
RSA Application Rule - 7

  • Column 1: Office Application Runs Powershell
  • Column 2: office_application_runs_powershell
  • Column 3: A Microsoft Office application running powershell may indicate a spearphishing attachment with a malicious payload has been executed.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = office application runs powershell
  • Column 4: endpoint
  • Column 5: "initial access":"spearphishing attachment"

  • Column 1: Office Application Runs Scripted FTP
  • Column 2: office_application_runs_scripted_ftp
  • Column 3: A Microsoft Office application running scripted FTP may indicate a spearphishing attachment with a malicious payload. FTP may be used to exfiltrate data outside the environment.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = office application runs scripted ftp
  • Column 4: endpoint
  • Column 5: "initial access":"spearphishing attachment"

  • Column 1: Office Application Runs Scripting Engine
  • Column 2: office_application_runs_scripting_engine
  • Column 3: A Microsoft Office application running a scripting engine may indicate a spearphishing attachment with a malicious payload has been executed.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = office application runs scripting engine
  • Column 4: endpoint
  • Column 5: "initial access":"spearphishing attachment"

  • Column 1: Office Application Runs Task Scheduler
  • Column 2: office_application_runs_task_scheduler
  • Column 3: A Microsoft Office application running a job or scheduling a task may indicate a spearphishing attachment with a malicious payload.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = office application runs task scheduler
  • Column 4: endpoint
  • Column 5: "initial access":"spearphishing attachment"

  • Column 1: Office Application Runs WMI Scripting Engine
  • Column 2: office_application_runs_wmi_scripting_engine
  • Column 3: A Microsoft Office application running Windows Management Instrumentation (WMI) may indicate a spearphishing attachment with a malicious payload.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = office application runs wmi scripting engine
  • Column 4: endpoint
  • Column 5: "initial access":"spearphishing attachment"

  • Column 1: Office Application Writes Executable
  • Column 2: office_application_writes_executable
  • Column 3: A Microsoft Office application writing an executable may indicate a spearphishing attachment with a malicious payload.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = office application writes executable
  • Column 4: endpoint
  • Column 5: "initial access":"spearphishing attachment"

  • Column 1: Only ACK Flag Set in Session Containing Payload
  • Column 2: nw30005
  • Column 3: Alerts when sessions containing payload have only the ACK flag set.
  • Column 4: packet
  • Column 5: "impact":"endpoint denial of service"

  • Column 1: Opens Browser Process
  • Column 2: opens_browser_process
  • Column 3: When a file not digitally signed by Apple opens a browser process, it might indicate an adversary's effort at process injection into the browser.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = opens browser process
  • Column 4: endpoint
  • Column 5: "collection":"man in the browser"

  • Column 1: Opens OS Process
  • Column 2: opens_os_process
  • Column 3: This may indicate process injection, which is a method of executing arbitrary code in the address space of a separate live process. Execution via process injection may also evade detection by security products, since the execution is masked under a legitimate process.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = opens os process
  • Column 4: endpoint
  • Column 5: "defense evasion":"process injection", "privilege escalation":"process injection"

  • Column 1: Opens Process
  • Column 2: opens_process
  • Column 3: This may indicate process injection, which is a method of executing arbitrary code in the address space of a separate live process. Execution via process injection may also evade detection by security products, since the execution is masked under a legitimate process.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = opens process
  • Column 4: endpoint
  • Column 5: "defense evasion":"process injection", "privilege escalation":"process injection"

  • Column 1: OS Process Runs Command Shell
  • Column 2: os_process_runs_command_shell
  • Column 3: This rule will return any filtered Windows OS process launching either 'cmd.exe' or 'powershell.exe'.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 (Investigation Only)
    * NetWitness Platform 11.4 and higher (Full Support)

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = os process runs command shell
  • Column 4: endpoint
  • Column 5: "execution":"powershell", "execution":"command-line interface"

  • Column 1: Outbound from Unsigned AppData Directory
  • Column 2: outbound_from_unsigned_appdata_directory
  • Column 3: This rule will return any unsigned, filtered file name whose source is a Windows "AppData" directory and that establishes an outbound network connection.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 (Investigation Only)
    * NetWitness Platform 11.4 and higher (Full Support)

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = outbound from unsigned appdata directory
  • Column 4: endpoint
  • Column 5: "command and control":""

  • Column 1: Outbound from Unsigned Temporary Directory
  • Column 2: outbound_from_unsigned_temporary_directory
  • Column 3: This rule will return any unsigned, filtered file name whose source is a Windows "Temp" directory and that establishes an outbound network connection.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 (Investigation Only)
    * NetWitness Platform 11.4 and higher (Full Support)

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = outbound from unsigned temporary directory
  • Column 4: endpoint
  • Column 5: "command and control":""

  • Column 1: Outbound from Windows Directory
  • Column 2: outbound_from_windows_directory
  • Column 3: This rule will return any unsigned, filtered file name whose source is the Windows root directory and that establishes an outbound network connection.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 (Investigation Only)
    * NetWitness Platform 11.4 and higher (Full Support)

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = outbound from windows directory
  • Column 4: endpoint
  • Column 5: "command and control":""

  • Column 1: Outbound MS Outlook PFF file
  • Column 2: nw110085
  • Column 3: Detects outbound MS Outlook PFFs (Personal Folder Files). It does not differentiate between the type of PFF (e.g. .pst, .ost, .pab). NOTE: This depends on the Lua parser fingerprint_pff.lua for detecting the PFF file type. This parser needs to be enabled in order for this rule to work.
  • Column 4: log, packet
  • Column 5: "exfiltration":""

  • Column 1: Outbound Session Greater Than 1GB
  • Column 2: outbound_session_greater_than_1gb
  • Column 3: Detects and generates meta after a session with a high percentage of payload transmitted outbound reaches 1GB, 2GB and 3GB.

    VERSIONS SUPPORTED
    * 10.5 and higher

    CONFIGURATION
    By default, the Decoder's capture buffer size is 32MB. If you ha , then you may need to tune the condition for session.split within the rule. Once a session exceeds the capture buffer size, it is split into a separate session. On each split session, a meta value called session.split is generated, which is incremented by a count of 1 with each new session. The default setting for the Decoder capture buffer size may be found through the NetWitness Suite UI > Administration > Services > Explore > decoder > config > capture.buffer.size.

    DEPENDENCIES
    Lua Parsers:
    * traffic_flow
    * session_analysis

    GENERATED META KEYS
    * boc = outbound session greater than 1gb
  • Column 4: packet
  • Column 5: "exfiltration":""