
What would you call a piece of code or a script that runs on a server and enables remote server administration?  If you answered “Webshell”, you would be correct.  While often used for legitimate administrative purposes, it is also a favored technology used by attackers for illegitimate purposes.  Attackers often infiltrate externally accessible Web servers at their target organizations with Webshells to gain an initial foothold and to set up a waypoint in the organization’s DMZ that supports the eventual exfiltration of data.


Successfully using a Webshell as a key step in a targeted attack largely rests on the fact that most organizations lack sufficient (or often any) visibility into their network sessions, so their ability to detect and understand that something nefarious is going on is extremely limited.  Many organizations still rely on traditional security technologies such as anti-virus, firewalls, and log-centric SIEMs to prevent and detect the use of Webshells and other common attacker techniques and technologies.  Of course, attackers know about such common defensive techniques and respond by hiding their payloads and commands from them.


What should organizations do to combat Webshells (and other hard-to-find attacker technologies in general)?  Increase the depth of their security visibility using technologies that collect relevant data and provide analytics covering all stages of an attack:  Delivery, Exploit & Installation, Command & Control, and Action.


In the particular case of Webshells, full network packet capture, as provided by products such as RSA Security Analytics, provides the primary visibility needed to detect and understand Webshells and the impact they have had.  With full-packet capture, the detection-focused analytic algorithms and the human security analysts alike get maximum visibility into the Webshell’s initial entry vector, its command-and-control (C2) activity, and any data exfiltration that has occurred since the Webshell was successfully installed.


Interested in learning more?  RSA has a new series of content focused on showing organizations how to detect and respond more easily to advanced threats, such as those using Webshells.  The bottom line is that it is critical to deepen your security visibility, or you literally won’t know what hit you.


He can be followed on Twitter @jmatthewg1234


Use cases - ESA Rules

Posted by Ishtiyaq Shah Employee Mar 23, 2016

This space lists some use cases, custom as well as out-of-the-box (Live), and describes their effectiveness and usage in threat monitoring within an enterprise. For each use case the table gives the RSA OOB rule, a description, and the event sources it needs.


1. DNS Amplification (RSA OOB Rule: esa000013)
   Description: Detects when a UDP destination port is 53 and the total size of the network session packets is more than 4000 bytes. Both port and packet size are configurable.
   Event Sources: Network Sessions; Log Events

2. DNS Lookups From the Same Host (RSA OOB Rule: esa000048)
   Description: Detects 50 DNS lookups in 60 seconds from the same IP source. Both the time window and the number of lookups are configurable.
   Event Sources: Network Sessions or Log Events

3. Non-DNS Traffic on UDP Port 53 Containing Executable (RSA OOB Rule: esa000054)
   Description: Detects non-DNS traffic over TCP or UDP destination port 53 containing an executable. You can configure the list of executable file extensions and ports for DNS traffic.
   Event Sources: Network Sessions

4. Rogue DHCP Server Detected (RSA OOB Rule: esa000150)
   Description: Detects traffic sourced on UDP 67/68 that is not a legitimate DHCP server, based on a configurable whitelist of IP addresses.
   Prerequisites for logs: the meta key 'protocol' must be indexed in table-map.xml and index-concentrator-custom.xml.
   Event Sources: List configuration; Network Sessions; Log Events; Threat Intelligence Feeds

5. Client Using Multiple DHCP Servers (RSA OOB Rule: esa000152)
   Description: Detects a connection from a single IP address to 2 or more destination IP addresses on UDP 67 or UDP 68 within 10 minutes. The time period is configurable.
   Prerequisites for logs: the meta key 'protocol' must be indexed in table-map.xml and index-concentrator-custom.xml.
   Event Sources: Network Sessions; Log Events; Threat Intelligence Feeds

6. Direct Login by a Guest Account (RSA OOB Rule: esa000002)
   Description: Detects a successful interactive logon or a successful remote interactive logon to a guest account on a Microsoft Windows host.
   Event Sources: Active Directory Log Events; User Activity logs

7. Direct Login to an Administrative Account (RSA OOB Rule: esa000028)
   Description: Detects a successful interactive logon or a successful remote interactive logon to an administrative account on a Microsoft Windows host.
   Event Sources: Active Directory Log Events; Whitelist; Data Enrichment feeds

8. NTDSXTRACT Tool Download (RSA OOB Rule: esa000142)
   Description: Detects an internal network session download of NTDSXTRACT, a tool framework for extracting data from the Active Directory database file NTDS.DIT. At least one network parser that supports the meta keys 'action' and 'filename' is required. Parsers include HTTP, FTP, IRC and NFS.
   Event Sources: Network Sessions; Active Directory Logs; Out of box Parsers; Threat Intelligence Feed

9. WebSploit Tool Download (RSA OOB Rule: esa000108)
   Description: Detects a WebSploit tool download from sourceforge.net. You must enable an HTTP parser and its dependencies on the Decoder; HTTP_lua is recommended.
   Event Sources: Network Sessions; Out of box Parsers; Threat Intelligence Feed

10. Aggressive Internal Web Portal Scan (RSA OOB Rule: esa000102)
   Description: Detects a single host making connection attempts to 100 or more unique IP addresses in 1 minute over any combination of TCP/80 and TCP/443. Source and destination IPs must be internal addresses according to the RFC-1918 specification. The list of ports, time window, and target host count are configurable.
   Event Sources: Network Sessions; Log Events; Threat Intelligence Feeds

11. BYOD Mobile Web Agent Detected (RSA OOB Rule: esa000117)
   Description: Detects a web-browsing agent for a mobile device. To configure the rule, specify the list of unauthorized browser agents and remove any mobile agents that are authorized from the list. The rule is triggered when an employee uses an unauthorized device on the network. In addition to the list of unauthorized browser agents, the following parameters are also configurable: the number of connections allowed per source before the alert is triggered (default 1), and the time window within which the unauthorized use takes place (default 600 seconds).
   Event Sources: Web proxy/Server Log Events; Whitelist User Agents; Enable extended web logs on Web server; Data Enrichment feeds; Network Session; Event Log data

12. Aggressive Internal Database Scan (RSA OOB Rule: esa000104)
   Description: Detects a single host making connection attempts to 100 or more unique IP addresses within 1 minute over any combination of the following ports: TCP/1433, UDP/1434, TCP/3306, TCP/5432, TCP/3351, TCP/1521. Source and destination IP addresses must be internal addresses according to the RFC-1918 specification. The time window, list of port numbers and target host count are configurable.
   Event Sources: Network Sessions; DB Audit Logs; Out of box Parsers; Threat Intelligence Feed; List of known DB servers

13. Insider Threat Mass Audit Clearing (RSA OOB Rule: esa000116)
   Description: Detects when the same user logs on multiple times to multiple Windows machines, then clears the audit log on each machine within a configurable time frame.
   Event Sources: Web proxy/Server Log Events; Whitelist User Agents; Enable extended web logs on Web server; Data Enrichment feeds; Network Session; Event Log data

14. Internal Data Posting to 3rd Party Sites (RSA OOB Rule: esa000089)
   Description: Detects when an internal IP address A receives more than 5 MB of data from internal IP address B and then, within the specified time interval, IP address A posts data to external third-party sites.
   Event Sources: Network Flow; Network Session; User activity Logs; FTP parsers; Threat intelligence; White and black list of approved FTP domains

15. Low Orbit Ion Cannon DoS Tool Download (RSA OOB Rule: esa000107)
   Description: Detects a Low Orbit Ion Cannon DoS tool download from sourceforge.net. You must enable an HTTP parser and its dependencies on the Decoder; HTTP_lua is recommended.
   Event Sources: Network Session; Event Logs

16. Stealth Email Use with Large Session (RSA OOB Rule: esa000128)
   Description: Detects a session larger than 1 MB to the following stealth mail services:
   Stealth Email - https://stealth-email.com/
   Hush Mail - https://www.hushmail.com/
   Neomailbox - https://www.neomailbox.com
   Cryptoheaven - https://www.cryptoheaven.com
   S-mail - https://mail.s-mail.com/
   The minimum session size, number of connections, and time window are configurable.
   Event Sources: Network Sessions; Mail Server Audit Logs; Out of box Parsers; Threat Intelligence Feed; List of approved mail server domains
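Several of the rules above are threshold counts over network-session meta (esa000013's "UDP/53 and more than 4000 bytes", esa000102's and esa000104's "100 unique internal hosts in one minute"). The following Python is an added illustration of that logic, not the ESA rules or their EPL; the Session record and the sample traffic are constructed stand-ins for NetWitness session meta, and the sliding-window scan detector is parameterised so the same function covers both the web-portal and the database port lists.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Session:            # constructed stand-in for network-session meta
    time: float           # session start, epoch seconds
    src: str              # ip.src
    dst: str              # ip.dst
    proto: str            # "tcp" or "udp"
    dport: int            # destination port
    size: int             # total bytes in the session

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB_PORTS = {("tcp", 80), ("tcp", 443)}                                  # esa000102
DB_PORTS = {("tcp", 1433), ("udp", 1434), ("tcp", 3306), ("tcp", 5432),  # esa000104
            ("tcp", 3351), ("tcp", 1521)}

def is_internal(ip):
    return any(ip_address(ip) in net for net in RFC1918)

def dns_amplification(s, port=53, min_size=4000):
    """esa000013: UDP to port 53 with a session larger than min_size bytes."""
    return s.proto == "udp" and s.dport == port and s.size > min_size

def scan_alerts(sessions, ports=WEB_PORTS, window=60, min_hosts=100):
    """esa000102/esa000104 as a sliding window: one alert per internal source that
    reaches min_hosts distinct internal destinations on `ports` within `window` s."""
    recent, alerts, alerted = defaultdict(deque), [], set()
    for s in sorted(sessions, key=lambda x: x.time):
        if (s.proto, s.dport) not in ports or not (is_internal(s.src) and is_internal(s.dst)):
            continue
        q = recent[s.src]
        q.append((s.time, s.dst))
        while s.time - q[0][0] > window:      # expire events outside the window
            q.popleft()
        if len({d for _, d in q}) >= min_hosts and s.src not in alerted:
            alerted.add(s.src)
            alerts.append((s.src, s.time))
    return alerts

def demo():
    # Constructed traffic: one host sweeping 120 internal web servers in 30 s,
    # one host browsing 5 internal sites, and one oversized UDP/53 session.
    sweep = [Session(1000 + i * 0.25, "10.1.1.5", f"10.2.0.{i + 1}", "tcp", 80 if i % 2 else 443, 300)
             for i in range(120)]
    benign = [Session(1000 + i * 10, "10.1.1.9", f"10.2.0.{i + 1}", "tcp", 443, 8000) for i in range(5)]
    dns = Session(1001, "10.1.1.9", "203.0.113.10", "udp", 53, 5200)
    return scan_alerts(sweep + benign + [dns]), dns_amplification(dns)
```

Running `demo()` raises exactly one scan alert, for the sweeping host at the moment it reaches its 100th distinct destination, while the five-site browser stays silent; passing `ports=DB_PORTS` applies the same window to the database scan rule.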

Lateral movement is a part of the kill chain. After an attack has given the adversary entry into a company’s internal environment, lateral movement is the process of elevating credentials and gaining access to additional internal systems. This document describes a package of content that contains a set of rules to monitor Windows systems for lateral movement.
