RSA Application Rules- 8

• Column 1: Process Redirects to STDOUT or STDERR
• Column 2: process_redirects_to_stdout_or_stderr
• Column 3: This will return any process event that contains the launch arguments '2>&1' which will redirect STDOUT and STDERR.
  
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 (Investigation Only)
  * NetWitness Platform 11.4 and higher (Full Support)
  
  DEPENDENCIES
  * NetWitness Endpoint Server
  
  GENERATED META KEYS
  * boc = process redirects to stdout or stderr
• Column 4: endpoint
• Column 5: "execution":""

• Column 1: Proxy Anonymous Services
• Column 2: nw110065
• Column 3: Detects use of common proxy services using a list of domains matched against the alias host meta key. Use of an HTTP network parser is required.
• Column 4: log, packet
• Column 5: "command and control":"connection proxy"

• Column 1: Proxy Client Download
• Column 2: nw110070
• Column 3: Detects proxy client file downloads by looking for the file name and extension within the filename meta key. Use of an HTTP network parser is required.
• Column 4: log, packet
• Column 5: "":""

• Column 1: Psexesvc Runs Powershell
• Column 2: psexesvc_runs_powershell
• Column 3: Psexesvc running powershell can be an indication of someone trying to execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. These techniques can also be used to maintain persistence or for privilege escalation.
  
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  
  DEPENDENCIES
  * NetWitness Endpoint Server
  
  GENERATED META KEYS
  * boc = psexesvc runs powershell
• Column 4: endpoint
• Column 5: "execution":"service execution"

• Column 1: Psexesvc Runs Scripting Engine
• Column 2: psexesvc_runs_scripting_engine
• Column 3: Psexesvc running scripting engine can be an indication of someone trying to execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. These techniques can also be used to maintain persistence or for privilege escalation
  
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  
  DEPENDENCIES
  * NetWitness Endpoint Server
  
  GENERATED META KEYS
  * boc = psexesvc runs scripting engine
• Column 4: endpoint
• Column 5: "execution":"service execution"

• Column 1: Psexesvc Runs Shell Commands
• Column 2: psexesvc_runs_shell_commands
• Column 3: Psexesvc running shell commands can be an indication of someone trying to execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. These techniques can also be used to maintain persistence or for privilege escalation
  
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  
  DEPENDENCIES
  * NetWitness Endpoint Server
  
  GENERATED META KEYS
  * boc = psexesvc runs shell commands
• Column 4: endpoint
• Column 5: "execution":"service execution"

• Column 1: qq download client
• Column 2: nw02615
• Column 3: detects download of the QQ chinese instant messaging client.
• Column 4: log, packet
• Column 5: "":""

• Column 1: Queries Cached Kerberos Tickets
• Column 2: queries_cached_kerberos_tickets
• Column 3: Querying cached kerberos tickets can be attempt to obtain account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
  
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  
  DEPENDENCIES
  * NetWitness Endpoint Server
  
  GENERATED META KEYS
  * analysis.file = queries cached kerberos tickets
• Column 4: endpoint
• Column 5: "credential access":"credential dumping"

• Column 1: Queries Processes On Local System
• Column 2: queries_processes_on_local_system
• Column 3: Processing queries on local system can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.
  
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  
  DEPENDENCIES
  * NetWitness Endpoint Server
  
  GENERATED META KEYS
  * analysis.file = queries processes on local system
• Column 4: endpoint
• Column 5: "discovery":"process discovery"

• Column 1: Queries Processes On Remote System
• Column 2: queries_processes_on_remote_system
• Column 3: Processing queries on remote system can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.
  
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  
  DEPENDENCIES
  * NetWitness Endpoint Server
  
  GENERATED META KEYS
  * boc = queries processes on remote system
• Column 4: endpoint
• Column 5: "discovery":"process discovery"

• Column 1: Queries Registry Using Command-Line Registry Tool
• Column 2: queries_registry_using_command-line_registry_tool
• Column 3: Querying registry using command-line registry tool can be an indication of adversaries trying to interact with the Windows Registry to gather information about the system, configuration, and installed software.
  
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  
  DEPENDENCIES
  * NetWitness Endpoint Server
  
  GENERATED META KEYS
  * analysis.file = queries registry using command-line registry tool
• Column 4: endpoint
• Column 5: "discovery":"query registry"

• Column 1: Queries Terminal Sessions
• Column 2: queries_terminal_sessions
• Column 3: Querying terminal sessions can be an indication of someone trying to discover potential attack vectors in the system , and the same can be used for further exploitation of the system
  
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  
  DEPENDENCIES
  * NetWitness Endpoint Server
  
  GENERATED META KEYS
  * analysis.file = queries terminal sessions
• Column 4: endpoint
• Column 5: "discovery":"system owner/user discovery"

• Column 1: Queries Users Logged On Local System
• Column 2: queries_users_logged_on_local_system
• Column 3: Querying users logged on local system can be an indication of someone trying to discover potential attack vectors in the system , and the same can be used for further exploitation of the system.
  
