NetWitness Hunting Guide - Page 7
NetWitness Hunting Guide - Appendix: Static Meta Values Continued
| Parser | Meta Key | Meta Value | Description | Rationale |
|---|---|---|---|---|
| http.lua | analysis.service | http three headers | Sessions with three HTTP headers | Attackers and malware authors try to blend in with regular network communications. Distinguishing interactive sessions from mechanical sessions aids in identifying a malware behavior's bidirectional communications. |
| http.lua | analysis.service | http two headers | Sessions with two HTTP headers | Attackers and malware authors try to blend in with regular network communications. Distinguishing interactive sessions from mechanical sessions aids in identifying a malware behavior's bidirectional communications. |
| http.lua | analysis.service | http uncommon origin schema | URL in the Origin header does not begin with http:// or https:// | Could indicate a possible malicious redirect. |
| http.lua | analysis.service | http webshell | Inbound HTTP session with characteristics of webshell activity | Webshells can be configured to use any of the HTTP methods to execute commands, and the commands themselves can be carried in HTTP headers, the URL or the body of a POST request, among other places. |
| http.lua | analysis.service | http webshell error | Inbound HTTP session with characteristics of webshell activity resulting in a non-200 server response | Webshells can be configured to use any of the HTTP methods to execute commands, and the commands themselves can be carried in HTTP headers, the URL or the body of a POST request, among other places. |
| http.lua | analysis.service | http webshell no error | Inbound HTTP session with characteristics of webshell activity resulting in a 200 server response | Webshells can be configured to use any of the HTTP methods to execute commands, and the commands themselves can be carried in HTTP headers, the URL or the body of a POST request, among other places. |
| http.lua | analysis.service | http wget direct to ip | The wget application retrieving a resource from an IP address rather than a hostname | User-agent analysis helps distinguish interactive sessions from mechanical sessions and aids in identifying a malware behavior's bidirectional communications. |
| http.lua | analysis.service | http with base64 | HTTP with Base64-encoded data in the body | This is a common technique to obfuscate binary or cleartext data being sent back to a command and control channel. |
| http.lua | analysis.service | http with binary | HTTP with binary data in the body | This is a common technique to obfuscate data being sent back to a command and control channel. |
| http.lua | analysis.service | watchlist file extension | Extension watchlist | These executable extensions are commonly used with malware. For example, .exe, .php, .zip |
| http.lua | analysis.service | watchlist file fingerprint | File type watchlist | These executable file formats are commonly used in malware. For example, Windows executables and JARs |
| http.lua | analysis.service | websocket | WebSocket session | Some customers need to examine WebSocket traffic. |
| http.lua | ioc | apache struts CVE-2017-12611 attempt | The vulnerability is due to the unsafe use of writable expression values in Freemarker content that is processed by the affected application. | Remote code execution allows an attacker to gain access to and control of the victim machine. |
| http.lua | ioc | apache struts exploit attempt | An attempt to exploit Apache Struts vulnerability CVE-2017-5638 has been detected. | Remote code execution allows an attacker to gain access to and control of the victim machine. |
| http.lua | ioc | apt ActiveMonk UA | Known bad user-agent local string match, "Mozilla/4%.0 (compatible; MSIE 6%.0; Windows NT 5%.1; SV1; Maxthon; TERA" | Advanced threat actor campaigns use similar tools, techniques and procedures. The presence of known APT IoCs is indicative of compromise. |
| http.lua | ioc | apt Deep Panda C2 | Known threat actor "Deep Panda" command and control indicators of compromise | Advanced threat actor campaigns use similar tools, techniques and procedures. The presence of APT indicators of compromise is indicative of active compromise. |
| http.lua | ioc | apt Foxy RAT | Foxy remote access trojan indicator of compromise | Advanced threat actor campaigns use similar tools, techniques and procedures. The presence of known APT IoCs is indicative of compromise. |
| http.lua | ioc | apt Lurid RAT | Lurid remote access trojan indicator of compromise | Advanced threat actor campaigns use similar tools, techniques and procedures. The presence of APT indicators of compromise is indicative of active compromise. |
| http.lua | ioc | apt MiniASP | MiniASP remote access trojan indicator of compromise | Advanced threat actor campaigns use similar tools, techniques and procedures. The presence of APT indicators of compromise is indicative of active compromise. |
| http.lua | ioc | apt NetTravler RAT | NetTraveler remote access trojan indicator of compromise | Advanced threat actor campaigns use similar tools, techniques and procedures. The presence of known APT IoCs is indicative of compromise. |
| http.lua | ioc | apt NFlog Rat | Known bad user-agent indicator. User-agent local string, "www" | Advanced threat actor campaigns use similar tools, techniques and procedures. The presence of known APT IoCs is indicative of compromise. |
| http.lua | ioc | apt NFlog Rat | NFLog remote access trojan indicator of compromise | Advanced threat actor campaigns use similar tools, techniques and procedures. The presence of known APT IoCs is indicative of compromise. |
| http.lua | ioc | apt PhotoASP RAT | Known bad user-agent local string match ("Mozilla/4.0") paired with no referrer and a filename of "PHOTO.ASP" | Advanced threat actor campaigns use similar tools, techniques and procedures. The presence of known APT IoCs is indicative of compromise. |
| http.lua | ioc | apt PNG Rat | Known bad user-agent indicator. User-agent local string, "Windows+NT+5.1" | Advanced threat actor campaigns use similar tools, techniques and procedures. The presence of known APT IoCs is indicative of compromise. |
| http.lua | ioc | apt Sykipot Rat | Known bad user-agent indicator. User-agent local string, "HTTP-GET" | Advanced threat actor campaigns use similar tools, techniques and procedures. The presence of known APT IoCs is indicative of compromise. |
| http.lua | ioc | apt WebC2 CS | Known bad user-agent local string match ("Win32") coupled with a unique query identifier | Advanced threat actor campaigns use similar tools, techniques and procedures. The presence of known APT IoCs is indicative of compromise. |
| http.lua | ioc | apt ZipToken UA Post | Known bad user-agent local string match ("HttpBrowser/1.0") coupled with the POST method | Advanced threat actor campaigns use similar tools, techniques and procedures. The presence of known APT IoCs is indicative of compromise. |
| http.lua | ioc | Crimeware Black Hole Exploit Kit | Black Hole exploit kit indicator of compromise | The presence of an exploit kit is indicative of potential compromise. |
| http.lua | ioc | Crimeware Zeus | Zeus indicators of compromise | The presence of crimeware is indicative of active infection. |
| http.lua | ioc | Crimeware Zeus Knownbad | Known Zeus indicators of compromise | The presence of crimeware is indicative of active infection. |
| http.lua | ioc | http tunnel rat | HTTP Tunnel remote access trojan indicator of compromise | The presence of a remote access trojan is indicative of active compromise. |
| http.lua | ioc | java exe | Outbound Java Virtual Machine web requests for a Windows executable | The Java Virtual Machine is a popular vector for malware delivery. All outbound JVM and GET methods should be analyzed. |
| http.lua | ioc | java pdf | Outbound Java Virtual Machine web requests for a PDF file | The Java Virtual Machine is a popular vector for malware delivery. All outbound JVM and GET methods should be analyzed. |
| http.lua | ioc | Known Bad File Name | Known bad filename watchlist | Malicious filenames used in previous attack campaigns that can be indicative of active compromise. |
| http.lua | ioc | Known Bad UA CredentialLeak | Known bad user-agent indicator. User-agent local string | |