Skip to content
  • There are no suggestions because the search field is empty.

RSA Application Rules- 6

  • Column 1: Non-Standard Port Use - DHCP
  • Column 2: nw60035
  • Column 3: Identifies dhcp traffic over a port that is not typically used for dhcp
  • Column 4: packet
  • Column 5: "command and control":"uncommonly used port"

  • Column 1: Non-Standard Port Use - FTP
  • Column 2: nw60015
  • Column 3: ftp over ports other than TCP 21
  • Column 4: packet
  • Column 5: "command and control":"uncommonly used port"

  • Column 1: Non-Standard Port Use - H323
  • Column 2: nw60095
  • Column 3: Identifies h323 traffic over a port that is not typically used for h323.
  • Column 4: packet
  • Column 5: "command and control":"uncommonly used port"

  • Column 1: Non-Standard Port Use - IRC
  • Column 2: nw60110
  • Column 3: Identifies irc traffic over a port that is not typically used for irc.
  • Column 4: packet
  • Column 5: "command and control":"uncommonly used port"

  • Column 1: Non-Standard Port Use - NetBios
  • Column 2: nw60060
  • Column 3: Identifies netbios traffic over a port that is not typically used for netbios.
  • Column 4: packet
  • Column 5: "command and control":"uncommonly used port"

  • Column 1: Non-Standard Port Use - NNTP
  • Column 2: nw60050
  • Column 3: Identifies nntp traffic over a port that is not typically used for nntp.
  • Column 4: packet
  • Column 5: "command and control":"uncommonly used port"

  • Column 1: Non-Standard Port Use - POP3
  • Column 2: nw60045
  • Column 3: Identifies pop3 traffic over a port that is not typically used for pop3.
  • Column 4: packet
  • Column 5: "command and control":"uncommonly used port"

  • Column 1: Non-Standard Port Use - RIP
  • Column 2: nw60080
  • Column 3: Identifies rip traffic over a port that is not typically used for rip.
  • Column 4: packet
  • Column 5: "command and control":"uncommonly used port"

  • Column 1: Non-Standard Port Use - RPC
  • Column 2: nw60055
  • Column 3: Identifies rpc traffic over a port that is not typically used for rpc.
  • Column 4: packet
  • Column 5: "command and control":"uncommonly used port"

  • Column 1: Non-Standard Port Use - RTP
  • Column 2: nw60100
  • Column 3: Identifies rto traffic over a port that is not typically used for rtp.
  • Column 4: packet
  • Column 5: "command and control":"uncommonly used port"

  • Column 1: Non-Standard Port Use - SIP
  • Column 2: nw60105
  • Column 3: Identifies sip traffic over a port that is not typically used for sip
  • Column 4: packet
  • Column 5: "command and control":"uncommonly used port"

  • Column 1: Non-Standard Port Use - SMB
  • Column 2: nw60065
  • Column 3: Identifies smb traffic over a port that is not typically used for smb.
  • Column 4: packet
  • Column 5: "command and control":"uncommonly used port"

  • Column 1: Non-Standard Port Use - SMTP
  • Column 2: nw60030
  • Column 3: Identifies smtp traffic over a port that is not typically used for smtp.
  • Column 4: packet
  • Column 5: "command and control":"uncommonly used port"

  • Column 1: Non-Standard Port Use - SNMP
  • Column 2: nw60070
  • Column 3: Identifies snmp traffic over a port that is not typically used for snmp.
  • Column 4: packet
  • Column 5: "command and control":"uncommonly used port"

  • Column 1: Non-Standard Port Use - SSH
  • Column 2: nw60025
  • Column 3: Identifies ssh traffic over a port that is not typically used for ssh.
  • Column 4: packet
  • Column 5: "command and control":"uncommonly used port"

  • Column 1: Non-Standard Port Use - SSL
  • Column 2: nw60075
  • Column 3: Identifies ssl traffic over a port that is not typically used for ssl.
  • Column 4: packet
  • Column 5: "command and control":"uncommonly used port"

  • Column 1: Non-Standard Port Use - TDS
  • Column 2: nw60085
  • Column 3: Identifies tds traffic over a port that is not typically used for tds.
  • Column 4: packet
  • Column 5: "command and control":"uncommonly used port"

  • Column 1: Non-Standard Port Use - Telnet
  • Column 2: nw60010
  • Column 3: telnet over ports other than TCP 23
  • Column 4: packet
  • Column 5: "command and control":"uncommonly used port"

  • Column 1: Non-Standard Port Use - TFTP
  • Column 2: nw60040
  • Column 3: Identifies tftp traffic over a port that is not typically used for tftp.
  • Column 4: packet
  • Column 5: "command and control":"uncommonly used port"

  • Column 1: Non-Standard Port Use - TNS
  • Column 2: nw60090
  • Column 3: Identifies tns traffic over a port that is not typically used for tns.
  • Column 4: packet
  • Column 5: "command and control":"uncommonly used port"

  • Column 1: NTDSXTRACT Tool Download
  • Column 2: nw110130
  • Column 3: Detects an internal network session download of NTDSXTRACT. NTDSXTRACT is a tool framework for extracting data from the active directory database file NTDS.DIT.At least one of the network parsers supporting meta of action and filename is required,which may include HTTP, FTP, IRC and NFS.
  • Column 4: packet
  • Column 5: "credential access":"credential dumping"

  • Column 1: NTP DDoS Attack 234-byte Request: Netflow
  • Column 2: nw50032
  • Column 3: 10.4 or higher.Detects UDP/123 traffic with a 234-byte payload over Netflow. This is indicative of an NTP request generated by a monlist command.
  • Column 4: log
  • Column 5: "impact":"network denial of service"

  • Column 1: NTP DDoS Attack 234-byte Request: Packets
  • Column 2: nw50022
  • Column 3: Detects UDP/123 traffic with a 234-byte payload. This is indicative of an NTP request generated by a monlist command.
  • Column 4: packet
  • Column 5: "impact":"network denial of service"

  • Column 1: NTP DDoS Attack 50-byte Request: Netflow
  • Column 2: nw50030
  • Column 3:
  • Column 4: endpoint
  • Column 5: "initial access":"spearphishing attachment"

  • Column 1: Office Application Injects Remote Process
  • Column 2: office_application_injects_remote_process
  • Column 3: A Microsoft Office application injecting a remote process may indicate a spearphishing attachment with a malicious payload. Process injection may enable an attacker to gain access to system resources or elevate privileges.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = office application injects remote process
  • Column 4: endpoint
  • Column 5: "initial access":"spearphishing attachment"

  • Column 1: Office Application Runs BITS
  • Column 2: office_application_runs_bits
  • Column 3: A Microsoft Office application running Background Intelligent Transfer Service (BITS) may indicate a spearphishing attachment with a malicious payload. BITS may be used to exfiltrate data outside the environment.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = office application runs bits
  • Column 4: endpoint
  • Column 5: "initial access":"spearphishing attachment"

  • Column 1: Office Application Runs Command Prompt
  • Column 2: office_application_runs_command_prompt
  • Column 3: A Microsoft Office application running the command prompt may indicate a spearphishing attachment with a malicious payload has been executed.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = office application runs command prompt
  • Column 4: endpoint
  • Column 5: "initial access":"spearphishing attachment"

, ,