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  
  DEPENDENCIES
  * NetWitness Endpoint Server
  
  GENERATED META KEYS
  * boc = queries users logged on local system
• Column 4: endpoint
• Column 5: "discovery":"system owner/user discovery"

• Column 1: Queries Users Logged On Remote System
• Column 2: queries_users_logged_on_remote_system
• Column 3: Querying users logged on remote system can be an indication of someone trying to discover potential attack vectors in the system , and the same can be used for further exploitation of the system.
  
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  
  DEPENDENCIES
  * NetWitness Endpoint Server
  
  GENERATED META KEYS
  * boc = queries users logged on remote system
• Column 4: endpoint
• Column 5: "discovery":"system owner/user discovery"

• Column 1: RDP Launching Loopback Address
• Column 2: rdp_launching_loopback_address
• Column 3: This rule detects an attempt to setup RDP over an SSH tunnel. A compromised system could be using localhost to forward an RDP session to itself for use by an attacker.
  
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 (Investigation Only)
  * NetWitness Platform 11.4 and higher (Full Support)
  
  DEPENDENCIES
  * NetWitness Endpoint Server
  
  GENERATED META KEYS
  * boc = rdp launching loopback address
• Column 4: endpoint
• Column 5: "lateral movement":"remote desktop protocol"

• Column 1: RDP over Non-Standard Port
• Column 2: nw110050
• Column 3: Detects an RDP session over a non-standard port.
• Column 4: packet
• Column 5: "command and control":"uncommonly used port"

• Column 1: Record Screen Captures Using PSR Tool
• Column 2: record_screen_captures_using_psr_tool
• Column 3: Recording screen captures using PSR tool can be an indicator of an adversaries attempting to take screen captures of the desktop to gather information over the course of an operation.
  
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  
  DEPENDENCIES
  * NetWitness Endpoint Server
  
  GENERATED META KEYS
  * boc = record screen captures using psr tool
• Column 4: endpoint
• Column 5: "collection":"screen capture"

• Column 1: Registers Shim Database
• Column 2:
• Column 3: endpoint
• Column 4: "execution":"regsvr32"

• Column 1: Regsvr32 Runs Powershell
• Column 2: regsvr32_runs_powershell
• Column 3: Regsvr32.exe is a command-line program used to register and unregister object linking such as dynamic link libraries (DLLs), on Windows systems. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools.
  
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  
  DEPENDENCIES
  * NetWitness Endpoint Server
  
  GENERATED META KEYS
  * boc = regsvr32 runs powershell
• Column 4: endpoint
• Column 5: "execution":"regsvr32"

• Column 1: Regsvr32 Runs Rundll32
• Column 2: regsvr32_runs_rundll32
• Column 3: Regsvr32.exe is a command-line program used to register and unregister object linking such as dynamic link libraries (DLLs), on Windows systems. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. This rule detects unusual behavior in the form of registration and run of a DLL in the same command.
  
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  
  DEPENDENCIES
  * NetWitness Endpoint Server
  
  GENERATED META KEYS
  * boc = regsvr32 runs rundll32
• Column 4: endpoint
• Column 5: "execution":"regsvr32"

• Column 1: Regsvr32 Writes Executable
• Column 2: regsvr32_writes_executable
• Column 3: Regsvr32.exe is a command-line program used to register and unregister object linking such as dynamic link libraries (DLLs), on Windows systems. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. Regsvr32 writing an executable could indicate delivery of a backdoor to the system.
  
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 and higher
  
  DEPENDENCIES
  * NetWitness Endpoint Server
  
  GENERATED META KEYS
  * boc = regsvr32 writes executable
• Column 4: endpoint
• Column 5: "execution":"regsvr32"

• Column 1: Remote Control Client Website
• Column 2: nw110075
• Column 3: Detects use of common remote client download sites. It uses a list of domains matched against the alias host meta key. Use of an HTTP network parser is required.
• Column 4: log, packet
• Column 5: "persistence":"external remote services", "initial access":"external remote services"

• Column 1: Remote Directory Traversal
• Column 2: remote_directory_traversal
• Column 3: Adversary can enumerate remote share directory and files. This can be used for reconnaissance, discovery and collection.
  
  VERSIONS SUPPORTED
  * NetWitness Platform 11.3 (Investigation Only)
  * NetWitness Platform 11.4 and higher (Full Support)
  
  DEPENDENCIES
  * NetWitness Endpoint Server
  
  GENERATED META KEYS
  * boc = remote directory traversal
• Column 4: endpoint
• Column 5: "discovery":"file and directory discovery"

• Column 1: Remote Thread into LSASS
• Column 2: remote_thread_into_lsass
• Column 3: Detects when a process creates remote thread into target process of LSASS. This is detected through sysmon logs and indicates probable credential dumping.
  
  DEPENDENCIES
  Log Parsers:
  * At least one of the Windows log device parsers
  Feeds:
  * Investigation
  
  GENERATED META KEYS
  * ioc = remote thread into lsass
  * inv.category = identity, threat
  * inv.context = attack phase ,