Sean Ennis

RSA NetWitness Endpoint Insights - Scan Data Reports (Now in RSA Live!)

Blog Post created by Sean Ennis Employee on May 18, 2018

One of the major new features found in RSA NetWitness Platform version 11.1 is RSA NetWitness Endpoint Insights.  RSA NetWitness Endpoint Insights is a free endpoint agent that provides a subset of the full RSA NetWitness Endpoint 4.4 functionality as well as the ability to perform Windows log collection.  Details of how to configure RSA NetWitness Endpoint Insights can be found here: https://community.rsa.com/docs/DOC-86450

 

Additionally, as of RSA NetWitness Platform version 11.0, those with both RSA NetWitness Log & full RSA NetWitness Endpoint components have the option to start bringing the two worlds together under a unified interface.  This integration strengthens in version 11.1, and will continue to do so through version 11.2 and beyond.   Details of this integration can be found here: Endpoint Integ: RSA Endpoint Integration 

 

The 05/16/2018 RSA Live update added 4 new reports to take advantage of the Endpoint Scan Data collected by either the free RSA NetWitness Endpoint Insights agent, or the full RSA NetWitness Endpoint 4.4 meta integration (search "Endpoint" in RSA Live):

 

 

Use these reports to gain summarized visibility into endpoints, and to prioritize hunting efforts through outlier/stack analysis.  Outliers are usually worth gaining visibility into and understanding, particularly those related to persistence techniques and post-exploit activities commonly used by adversaries.  While not every outlier implies something bad is happening, this type of analysis tends to be fruitful, particularly as you increase the accuracy of rules over time through additional whitelist logic.

 

Report #1 Endpoint Scan Data Autorun and Scheduled Task Report (Outliers)

Outlier (bottom N) reporting of a subset of suspicious autoruns and scheduled task, containing the tables below.

 

Rarest Autoruns/Tasks in AppData/X and ProgramData root folders across environment (rarity among locations commonly used by malware)

Rarest Autorun registry keys across the environment

Enumerate all Autoruns/Tasks Invoking shells or scripts  (some software will do this legitimately, but should be more or less consistent across an enterprise with common images - look specifically at the launch arguments for signs of bad behavior)

 

Eg. Rarest Autoruns invoking command shells table:

 

Report #2 Endpoint Scan Data File and Process Outliers Report

Predominately outlier (bottom N) reporting of contextually interesting processes, containing the tables below.

 

Rarest parent processes of powershell.exe and cmd.exe (this should be fairly uniform across an organization based on common software distribution - outliers become worth of a look)

Rarest child processes of web server processes (looking for anomalous process execution that could indicate presence of a webshell)

Rarest Code Signing Certificate CNs 

Windows Processes with Unexpected Parent Processes (based on https://digital-forensics.sans.org/media/poster_2014_find_evil.pdf), looking for non-typical mismatches of windows child/parent processes)

 

Eg. Rarest child processes of web server processes table:

 

Report #3 Endpoint Scan Data Host Report 

This report takes an endpoint hostname as input.  It will enumerate all scan data (eg. processes, autoruns, machine details, files, etc. collected over a period of time).  NOTE:  This data also lives directly in the NW 11.1 UI under the "Hosts" section in a much nicer layout if you want it at-a-glance.

 

Eg. Report alternative in 11.1 - Hosts view:

 

Eg. Endpoint Scan Data Host Report:

 

Report #4 Endpoint Machine Summary Report

A summary of the Endpoint deployment in an environment, including OS breakdown, and NW Endpoint version breakdown.  NOTE:  This data also lives directly in the NW 11.1 UI under the "Hosts" section if you want it at a glance:

 

Eg. Report alternative in 11.1 - Hosts view:

 

Eg. Endpoint Summary Report:

Outcomes