Ahmed Sonbol

What kind of meta is generated for commodity malware?

Blog Post created by Ahmed Sonbol Employee on Nov 30, 2016

Every week RSA FirstWatch collects hundereds of indicators of compromise from running different kinds of malware samples. They are used to update the following feeds on Live:

  • RSA FirstWatch Command and Control Domains
  • RSA FirstWatch Command and Control IPs


Those binaries are often referred to as commodity malware. They are not tied to an actor or a targeted campaign. Thus our team doesn’t use any specific meta values to tag them. In this blog post we will discuss how to find those IOCs using RSA NetWitness.

Let’s take Sality for example, a malware family that has been around for a very long time. Below is a screenshot that shows a Sality sample beaconing to its Command and Control server:


Recently we blogged about Dyzap malware and how to detect it using RSA NetWitness. This is how Dyzap beaconing activity looks:



In both cases the IOCs were added to the same FirstWatch feed(s) on Live. You can use the following meta keys and values in your app rules and reports:

  • threat.source = 'rsa-firstwatch'
  • threat.category = 'botnet'
  • threat.desc = 'c2-domain' or threat.desc = 'c2-ip'