
RSA NetWitness Platform

12 Posts authored by: Michael Sconzo Employee

As threats evolve it's important for organizations to keep pace. As part of this trend many organizations are moving to Slack for team communications and to help drive a more efficient operational workflow. You can use the NetWitness Suite to help drive some of the changes as well. In this post we'll look at how you can send ESA alerts from NetWitness to Slack using the 'run script' capability.


First, configure Incoming Webhooks in Slack. Take note of the URL, Username and Channel you configured the webhook for; these are what the script uses to communicate from NetWitness to Slack.


Next, in NetWitness, go to Configure -> ESA Rules and select the rule you want to add Slack notifications for. Then click on Global Notifications, which lets you add the script, the notification server, and the template.


On the Output tab, click the + sign and select Script. Paste the following into the box, give it a name and click save.





#!/bin/bash
# Slack Incoming Webhook settings (placeholders; the post's own values are not shown)
webhook_url="https://hooks.slack.com/services/REPLACE_ME"
channel="#netwitness-alerts"
username="NetWitness"
text="$1"   # ESA passes the rendered notification as the first argument (assumed)
# Escape backslashes and double quotes so the alert text stays valid inside the JSON string
escapedText=$(printf '%s' "$text" | sed 's/\\/\\\\/g; s/"/\\"/g')
json="{\"channel\": \"$channel\", \"username\":\"$username\", \"icon_emoji\":\":ghost:\", \"attachments\":[{\"color\":\"danger\", \"text\": \"$escapedText\"}]}"
/usr/bin/curl -s --data-urlencode "payload=$json" "$webhook_url"

Click the Servers tab. If you don't have an entry for 'Script', click the + sign, add one and click save. This allows scripts to be run on the local host (the ESA server).

Next, choose a template. You can use an existing one, but I created my own for simple alerting: click the Templates tab, then the + sign, add the following information and click save.

Finally, select your new values in the rule, and deploy the modified ESA Rule(s).

Now you can enjoy your new Slack integration, and get alerts into various channels.
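The same Slack payload built with a JSON serializer instead of string concatenation, as an added example that is not from the original post. It assumes the ESA script notification hands the rendered template to the script as its first argument, and the webhook URL, channel and username below are placeholders. Alert text routinely carries attacker-chosen strings (URLs, user agents, file names) containing quotes, backslashes or newlines; json.dumps escapes all of those, which is the part hand-assembled shell strings tend to get wrong.

```python
import json
import sys
import urllib.parse
import urllib.request

# Placeholder Slack Incoming Webhook settings (not real values)
WEBHOOK_URL = "https://hooks.slack.com/services/REPLACE_ME"
CHANNEL = "#netwitness-alerts"
USERNAME = "NetWitness"


def build_payload(text, channel=CHANNEL, username=USERNAME):
    """Return the Slack webhook payload as a JSON string.

    json.dumps escapes quotes, backslashes, newlines and control characters
    in the alert text, so a quote inside the alert cannot terminate the JSON
    string early or inject extra fields into the message.
    """
    message = {
        "channel": channel,
        "username": username,
        "icon_emoji": ":ghost:",
        "attachments": [{"color": "danger", "text": text}],
    }
    return json.dumps(message)


def alert_text_roundtrips(text):
    """True when the alert text survives serialization and parsing unchanged."""
    decoded = json.loads(build_payload(text))
    return decoded["attachments"][0]["text"] == text


def post_to_slack(text, webhook_url=WEBHOOK_URL):
    """Send the payload as the 'payload=<json>' form field the webhook expects."""
    body = urllib.parse.urlencode({"payload": build_payload(text)}).encode()
    req = urllib.request.Request(webhook_url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Assumed: ESA passes the rendered notification template as the first argument
    post_to_slack(sys.argv[1] if len(sys.argv) > 1 else "test alert")
```

Configure this as the Script output in the same way as the shell version; only the body of the script changes.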

If you didn't catch Saket's update about Log Parsers, be sure to look at all the improvements they made. Here's the January roll-up of the new detection capabilities added via Live.



  • PVID
  • CustomTCP
  • Lua Mail Options file
  • rekaf
  • Cerber
  • Updates to the DynDNS parser


Feed Additions

  • Grizzly Steppe
  • Locky
  • Cerber
  • Schoolbell
  • Kingslayer
  • Tox Supernode



  • Added Tox traffic to the 'Encrypted Traffic' report
Michael Sconzo

Content Update

Posted by Michael Sconzo Employee Jan 13, 2017

Hopefully everybody had a great holiday season! I know we did, and we've been getting some new capabilities into Live.


For starters, if you're running 10.6.2 you'll notice two new bundles: the Starter Pack for Logs and the Starter Pack for Packets. These provide a great starting point to make sure you can find interesting activity in 10.6.2 moving forward, and to ensure that dashboards populate if you have the appropriate data coming into the NetWitness Suite.


App Rules, Parsers, and Reports.

  • CustomTCP Parser - Schoolbell Malware
  • Rekaf malware Parser - Schoolbell Malware
  • Updated Cerber Parser
  • Updates to the Dynamic DNS parser
  • Updated the Encrypted Traffic report with Tox protocol identification


Lots of Feed updates for: Locky, Cerber, Schoolbell, Kingslayer, and Grizzly Steppe


In addition, FirstWatch has been putting some great blog posts out there!


As usual more great stuff on the horizon.

Michael Sconzo


Posted by Michael Sconzo Employee Dec 30, 2016

The FirstWatch team constantly tracks various threats and threat actors. As part of this diligence they monitor third parties for bulletins and reports. US-CERT recently issued a report detailing an intrusion into a political organization believed to have originated from a nation-state attacker. This attacker, named 'GRIZZLY STEPPE', is the subject of a Joint Analysis Report (JAR) between DHS and DNI. The report can be found here:


Additionally, US-CERT has published an intrusion set that contains network indicators of compromise (IOCs) for said attack. RSA has added these indicators into the NetWitness Live platform (via Feeds); they can be located in NetWitness with the following custom pivot:

threat.source = "third party publicized iocs" && threat.category = "us-cert"


That said, some of the indicators as published are problematic, as they contain legitimate IPs that we believe to be benign triggers. We've identified the following IPs (at a minimum) as potential false positive indicators:



.Edu OWA Server:



Hits to any GRIZZLY STEPPE indicators warrant additional investigation, but hits to the above IP addresses should be approached with the expectation that they are false positives. None of these indicators have been removed from the feed, since we don't want to alter third-party information and cause potentially useful context to be absent.

Michael Sconzo

Content Update

Posted by Michael Sconzo Employee Dec 14, 2016

Here's the latest in Content Updates. They enable expanded malware detection as well as add additional features for DNS traffic analysis and analysis around domains.


Application Rule Updates

  • Dyzap - Related Blog post
  • Update of Cerber Ransomware rule


ESA Rule Updates

  • Update of Cerber Ransomware rule


Feed Updates


Parser Updates

  • DNS_lua
    • File detection in DNS traffic
    • Base64 and Base36 TXT record detection
  • TLD_lua options file
    • Ability to set local domains and TLDs so that they are whitelisted from the logic that looks for suspicious domain structure.
Michael Sconzo

Content Update

Posted by Michael Sconzo Employee Nov 17, 2016

This is a pretty exciting content update! We've got some new stuff and some updated stuff.


First the updated:

  • Based on continued FirstWatch tracking of Cerber ransomware we've added some additional checks to both the Cerber App Rule, and the Cerber ESA rule. 


Now the new:

  • In my last post you saw that we released this Investigations Feed, our newest feed release is the companion Hunting Feed. This allows you more views into the types of features that network traffic and logs can generate to enable easier hunting.
  • We are also super excited to announce the availability of the Hunting Pack! This content will work in 10.3 or greater (it requires Lua); stay tuned to get it in bundle format with the release of 10.6.2. In addition, the Hunting Guide is also available. Be sure to check out the Removal Guide if you're running the legacy IR content.


As always let us know what you think of the new content (and updates).

Michael Sconzo

Content Update

Posted by Michael Sconzo Employee Nov 4, 2016

We continue to be hard at work building out our fundamentals and delivering new content to help you detect new threats. This round we have some pretty exciting updates.


  • SchoolBell malware detection. SchoolBell was discovered by FirstWatch while looking into ShellCrew infrastructure. Stay tuned for more information from FirstWatch, but enable the detection now.
  • We are also staying up-to-date on Cerber Ransomware as it continues to be a threat. We've updated the ESA rule to reflect a new behavior we picked up. In addition expect another blog post and updated threat information from FirstWatch.
  • Last but certainly not least, we're releasing the Investigation Feed (available in Live today)! Check out the doc for more information, screen shots, and how to be successful with the content. The goal of this feed is to help categorize content for easy reporting and investigations. This is an ongoing effort so be aware of constant updates.
Michael Sconzo

Nemucod and Locky

Posted by Michael Sconzo Employee Oct 3, 2016

Thanks to Kevin, Rajas, Angela, Ray, and Tophs for all the data, research, and output.


On the heels of RSA’s recent investigation into Cerber and Ransomware-as-a-Service (RaaS), additional consideration was given to other aspects of the ‘Crimeware circuit’ that might also be moving into a more commercialized role.  The Nemucod Trojan’s recent evolution as of August-September of 2016, may well provide another fitting example of actors adapting to market forces.  Not coincidentally, the JS/TrojanDownloader.Nemucod is currently being tracked as the second current ‘Top World Threat’ by ESET’s Virusradar[1], with an uptick of activity noted in the latter weeks of September.


Figure 1: Nemucod trending, courtesy of ESET Virusradar[2]


Historically speaking, Nemucod is a relatively well-known family that has often utilized malspam campaigns, with the trojan delivering flavors of ransomware, ad-clickers, and other payloads.  However, it is important to note that these payloads were typically each delivered in time-serial linear fashion; this appears to have changed for Nemucod.  As evidence of this, analysis of detonated malware (from the week of September 19th) indicates that today’s Nemucod Trojan may be operating as an uncoupled delivery mechanism, capable of dropping not just Locky Ransomware, but a slew of other malicious portable executables (e.g., win32/kovter and win32/boaxxe).


Does this shift represent Nemucod actors adjusting their business model to better align core competencies with market demand, in this case for the distribution and delivery of a plethora of crimeware?  It’s possible and even likely, especially considering the evolution of EK-delivered Cerber RaaS.  That being said, there is not yet a conclusive body of evidence to prove or disprove the theory that Nemucod actors have hung a shingle as distribution and delivery service providers.


Locky ransomware was one of the primary payloads noted in this investigation, and the executables observed demonstrate behavior consistent with Locky as described in previous security industry documentation.  As with previous Nemucod campaigns, the attack vector used for this campaign was mostly e-mail, a sample of which can be seen below.


Figure 5: E-mail attack vector.


Meet the Nemucod Trojan.  It is attached above as a non-password-protected ZIP containing an HTA (HTML Application) file, which is encoded JavaScript responsible for the delivery of one or more malicious payloads.  This type of executable inherently brings agility to the actor’s operating model, because encoded JavaScript can easily be modified to reconfigure malware-serving domains or IPs.  Add to this the amount of bulletproof hosting available in countries with “less stringent laws and/or regulations”, and it becomes apparent how quickly Nemucod can launch or modify a campaign.


Another noteworthy observation was that community antivirus and malware detection capabilities typically mischaracterize Nemucod.  Rather than identifying the trojan as a downloader and delivery mechanism, the community often categorizes Nemucod by the payload it most commonly delivers.  This has probably helped obscure Nemucod’s utility in delivering multiple flavors of ransomware and other crimeware.


In the case of Locky, the delivered payload is a PHP interpreter, an additional PHP library, and then the download of a third PHP file, which uses a hard-coded encryption key to encrypt important files and rename them after its namesake, “.locky”.  Once this routine has completed, the software then proceeds to inform the user and demand ransom.


Figure 2: Maltego snapshot of Locky Infrastructure


Post-delivery, we observed a number of Locky PHP check-ins via HTTP POSTs direct to IP addresses (e.g., userinfo.php, data/info.php, submit.php, amin.php).  It is believed that these are initial check-ins by the ransomware once it has successfully installed itself.  There were also a number of expected callbacks to, a known command and control (C2) infrastructure for Locky.  In our malware samples, the majority of activity was destined for, confirming it as a current Locky C2 site[3].


Figure 3: Sample of Locky’s direct-to-IP check-in, courtesy of VirusTotal[4]


In addition to this activity, a large number of callbacks were also seen heading to, which is likely critical infrastructure related to Locky malspam.  This was demonstrated by a number of SMTP formatted port 80 callbacks to known infrastructure as well as the large number of POP, IMAP, and other mail related domains hosted therein. itself hosts more than 50 mail related domains as well as a possible control panel (cpanel[.]rowz.[.]ru).  Similar provisioning was noted across other nodes within the Locky infrastructure.


Figure 4: Additional Locky domains


Also not surprising, there were a number of connections to dynamic DNS provider checkip[.]dyndns[.]org, who has been a player in too many past crimeware campaigns to list.


While little detail currently exists on most open source ransomware trackers with regard to Locky payment processing, several candidate hosts were noted during the course of this research.  First, in addition to its C2 role, was found to be hosting more than 400 possible payment site domains matching a [8-20char DGA].[key].win pattern. was also noted as a possible payment site host, with a smaller number of [DGA].[DGA].top and [DGA].[DGA].pw patterned domains observed.


There was also a handful of traffic to Eastern European hosting services (e.g., Eurohoster hosting services out of Bulgaria) and privately registered Ukrainian infrastructure such as, identified as hosting obscure domains like m2.[]dreamboatoffer[.]com and horehjw19882[.]com, coincidentally owned by an iOS developer living in Ukraine.  It’s not possible at this stage to determine if these artifacts are indicative of compromised infrastructure hijacked for Locky or possibly something more closely related to the actual group of Locky actors.


Figure 4: VirusTotal site scoring[5]


Another aspect of the Nemucod investigation revealed that many of the ‘Locky’ characterized hashes were false positive identifications (by several algorithms within VirusTotal) that actually demonstrated behavior more consistent with malvertising.  These hashes made direct callbacks to Akamai CDN infrastructure (e.g., and are likely further examples of Nemucod’s evolved ability for multiple payloads and more importantly achieving multiple revenue streams.



While no significantly new technical understanding was developed during the course of this research, RSA was able to identify several Nemucod and Locky behaviors that are currently being evaluated for post-infection signature-based detection in RSA Security Analytics (i.e. NetWitness).  Additionally, the RSA FirstWatch Exploit Domain and FirstWatch Exploit IP threat intelligence feeds were updated as of September 28th, 2016 to include more than 3000 unique indicators of compromise (IOCs) for the Nemucod trojan as well as the Locky ransomware it currently delivers.


In addition, a new App Rule is also available in Live. The query is:

rule="action = 'post' && = 'http direct to ip request' && content = 'application/x-www-form-urlencoded' && direction='outbound' && (extension = 'php' || extension = 'cgi' )

This rule should have a low false-positive rate, if you find anything to the contrary please let us know.
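The rule's conditions reconstructed in Python and run over constructed HTTP session metadata, added here as an example and not content from the post or from Live. The meta key for the 'http direct to ip request' condition is not shown above, so the example implements that check itself: it tests whether the Host value is an IPv4 or IPv6 literal, with or without a port. The field names ('host', 'url') and the sample sessions are my own, using documentation IP ranges.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample HTTP session metadata, loosely modelled on the meta keys the
# App Rule names (action, content, direction, extension). 'host' and 'url' are my
# own field names; every address and path here is invented for this example.
SAMPLE_SESSIONS = [
    {"action": "post", "direction": "outbound", "content": "application/x-www-form-urlencoded",
     "host": "203.0.113.10", "url": "/data/info.php"},
    {"action": "post", "direction": "outbound", "content": "application/x-www-form-urlencoded",
     "host": "198.51.100.7:8080", "url": "/submit.php?id=1"},     # IPv4 literal with a port
    {"action": "post", "direction": "outbound", "content": "application/x-www-form-urlencoded",
     "host": "www.example.com", "url": "/login.php"},             # hostname, not a bare IP
    {"action": "get", "direction": "outbound", "content": "text/html",
     "host": "203.0.113.10", "url": "/userinfo.php"},             # GET, not POST
    {"action": "post", "direction": "outbound", "content": "application/json",
     "host": "203.0.113.10", "url": "/api"},                      # JSON body, no extension
    {"action": "post", "direction": "lateral", "content": "application/x-www-form-urlencoded",
     "host": "10.0.0.5", "url": "/amin.cgi"},                     # internal, not outbound
    {"action": "post", "direction": "outbound", "content": "application/x-www-form-urlencoded",
     "host": "[2001:db8::1]", "url": "/cgi-bin/x.cgi"},           # IPv6 literal host
]


def is_direct_to_ip(host):
    """True when the HTTP Host value is an IP literal rather than a domain name."""
    if host.startswith("["):                 # bracketed IPv6 literal, possibly with :port
        host = host[1:host.index("]")]
    elif host.count(":") == 1:               # IPv4 with :port
        host = host.split(":")[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def extension_of(url):
    """Extension of the requested path (query string ignored), lower-cased, or ''."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def matches_checkin_rule(s):
    """The App Rule's five conditions, with the direct-to-IP test implemented inline."""
    return (s["action"] == "post"
            and is_direct_to_ip(s["host"])
            and s["content"] == "application/x-www-form-urlencoded"
            and s["direction"] == "outbound"
            and extension_of(s["url"]) in ("php", "cgi"))


def flag_sessions(sessions):
    """Return (host, url) for every session the rule would fire on."""
    return [(s["host"], s["url"]) for s in sessions if matches_checkin_rule(s)]


if __name__ == "__main__":
    for host, url in flag_sessions(SAMPLE_SESSIONS):
        print("Locky-style check-in candidate:", host, url)
```

Of the seven constructed sessions only the three direct-to-IP form POSTs to .php/.cgi paths are flagged; the hostname-based POST, the GET, the JSON POST and the internal request all fall outside the rule, which is what keeps its false-positive rate low.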


Perhaps more important than the technical discoveries though is the additional evidence this research contributes to the theory that crimeware actors are adopting commercially accepted market principles to refine their business models in order to increase profits and diversify revenue streams.








Michael Sconzo

The Evolution of Cerber

Posted by Michael Sconzo Employee Sep 27, 2016

Here's a great bit of research by RSA Research along with associated Live content by the Content team.



Ransomware-as-a-Service (RaaS) offerings first emerged around May of 2015, and remove technical hurdles for would-be cyber criminals by providing configurable components that can be mixed and matched as needed based upon the runner's target demographic, support services (e.g., payment processing) and even customer service[1].

Subsequently, ransomware-derived revenues have skyrocketed over the past year as operators have honed and refined their business approach.  As of summer ’16, it is widely believed that Ransomware represents the most profitable malware market to date for cyber criminals and dark web operators. 

Cerber pay screen


Cerber is perhaps the most profitable of recent ransomware campaigns, and recent estimates based upon analysis of statistics from counter-compromised affiliate panels project operator revenues at $2.5M for this year, based on a 40% cut of overall revenues[2].



The goal of this research effort is to investigate recent Cerber campaigns, identify deployment models and infrastructure, and create content/innovation that may aid in the detection of this ransomware. This is done by detonating multiple samples, analyzing the malware callbacks, and enumerating associated networks, behavior, and infrastructure. In order to accomplish the objective several tools were used: Maltego, PassiveTotal, VirusTotal, Malware-Traffic-Analysis, Google and others.



Research and enrichment of the core dataset produced significant insight into 5 distinct Cerber campaigns, including what we believe to be an alpha or pilot run spanning 5/11 – 6/1, two phishing-based campaigns in July, and two Exploit Kit (EK) based campaigns in August and into early September, which RSA Research believes is consistent with the purported improvements and timing for EK-delivery methods.


For the phishing delivered campaigns, RSA researchers identified a clear Domain Generating Algorithm (DGA) and Top Level Domain (TLD) pattern, which characterizes probable payment processing sites.  Based on a number of shared indicators (IPs, SSL certificates, and Domain registrations) that were correlated to previous Torrentlocker/Crypt0L0cker ransomware and Nuclear EK campaigns as well as a number of Alien Vault Open Threat Exchange postings[3], it is believed that these campaigns delivered mixed ransomware to victims.  Snapshots of the related Maltego graphs of these campaigns are below:



With regard to the EK-delivered Cerber campaigns, there is a significant evolution in complexity and scalability in the actor’s deployment model as benchmarked from the alpha campaign through the August and September periods of activity.  Evidence of this is the use of both perishable (sometimes rotating daily) IP infrastructure and nearly unique malware hashes that are created every 15 seconds[4].  Maltego snapshots of these networks with some technical details are below:



Regardless of deployment model changes, the IP-Geo check still functions as detailed in CheckPoint’s August 16th report[5] to bypass hosts in Eastern European countries or systems with correlating language settings.  IP geolocation services were seen from several providers including ‘’ and ‘’ (neither of which are inherently malicious).

"languages": [ 1049, 1058, 1059, 1064, 1067, 1068, 1079, 1087, 1088, 1090, 1091, 2072, 2073, 2092, 2115]

"countries": [ "am", "az", "by", "ge", "kg", "kz", "md", "ru", "tm", "tj", "ua", "uz"]

Directly following the IP-Geo checks, the malware still sprays one-way Command and Control (C2) via UDP port 6892 to the well-known netblock and somewhat less frequently to the netblock.  There has also been some speculation that this UDP capability could be weaponized for DDoS, where the victim could redirect all response traffic from the C2 subnet to a targeted host[6]; however, RSA analysis of the binaries did not identify a ‘listen’ or redirect function in current Cerber samples.

With regard to the ‘business’ side of Cerber, RSA was able to identify a slightly more sophisticated 16char-KEY[.]DGA[.]TLD pattern with 23 unique key values that correlate to embedded configuration files for the malware’s set-up of bitcoin wallets for each victim.  This pay-site pattern was confirmed via the positive identification of 726 unique URLs[7], predominantly registered with ‘Eranet International Limited’ or ‘AlpNames Limited’, and hosted on both Tor nodes and the rotational infrastructure detailed above.

"2016-09-01 17:17:32", "Payment Site", "Cerber", "4kqd3hmqgptupi3p.6j7jcn[.]bid", "hxxp://4kqd3hmqgptupi3p.6j7jcn[.]bid", "offline", " | |", "36352|16276", "US|CA"

While EK-delivered Cerber does present a challenge to diagnose intertwined ransomware and exploit kit behaviors and artifacts, some attribution can be made to particular EKs by leveraging findings on both C2 callbacks and the pay-site patterns.  Specifically, the May-June Cerber campaign demonstrates the previously noted UDP callbacks to the netblock and also ‘cerberhhyed5frqa.[DGA].win’ as a naming convention for payment sites; each of these has been linked to RIG EK and the delivery of Cerber[8].  The August and September campaigns can also be attributed to a probable exploit kit.  One of the 20+ payment processing site keys noted in those campaigns was ‘unocl45trpuoefft[.]DGA[.]TLD’, which correlates to open source intelligence documentation as a known Magnitude EK naming convention[9]


These findings suggest that earlier Cerber campaigns may have been delivered by RIG, followed by the July phishing campaigns, and then the August-September Magnitude delivery campaigns; however much more than Cerber   During the course of this research, numerous non-Ransomware activities (e.g., malvertising and information stealing) and related infrastructures were also identified.  RSA believes that these observations demonstrate how campaign runners are diversifying across malvertising, EK’s, and ransomware to drive multiple revenue streams from their campaigns. 


If this is the case, then Cerber-RaaS fits well within the model previously employed by Exploit Kit authors, supplying market demand for subversive and malicious software packages.  This also shows that dark web operators are adopting mainstream models for operations and service delivery, further increasing evidence that adversaries are borrowing from legitimate business models.  The Stampado ransomware, with unlimited licenses being offered for $39, is a compelling example[10] of how low the bar now is for market entry.



What remains unknown is how many different groups of actors or affiliates might be actively pushing Cerber ransomware.  Given the enormous payout potential, different TTPs for the phishing and EK delivered campaigns, and a lack of any co-use infrastructure… it is possible if not likely that different actors/affiliates were responsible for each respective infection vector.  However, without further evidence this notion remains speculative.


Threat Intelligence & Detection

By design, the evolving nature of Cerber’s malware, distribution, and rotational infrastructure limits the shelf life and effectiveness of any indicators of compromise (IOCs).  Despite this, RSA FirstWatch thought the subject matter significant enough to push two sets of threat intelligence into the ‘FirstWatch Exploit Domains’ and ‘FirstWatch Exploit IPs’ feeds on 9/3 and 9/9.  Each of these feeds is set to age-off after 30 days.


In addition, an App Rule is now available via Live that detects a set of 23 unique pay-site hosts for Cerber ransomware that correlate to embedded configuration files for the malware’s set-up of bitcoin wallets for each victim.  This rule matches when the '' (packet) or 'fqdn' (web logs) meta key begins with one of the identified hostname patterns.  Either the HTTP_lua or HTTP native parser or one of the web log event sources is required.  You must have the September 2016 or later release of a web log event source plus the Envision Config File for the FQDN to be populated. The rule is:

begins '25z5g623wpqpdwis', '27lelchgcvs2wpm7', '32kl2rwsjvqjeui7', '3qbyaoohkcqkzrz6', '4kqd3hmqgptupi3p', '52uo5k3t73ypjije', '6dtxgqam4crv6rr6', 'cerberhhyed5frqa', 'de2nuvwegoo32oqv', 'i3ezlvkoi7fwyood', 'kkd47eh4hdjshb5t', 'lpholfnvwbukqwye', 'mphtadhci5mrdlju', 'mz7oyb3v32vshcvk', 'pmenboeqhyrpvomq', 'rzss2zfue73dfvmj', 'stgg5jv6mqiibmax', 'twbers4hmi6dc65f', 'unocl45trpuoefft', 'vrvis6ndra5jeggj', 'vrympoqs5ra34nfo', 'wjtqjleommc4z46i', 'zjfq4lnfbs7pncr5' || fqdn begins '25z5g623wpqpdwis', '27lelchgcvs2wpm7', '32kl2rwsjvqjeui7', '3qbyaoohkcqkzrz6', '4kqd3hmqgptupi3p', '52uo5k3t73ypjije', '6dtxgqam4crv6rr6', 'cerberhhyed5frqa', 'de2nuvwegoo32oqv', 'i3ezlvkoi7fwyood', 'kkd47eh4hdjshb5t', 'lpholfnvwbukqwye', 'mphtadhci5mrdlju', 'mz7oyb3v32vshcvk', 'pmenboeqhyrpvomq', 'rzss2zfue73dfvmj', 'stgg5jv6mqiibmax', 'twbers4hmi6dc65f', 'unocl45trpuoefft', 'vrvis6ndra5jeggj', 'vrympoqs5ra34nfo', 'wjtqjleommc4z46i', 'zjfq4lnfbs7pncr5'

An ESA rule is also available that detects a pattern of Cerber ransomware in which a geolocation check of an IP is performed (in order to bypass hosts in Eastern European countries) directly followed by one-way command and control (C2) via UDP port 6892. The time window, list of UDP port numbers and IP geolocation check sites are configurable. The traffic_flow Lua parser and either the native DNS or DNS_verbose_lua parser are required. The ESA rule uses the following list of hostnames that were observed during the GeoIP check: myexternalip[.]com, ipecho[.]net, ip-addr[.]es, ipinfo[.]io, wtfismyip[.]com, freegeoip[.]net, curlmyip[.]com, ip-api[.]com, icanhazip[.]com.
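Both pieces of Live content described above, the pay-site App Rule and the GeoIP-check-then-UDP ESA rule, reconstructed as plain Python over constructed events. This is an added example, not the content shipped in Live or the author's code. The 23 key values and the nine GeoIP-check hostnames are those listed in the post; the 120-second correlation window, the event field names and all hosts, addresses and timestamps in the sample data are my own assumptions.

```python
# The 23 pay-site key values and the GeoIP-check hostnames come from the post above.
CERBER_PAYSITE_KEYS = {
    "25z5g623wpqpdwis", "27lelchgcvs2wpm7", "32kl2rwsjvqjeui7", "3qbyaoohkcqkzrz6",
    "4kqd3hmqgptupi3p", "52uo5k3t73ypjije", "6dtxgqam4crv6rr6", "cerberhhyed5frqa",
    "de2nuvwegoo32oqv", "i3ezlvkoi7fwyood", "kkd47eh4hdjshb5t", "lpholfnvwbukqwye",
    "mphtadhci5mrdlju", "mz7oyb3v32vshcvk", "pmenboeqhyrpvomq", "rzss2zfue73dfvmj",
    "stgg5jv6mqiibmax", "twbers4hmi6dc65f", "unocl45trpuoefft", "vrvis6ndra5jeggj",
    "vrympoqs5ra34nfo", "wjtqjleommc4z46i", "zjfq4lnfbs7pncr5",
}
GEOIP_CHECK_HOSTS = {
    "myexternalip.com", "ipecho.net", "ip-addr.es", "ipinfo.io", "wtfismyip.com",
    "freegeoip.net", "curlmyip.com", "ip-api.com", "icanhazip.com",
}
C2_UDP_PORTS = {6892}
WINDOW_SECONDS = 120   # assumed correlation window; the real ESA rule's window is configurable


def is_cerber_paysite(hostname):
    """App Rule logic: the host's first DNS label is one of the 16-character keys.

    Comparing the whole first label (rather than a raw prefix) keeps a key that
    happens to start a longer, unrelated label from matching.
    """
    first_label = hostname.lower().rstrip(".").split(".")[0]
    return first_label in CERBER_PAYSITE_KEYS


def correlate_geo_then_udp(events, window=WINDOW_SECONDS):
    """ESA-rule logic: a GeoIP-check DNS lookup followed, within `window` seconds
    and from the same source host, by UDP traffic to a C2 port.

    Each event is a dict with ts (epoch seconds), src, type ('dns' or 'udp') and
    either 'query' (dns) or 'dport' (udp). Returns (src, dns_ts, udp_ts) per hit.
    """
    last_check = {}    # src -> timestamp of its most recent GeoIP-check lookup
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "dns":
            q = ev["query"].lower().rstrip(".")
            if q in GEOIP_CHECK_HOSTS or any(q.endswith("." + h) for h in GEOIP_CHECK_HOSTS):
                last_check[ev["src"]] = ev["ts"]
        elif ev["type"] == "udp" and ev["dport"] in C2_UDP_PORTS:
            seen = last_check.get(ev["src"])
            if seen is not None and 0 <= ev["ts"] - seen <= window:
                hits.append((ev["src"], seen, ev["ts"]))
                del last_check[ev["src"]]   # one alert per check; the spray is a burst
    return hits


# Constructed sample events (sources, queries and times invented for this example).
SAMPLE_EVENTS = [
    {"ts": 1000, "src": "10.1.1.20", "type": "dns", "query": "ipinfo.io"},
    {"ts": 1004, "src": "10.1.1.20", "type": "udp", "dport": 6892},   # check then spray: hit
    {"ts": 1005, "src": "10.1.1.20", "type": "udp", "dport": 6892},   # same burst, already alerted
    {"ts": 2000, "src": "10.1.1.30", "type": "dns", "query": "www.icanhazip.com"},
    {"ts": 2300, "src": "10.1.1.30", "type": "udp", "dport": 6892},   # outside the window
    {"ts": 3000, "src": "10.1.1.40", "type": "udp", "dport": 6892},   # UDP with no prior check
    {"ts": 3100, "src": "10.1.1.40", "type": "dns", "query": "ipinfo.io"},  # wrong order
    {"ts": 4000, "src": "10.1.1.50", "type": "dns", "query": "ipinfo.io"},
    {"ts": 4010, "src": "10.1.1.50", "type": "udp", "dport": 53},     # ordinary DNS over UDP
]


if __name__ == "__main__":
    for src, t_dns, t_udp in correlate_geo_then_udp(SAMPLE_EVENTS):
        print(f"{src}: GeoIP check at {t_dns} followed by UDP/6892 at {t_udp}")
    print(is_cerber_paysite("4kqd3hmqgptupi3p.6j7jcn.bid"))
```

The ordering matters in the same way it does in the ESA rule: UDP to port 6892 that precedes the lookup, or arrives after the window has elapsed, does not fire, and consuming the stored lookup after the first match stops a single burst from producing a stream of alerts.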



Thanks to Kevin, Angela, and Ray for the data, research, and output.

Michael Sconzo

Content Update

Posted by Michael Sconzo Employee Sep 26, 2016

We've got some nice new additions to Live as well as a high-impact update with our HTTP_lua parser.


First off, we've expanded our detection capability and the following App Rules are now available via Live.


In addition the team has pushed an update to the HTTP_lua parser. If you're running this in your environment you want to make sure you get updated to this version. The high points of this release are:

  • 95% rewritten to better accommodate updates, performance and analysis.
  • Language extraction from Accept-Language request headers
  • Additional bug fixes 


Fun Fact: Did you know you could use a CSV file as a whitelist or blacklist in ESA?


Stay tuned for more!

As part of our continued efforts to bring customers better and more advanced ways of detecting malware we've got a few things to announce.


First off, the following malware families now have content in Live for you to download and deploy. If you'd like more information on the malware family check out the links (RSA Research). Stay tuned for a few more in the upcoming weeks.


Another part we're hard at work on is bringing more relevant and timely content to our feeds. This week, as part of some additional research that was conducted we've added 4000 unique Ransomware domains into our c2-domain feed, and 1150 unique IPs into our c2-ip feed. This all comes from analyzing 48 different Ransomware families and over 1600 samples. If you're especially concerned about Ransomware check out our Case Study Infographic on our main site.

There's been a lot of buzz lately about the Pegasus iOS malware and associated exploits. One of the many ways we help customers track and understand these types of threats is by adding IOCs to our various Feeds. This specific instance caused the addition of over 300 domains to our Third Party IOC Domains feed. One of the advantages of using this feed is that not only do we track down additional indicators to ensure you have the greatest amount of coverage, but the feed is also automatically curated: indicators are aged out after 90 days, so you don't have to worry about stale indicators.
