  • Profiling Attackers Series

    I have recently been posting a number of blogs regarding the usage of the RSA NetWitness Platform to detect attackers within your environment. As the list of blogs grows, it is becoming increasingly difficult to nav...
    Lee Kirkpatrick
    last modified by Lee Kirkpatrick
  • Using the RSA NetWitness Platform to Detect Lateral Movement: SCShell (DCE/RPC)

    A couple of months ago, Mr-Un1k0d3r released a lateral movement tool that solely relies on DCE/RPC (https://github.com/Mr-Un1k0d3r/SCShell). This tool does not create a service and drop a file like PsExec or simi...
    Lee Kirkpatrick
    last modified by Lee Kirkpatrick
  • RSA NetWitness Meta Dictionary Tool

    The RSA NetWitness Meta Dictionary is a tool developed for describing the metadata used in RSA NetWitness Log Parsers. The RSA NetWitness Log Decoder supports more than 300 unique log event sources. Each log event...
    Chaitra Kulkarni
    last modified by Chaitra Kulkarni
  • Using the RSA NetWitness Platform to Detect C&C: goDoH

    DNS over HTTPS (DoH) was introduced to increase privacy and help prevent the manipulation of DNS data by utilising HTTPS to encrypt it. Mozilla and Google have been testing versions of DoH since June 2018, and...
    Lee Kirkpatrick
    last modified by Lee Kirkpatrick
  • Detecting DNS tunneling in RSA NetWitness: DNS2TCP

    When performing network forensics, all protocols should be analysed; however, some tend to be more commonly abused than others, one of these being DNS. While not as flexible as, say, HTTP, it does flow through, and outs...
    Marco Faggian
    created by Marco Faggian
  • Detecting Gh0st RAT in the RSA NetWitness Platform

    In order to defend their network effectively, analysts need to understand the threat landscape, and more specifically how individual threats present themselves in their tools. With that in mind, I started researching ...
    John Simmons
    last modified by John Simmons
  • Using RSA NetWitness to Detect Credential Harvesting: lsassy

    A couple of days ago on GitHub, Hackndo released a tool (https://github.com/Hackndo/lsassy) that is capable of dumping the memory of LSASS using LOLBins (Living off the Land Binaries) - typically we would see attackers...
    Lee Kirkpatrick
    last modified by Lee Kirkpatrick
  • Tips to Build [Small] RSA NetWitness Platform Virtual Hosts

    Overview To ISO or Not to ISO VM Host Sizing Raw Event Data Storage Install Services Validate Folder Sizes - RSA NetWitness Platform Databases Validate Thresholds - MongoDB Minimu...
    Sean Griesheimer
    last modified by Sean Griesheimer
  • Using RSA NetWitness to Detect C&C: Covenant

    Introduction: Having recently moved into the IR team – where I now have to actually do stuff as opposed to just talking about stuff in technical sales – I have found that the best way to get up to speed wi...
    Chris Thomas
    created by Chris Thomas
  • Easy-add Recurring Feeds

    19DEC2019 Update (with props to Leonard Chvilicek for pointing out several issues with the original script): implemented more accurate Java version and path detection for the JDK variable; implemented 30 second timeo...
    Josh Randall
    last modified by Josh Randall
  • Contextualizing JA3 Fingerprints

    19DEC2019 Update: Modified the original ESA rule (ja3context.txt) with additional/better logic to match destination port numbers between the Endpoint and Network sessions. Additionally, I recommend disabling the "Aler...
    Josh Randall
    last modified by Josh Randall
  • Using RSA NetWitness to Detect C&C: ReverseTCP Shell

    In this blog post, I am going to cover a C&C framework called ReverseTCP Shell. This was recently posted to GitHub by ZHacker: GitHub - ZHacker13/ReverseTCPShell: PowerShell ReverseTCP Shell - Framework ...
    Lee Kirkpatrick
    created by Lee Kirkpatrick
  • Custom TCP Shell and Mobile Messaging Apps

    During a recent customer engagement, I found the "customtcp shell" meta with some very interesting sessions. All of the traffic was using what appeared to be custom encryption and the destination IP was based in...
    John Simmons
    last modified by John Simmons
  • APT Emulation Using CALDERA

    Over the past year, I have posted multiple blogs whereby I perform APT (Advanced Persistent Threat) emulation and analyse the forensic footprint left behind after the attack using the NetWitness platform. In this post...
    Lee Kirkpatrick
    created by Lee Kirkpatrick
  • Using RSA NetWitness to Detect C&C: WEASEL

    I was doing some hunting through our lab traffic today and came across some strange-looking traffic; it turned out to be Rui Ataide playing around with a new DNS C2. It is named WEASEL and can be found ...
    Lee Kirkpatrick
    created by Lee Kirkpatrick
  • Health & Wellness uses an old IP for connecting to a device - How to Resolve

    Health and Wellness leverages RabbitMQ to collect the current status of any component of the RSA NetWitness platform. After changing the IP of a component, Health and Wellness keeps communicating...
    Xavier Trepanier-Taupier
    last modified by Xavier Trepanier-Taupier
  • Amazon Detective and RSA NetWitness Platform Integration

    Amazon Detective is an Amazon Web Services (AWS) threat hunting platform (pre-release at the time of this writing) that offers a deep, cloud-native view of AWS resource data and history, optionally in the context of a...
    Mitch Hanks
    last modified by Mitch Hanks
  • Using RSA NetWitness to Detect Command and Control: PoshC2 v5.0

    Command and Control platforms are constantly evolving. In one of my previous blog posts, I detailed how to detect PoshC2 v3.8: Using RSA NetWitness to Detect Command and Control: PoshC2. Since then, Net...
    Lee Kirkpatrick
    created by Lee Kirkpatrick
  • Detecting a MuddyWater APT using the RSA NetWitness Platform

    MuddyWater: MuddyWater is a state-sponsored threat group suspected to be linked to Iran. It has mainly been targeting organizations in the Telecommunications, Government and Oil sectors across the Middle East region. ...
    Halim Abouzeid
    last modified by Halim Abouzeid
  • RSA NetWitness Packet Meta in ELK

    In line with some of my other integrations, I recently decided to also create a proof-of-concept solution for integrating RSA NetWitness metadata into an ELK stack. Given that I already had a couple of Py...
    Rui Ataide
    last modified by Rui Ataide