
- Column 5: "persistence":"change default file association"
- Column 1: Mshta Runs Command Prompt
- Column 2: mshta_runs_command_prompt
- Column 3: Mshta.exe executes Microsoft HTML Applications (HTA). Attackers can use mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted Windows utility. It is suspicious for Mshta to run a command prompt.
VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher
DEPENDENCIES
* NetWitness Endpoint Server
GENERATED META KEYS
* boc = mshta runs command prompt
- Column 5: "execution":"mshta", "defense evasion":"mshta"
- Column 1: Mshta Runs Powershell
- Column 2: mshta_runs_powershell