Skip navigation
All Places > Products > RSA NetWitness Platform > Blog > Author: Alex Cox

RSA NetWitness Platform

3 Posts authored by: Alex Cox Employee

We are pleased to announce the addition of threat indicators directly from RSA's world class Incident Response team.   These indicators include Domains and IPs that are sourced from Incident Response activities in a variety of ways:


- Direct observation during RSA Incident Response engagements

- Related indicators developed via malware, DNS, and whois analysis

- 3rd Party Indicators with connections to RSA IR activity


These indicators can be loaded into Security Analytics by subscribing to the following feeds in RSA Live:


RSA FirstWatch Command and Control Domains

RSA FirstWatch Command and Control IPs


The following pivot can be used to located hits to these indicators in the Security Analytics UI:


threat.source = "rsa ir indicators"


Thanks and Happy Hunting!


RSA FirstWatch

You asked and we listened! 


Ransomware continues to be a significant threat to our customers, so this is a very timely addition. has added a ransomeware tracker which tracks the following families of ransomware:











We’ve added these indicators to the following feeds in LIVE:


Third Party IOC Domains

Third Party IOC IPs


They can be located with the following pivot in the Security Analytics UI:


Threat.category = “ ransomware”


Happy Hunting!



You may have seen press coverage this week relating to a Microsoft Outlook Web Access
(OWA) attack.  The originating report was published by Cybereason, which can
be found here:


In short, attackers of a Cybereason client installed a malicious .dll file which
was used by OWA as part of the authentication mechanism…. Authenticating users
against the Active Directory server.  It also installed an ISAPI filter
into the IIS server and was filtering HTTP requests.  Once installed, the
malware wrote all usernames and passwords to an encrypted .txt file on the C
Drive.  Then it passively waited for instructions from the attackers via


Microsoft responded to the report and has claimed that a properly deployed and secured
Exchange Server is NOT susceptible to the referenced attacks.,


Unfortunately,  Cybereason has not shared the malware for creation of signatures or hashes.
They have explained that the malware is custom to the victim, so traditional
endpoint signatures would likely not work anyway.  Further, there is no
known C2 domains or IP addresses, as the malware was apparently discovered
prior to responding to additional commands.


Cybereason did reveal, however, the name of the malicious file: OWAAUTH.DLL


An RSA ECAT customer can use the Global Module List to CTRL-F search for that
file name: OWAAUTH.DLL


If the file(s) appear without a valid Microsoft signature, you may have been
compromised by this attack and should begin response procedures. 
If the
attacker followed the same protocol as the Cybereason report outlined, there is
also an encrypted file named log.txt, stored in C:\.  It may contain lots
of domain credentials, so should be treated accordingly.

Filter Blog

By date: By tag: