Skip to content
  • There are no suggestions because the search field is empty.

RSA Application Rules- 9

  • Column 1: Runs Network Connectivity Tool
  • Column 2: runs_network_connectivity_tool
  • Column 3: Running network connectivity tool can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = runs network connectivity tool
  • Column 4: endpoint
  • Column 5: "discovery":"remote system discovery"

  • Column 1: Runs One Letter Executable
  • Column 2: runs_one_letter_executable
  • Column 3: A single letter file can be a potential indicator of malware or an attacker tool. When an attacker has remote access to a machine, they want to limit the amount of typing needed and will at times name a script or program to a single letter to allow quicker access.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = runs one letter executable
  • Column 4: endpoint
  • Column 5: "execution":""

  • Column 1: Runs One Letter Script
  • Column 2: runs_one_letter_script
  • Column 3: A single letter file can be a potential indicator of malware or an attacker tool. When an attacker has remote access to a machine, they want to limit the amount of typing needed and will at times name a script or program to a single letter to allow quicker access.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = runs one letter script
  • Column 4: endpoint
  • Column 5: "execution":"scripting"

  • Column 1: Runs Ping
  • Column 2: runs_ping
  • Column 3: Ping is used to see if a host is reachable on a network.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = runs ping
  • Column 4: endpoint
  • Column 5: "discovery":"system network connections discovery"

  • Column 1: Runs Powershell
  • Column 2: runs_powershell
  • Column 3: Common cyber criminals and targeted attackers heavily use PowerShell, as its flexibility makes it an ideal attack tool for windows based systems. Running powershell can be an indication of someone trying to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = runs powershell
  • Column 4: endpoint
  • Column 5: "execution":"powershell"

  • Column 1: Runs Powershell Bypassing Execution Policy
  • Column 2: runs_powershell_bypassing_execution_policy
  • Column 3: Running powershell bypassing execution policy will ignore the execution policy restrictions to run commands to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = runs powershell bypassing execution policy
  • Column 4: endpoint
  • Column 5: "execution":"powershell"

  • Column 1: Runs Powershell Decoding Base64 String
  • Column 2: runs_powershell_decoding_base64_string
  • Column 3: Running powershell decoding base64 string can be an indication of someone trying to obfuscate malicious commands to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = runs powershell decoding base64 string
  • Column 4: endpoint
  • Column 5: "execution":"powershell"

  • Column 1: Runs Powershell Defining Function
  • Column 2: runs_powershell_defining_function
  • Column 3: Running powershell defining functions can be an indication of someone trying to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = runs powershell defining function
  • Column 4: endpoint
  • Column 5: "execution":"powershell"

  • Column 1: Runs Powershell Downloading Content
  • Column 2: runs_powershell_downloading_content
  • Column 3: Attackers mainly use PowerShell as a downloader on windows based systems. Running powershell downloading content can be an indication of someone trying to download malicious payloads from internet to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = runs powershell downloading content
  • Column 4: endpoint
  • Column 5: "execution":"powershell"

  • Column 1: Runs Powershell Invoke-Mimikatz Function
  • Column 2: runs_powershell_invoke-mimikatz_function
  • Column 3: Mimikatz has become an extremely effective attack tool against Windows clients. Running powershell Invoke-Mimikatz function is an indication of someone trying to use Mimikatz to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * ioc = runs powershell invoke-mimikatz function
  • Column 4: endpoint
  • Column 5: "execution":"powershell"

  • Column 1: Runs Powershell Memory Stream Function
  • Column 2: runs_powershell_memory_stream_function
  • Column 3: Running powershell memory stream function can be an indication of someone trying to execute malicious I/O commands to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = runs powershell memory stream function
  • Column 4: endpoint
  • Column 5: "execution":"powershell"

  • Column 1: Runs Powershell ShellExecute Function
  • Column 2: runs_powershell_shellexecute_function
  • Column 3: Running powershell ShellExecute function can be an indication of someone trying to execute malicious shell code to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = runs powershell shellexecute function
  • Column 4: endpoint
  • Column 5: "execution":"powershell"

  • Column 1: Runs Powershell Using Encoded Command
  • Column 2: runs_powershell_using_encoded_command
  • Column 3: Running powershell using encoded command can be an indication of someone trying to obfuscate malicious commands to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = runs powershell using encoded command
  • Column 4: endpoint
  • Column 5: "execution":"powershell"

  • Column 1: Runs Powershell Using Environment Variables
  • Column 2: runs_powershell_using_environment_variables
  • Column 3: Running powershell using environment variables can be an indication of someone trying to run malicious commands with particular variables like path to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = runs powershell using environment variables
  • Column 4: endpoint
  • Column 5: "execution":"powershell"

  • Column 1: Runs Powershell With Hidden Window
  • Column 2: runs_powershell_with_hidden_window
  • Column 3: Running powershell with hidden window can be an indication of someone trying to run malicious commands in stealth mode so that powershell window is not visible to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = runs powershell with hidden window
  • Column 4: endpoint
  • Column 5: "execution":"powershell"

  • Column 1: Runs Powershell With HTTP Argument
  • Column 2: runs_powershell_with_http_argument
  • Column 3: Running powershell with HTTP argument can be an indication of someone trying to connect and render malicious commands/downloaders from internet, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = runs powershell with http argument
  • Column 4: endpoint
  • Column 5: "execution":"powershell"

  • Column 1: Runs Ps
  • Column 2: runs_ps
  • Column 3: Can be used to access process status information.

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * analysis.file = runs ps
  • Column 4: endpoint
  • Column 5: "discovery":"process discovery"

  • Column 1: Runs PSEXEC On Remote System And Silently Accepts User License
  • Column 2: runs_psexec_on_remote_system_and_silently_accepts_user_license
  • Column 3: Running PSEXEC on remote system and silently accepting user license can be an indication of someone trying to execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. These techniques can also be used to maintain persistence or for privilege escalation

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = runs psexec on remote system and silently accepts user license
  • Column 4: endpoint
  • Column 5: "execution":"service execution"

  • Column 1: Runs PSEXEC On Remote System As SYSTEM User
  • Column 2: runs_psexec_on_remote_system_as_system_user
  • Column 3: Running PSEXEC on remote system as SYSTEM user can be an indication of someone trying to execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. These techniques can also be used to maintain persistence or for privilege escalation

    VERSIONS SUPPORTED
    * NetWitness Platform 11.3 and higher

    DEPENDENCIES
    * NetWitness Endpoint Server

    GENERATED META KEYS
    * boc = runs psexec on remote system as system user
  • Column 4: endpoint
  • Column 5: "execution":"service execution"

  • Column 1: Runs Registry Tool
  • Column 2: runs_registry_tool
  • Column 3: Running the registry tool can be an indication of malware changing settings>                                                                           ,>BACK                                                                                                                                                                NEXT,