
NetWitness Hunting Guide - Page 8

NetWitness Hunting Guide - Appendix: Static Meta Values Continued

| Parser | Meta key | Meta value | Description | Rationale |
|---|---|---|---|---|
| mail.lua | analysis.service | subject phish | Phishing e-mail subject text string match | E-mail communication is a popular vector for malware delivery |
| mail.lua | analysis.service | uncommon mail source | Mail not from popular e-mail organization sources | E-mail communication is a popular vector for malware delivery |
| MSU_rat.lua | ioc | apt MSU RAT | Detects a 13-byte header at the beginning of a request stream utilizing an XOR key | Advanced threat actor campaigns use similar tools, techniques and procedures. The presence of APT indicators of compromise is indicative of active compromise |
| plugx.lua | ioc | apt PlugX | PlugX remote access trojan indicator of compromise | Advanced threat actor campaigns use similar tools, techniques and procedures. The presence of APT indicators of compromise is indicative of active compromise |
| plugx.lua | ioc | apt PlugX possible | Potential PlugX remote access trojan indicator of compromise | Advanced threat actor campaigns use similar tools, techniques and procedures. The presence of APT indicators of compromise is indicative of active compromise |
| poison_ivy.lua | ioc | possible poison ivy beacon | 256-byte beacon utilized by Poison Ivy | Advanced threat actor campaigns use similar tools, techniques and procedures. The presence of APT indicators of compromise is indicative of active compromise |
| poison_ivy.lua | ioc | possible poison ivy handshake | 256-byte authentication exchange utilized by Poison Ivy | Advanced threat actor campaigns use similar tools, techniques and procedures. The presence of APT indicators of compromise is indicative of active compromise |
| rdp.lua | analysis.service | AUTODETECT | Remote Desktop Protocol local connection type Autodetect | Microsoft's Remote Desktop Protocol gives an attacker rapid access to an environment. RDP traffic is commonly abused by attackers. All inbound RDP traffic should be reviewed with priority. |
| rdp.lua | analysis.service | High-Speed Broadband | Remote Desktop Protocol local connection type High-Speed Broadband | Microsoft's Remote Desktop Protocol gives an attacker rapid access to an environment. RDP traffic is commonly abused by attackers. All inbound RDP traffic should be reviewed with priority. |
| rdp.lua | analysis.service | LAN | Remote Desktop Protocol local connection type Local Area Network | Microsoft's Remote Desktop Protocol gives an attacker rapid access to an environment. RDP traffic is commonly abused by attackers. All inbound RDP traffic should be reviewed with priority. |
| rdp.lua | analysis.service | Low-Speed Broadband | Remote Desktop Protocol local connection type Low-Speed Broadband | Microsoft's Remote Desktop Protocol gives an attacker rapid access to an environment. RDP traffic is commonly abused by attackers. All inbound RDP traffic should be reviewed with priority. |
| rdp.lua | analysis.service | Modem | Remote Desktop Protocol local connection type Modem | Microsoft's Remote Desktop Protocol gives an attacker rapid access to an environment. RDP traffic is commonly abused by attackers. All inbound RDP traffic should be reviewed with priority. |
| rdp.lua | analysis.service | Satellite | Remote Desktop Protocol local connection type Satellite | Microsoft's Remote Desktop Protocol gives an attacker rapid access to an environment. RDP traffic is commonly abused by attackers. All inbound RDP traffic should be reviewed with priority. |
| rdp.lua | analysis.service | WAN | Remote Desktop Protocol local connection type Wide Area Network | Microsoft's Remote Desktop Protocol gives an attacker rapid access to an environment. RDP traffic is commonly abused by attackers. All inbound RDP traffic should be reviewed with priority. |
| session_analysis.lua | analysis.session | data push | Only the PSH and ACK flags were seen in the session | In combination with other meta values, could be interesting. |
| session_analysis.lua | analysis.session | first carve | Outbound traffic with two streams and payload greater than zero | Session attribute analysis further processes a dataset for inspection, discarding sessions that may not be useful for an active investigation |
| session_analysis.lua | analysis.session | first carve not dns | Outbound traffic with two streams and payload greater than zero, and not service type 53 | Session attribute analysis further processes a dataset for inspection, discarding sessions that may not be useful for an active investigation |
| session_analysis.lua | analysis.session | first carve not top 20 dst | Outbound traffic with two streams and payload greater than zero, and not a top 20 destination | Session attribute analysis further processes a dataset for inspection, discarding sessions that may not be useful for an active investigation |
| session_analysis.lua | analysis.session | high transmitted outbound | Greater than 4 MB transmitted outbound during the session | Large outbound data streams may be an indicator of active exfiltration |
| session_analysis.lua | analysis.session | host no response | Only the SYN flag was seen in the session. | Client attempted to connect to a server which did not respond. |
| session_analysis.lua | analysis.session | host not listening | Only the SYN and RST, or SYN, RST and ACK flags were seen in the session. | Client attempted to connect to a server on a closed port. |
| session_analysis.lua | analysis.session | icmp large session | Large ICMP sessions | Session attribute analysis further processes a dataset for inspection, discarding sessions that may not be useful for an active investigation |
| session_analysis.lua | analysis.session | medium transmitted outbound | Between 1 MB and 4 MB transmitted outbound during the session | Substantial outbound data streams may be an indicator of active exfiltration |
| session_analysis.lua | analysis.session | outbound syslog | Syslog destined for the internet | Session attribute analysis further processes a dataset for inspection, discarding sessions that may not be useful for an active investigation |
| session_analysis.lua | analysis.session | potential beacon | Sessions assumed to be programmatic, nefarious communications | The presence of a remote access trojan is indicative of active compromise |
| session_analysis.lua | analysis.session | ratio high transmitted | Between 75% and 100% of the session payload transmitted outbound | By examining technical aspects of captured sessions, such as the size and ratio of transmitted vs. received data, analysts attain a clearer view into their network |
| session_analysis.lua | analysis.session | ratio low transmitted | Between 0% and 25% of the session payload transmitted outbound | By examining technical aspects of captured sessions, such as the size and ratio of transmitted vs. received data, analysts attain a clearer view into their network |
| session_analysis.lua | analysis.session | ratio medium transmitted | Between 26% and 74% of the session payload transmitted outbound | By examining technical aspects of captured sessions, such as the size and ratio of transmitted vs. received data, analysts attain a clearer view into their network |
| session_analysis.lua | analysis.session | response no payload | No payload was sent from the server to the client. | Possibly indicative of exfiltration or beaconing. |
| session_analysis.lua | analysis.session | session size 100-250k | A total session size (request plus response payload) in this range may indicate covert communication such as command/control or exfiltration. | (rationale lost in extraction) |
| (parser lost in extraction) | (meta key lost in extraction) | (meta value lost in extraction) | (start of description lost in extraction) ... or two groups of four consecutive consonants or numerals | DNS and domain names can be used for malicious purposes like pointing a Trojan at C2, port calculation, or signaling a malicious action |
| tld.lua | analysis.service | hostname invalid | Hostname violating RFC length and/or character restrictions | DNS and domain names can be used for malicious purposes like pointing a Trojan at C2, port calculation, or signaling a malicious action. |
| tld.lua | analysis.service | suspiciously named domain | Domains that contain google, apple, etc. but do not end with .google.com or .apple.com | DNS and domain names can be used for malicious purposes like pointing a Trojan at C2, port calculation, or signaling a malicious action. |