  • Detecting Command and Control in RSA NetWitness: Cobalt Strike

    Introduction Cobalt Strike is a threat emulation tool used by red teams and advanced persistent threats for gaining and maintaining a foothold on networks. This blog post will cover the detection of Cobalt Strik...
    Lee Kirkpatrick
    last modified by Lee Kirkpatrick
  • Introduction to MITRE’s ATT&CK™ and Mapping to ESA Rules

    Introduction to MITRE’s ATT&CK™   Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) for enterprise is a framework which describes the adversarial actions or tactics from I...
    Prakhar Pandey
    last modified by Prakhar Pandey
  • VLC Load Balancing and Failover on AWS

    If you need to achieve HA through load balancing and failover for VLCs on AWS you can use the built-in AWS load balancer. I have tested this scenario so I am going to share the outcome here.   Before starting I ...
    Marco Meli
    created by Marco Meli
  • Threat Intel Integration with MISP and Minemeld

    RSA NetWitness has a number of integrations with threat intel data providers but two that I have come across recently were not listed (MISP and Minemeld) so I figured that it would be a good challenge to see if they c...
    Eric Partington
    created by Eric Partington
  • Profiling Attackers Series

    I have recently been posting a number of blogs regarding the usage of the RSA NetWitness Platform to detect attackers within your environment. As the list of the blogs grow, it is becoming increasingly difficult to nav...
    Lee Kirkpatrick
    last modified by Lee Kirkpatrick
  • Detecting Command and Control in RSA NetWitness: Metasploit

    Preface In order to prevent confusion, I wanted to add a little snippet before we jump into the analysis. The blog post first goes over how the server became infected with Metasploit, it was using a remote execution C...
    Lee Kirkpatrick
    created by Lee Kirkpatrick
  • Use cases - ESA Rules

    Here in this space an attempt is being made to list some Use cases, custom as well as Out of box (Live) for their effectiveness and usage in Threat monitoring within an enterprise. ...
    Ishtiyaq Shah
    last modified by Ishtiyaq Shah
  • RSA Netwitness - Use Cases

    Category Sub Category #Use Case Log Source #RSA Supported #Business Use Cases Access/Authentication Identity Management Monitor for use of disabled usernames Active Directory, Databases, Applications, Web Proxy, HR d...
    Ishtiyaq Shah
    last modified by Ishtiyaq Shah
  • Detecting CVE-2019-0708 BlueKeep Remote Desktop Exploit

    Summary A vulnerability exists within Remote Desktop Services and may be exploited by sending crafted network requests using RDP. The result could be remote code execution on a victim system without any user authentica...
    Angela Stranahan
    last modified by Angela Stranahan
  • RSA NetWitness Endpoint 11.3 vs 4.4 - Key Features/Differences

    In 11.3 the same NWE Agent can operate in Insights (free) or Advanced Mode. This change can be made by toggling a policy configuration in the UI and does not require agent reinstall or reboot. There could be bo...
    Joshua Randall
    last modified by Joshua Randall
  • RSA NetWitness Platform Newsletter, May 2019, Issue #2

    Hi Everyone, We're excited to share our second issue of the RSA NetWitness Platform newsletter with you.  As a friendly reminder, the goal for this newsletter is to share more information about what is happ...
    Jacob Dorval
    last modified by Jacob Dorval
  • Open Access to Your RSA NetWitness Network Data

    Strides have been made in RSA NetWitness Platform v11.2 to provide an administrator alternatives to the standard proprietary NW database format. Now an admin can choose to have the raw packet database files written in...
    William Hart
    last modified by William Hart
  • Customizing Respond Incident Notification Emails

    One of the more common requests and "how do I" questions I've heard in recent months centers around the Emails that the Respond Module can send when an Incident is created or updated.  Enabling this configuration...
    Joshua Randall
    last modified by Joshua Randall
  • Examining Threat Aware Authentication in v11.3

    One of the features included in the RSA NetWitness 11.3 release is something called Threat Aware Authentication (Respond Config: Configure Threat Aware Authentication).  This feature is a direct integration betwe...
    Joshua Randall
    last modified by Joshua Randall
  • What's on your wire: ScreenConnect/ConnectWise

    With the recent news about ScreenConnect used in data breaches, I had the opportunity to examine some of the network traffic.  This was traffic that was originally in OTHER, but as you know, that just means it's ...
    Christopher Ahearn
    last modified by Christopher Ahearn
  • Detecting Command and Control in RSA NetWitness: Koadic

    Attackers love to use readily available red team tools for various stages within their attack. They do so as this removes the labour required in creating their own custom tools. This is not to say that the more innova...
    Lee Kirkpatrick
    last modified by Lee Kirkpatrick
  • Scheduled and Ad-Hoc ESA Alerts

    Quite frequently when testing ESA alerts and output options / templates, I have wanted the ability to manually or repeatedly trigger alerts.  In order to help with this type of testing, I created a couple ES...
    Joshua Randall
    last modified by Joshua Randall
  • RSA NetWitness Platform Troubleshooting Space

    There is a new space available on RSA Link: Troubleshooting the RSA NetWitness® Platform The purpose of this space is to consolidate the available troubleshooting information for RSA NetWitness into a single spa...
    Scott Marcus
    created by Scott Marcus
  • Introducing RSA NetWitness Platform 11.3

    We are excited to announce the latest version of the RSA NetWitness Platform!  For those of you at RSA Conference, come to the RSA Booth to see first hand the new capabilities of the platform. RSA NetWitness Plat...
    Amy Blackshaw
    last modified by Amy Blackshaw
  • Detecting DNS Tunnel Activity in RSA NetWitness

    Introduction There are many, many ways to exfiltrate data from a network, but one common way to do it is using DNS Exfiltration. With these specific techniques the attackers use the already open port for dns traff...
    Massimiliano Faudarole
    last modified by Massimiliano Faudarole