  • Purging unwanted data from the RSA NetWitness Platform

    Unfortunately, sensitive data sometimes finds its way where it is not wanted. It should not, but it happens. Perhaps your IT person decided connecting the high side network to the low side was a good idea. Mayb...
    William Hart
  • Custom File Blacklists in NWE 11.4.x and above

    Every SOC analyst should spend at least part of his/her day reading blog posts and white papers on attacker profiles and their tools and techniques. Attackers often repeat at least certain aspects of their act...
  • Zoom Meeting UNC Abuse and Detection with RSA NetWitness

    With the sudden surge in popularity of Zoom meetings, increased interest has been seen from white/grey/black hats in identifying potential vulnerabilities and weaknesses. One of the recent popular security weaknesses i...
    Halim Abouzeid
  • RSA IR - Recommendations for Users Working from Home

    1 Introduction: The efforts of people around the globe have suddenly forced many workers to stay at home. For a significant portion of these workers that also means working remotely ...
  • RSA IR - Best Practices for Organizations (A Starting Point)

    1 Introduction: The efforts of people around the globe have suddenly forced many workers to stay at home. For a significant portion of these workers that also means working remotely ...
  • Network Decoder Truncation Options

    The ability to capture network events while keeping only the header portion and truncating the payload has been available for quite some time. This has always been a great option when the lack of analytical value of t...
    William Hart
  • Work From Home - The Paradigm Shift in Cyber Defense

    Introduction: By now, you may have already started to work from home instead of your usual workplace, like many of your co-workers and peers. As the situation continues to evolve, there is a rapidly increasing trend fo...
    Choon Hian Koh
  • Profiling Attackers Series

    I have recently been posting a number of blogs regarding the usage of the RSA NetWitness Platform to detect attackers within your environment. As the list of blogs grows, it is becoming increasingly difficult to nav...
    Lee Kirkpatrick
  • Using RSA NetWitness to Detect HTTP Asynchronous Reverse Shell (HARS)

    I recently reviewed HTTP Asynchronous Reverse Shell (HARS) for The C2 Matrix, which should be posted soon! They also have a Google Docs spreadsheet here: C2Matrix - Google Sheets. I’ve been following t...
    Lee Kirkpatrick
  • Amazon Detective and RSA NetWitness Platform Integration

    UPDATE 31 Mar 2020: Amazon Detective has been made officially GA by AWS as of today! See the notes at the end of this post for links to the official documentation with more details on usage and implementati...
    Mitch Hanks
  • Custom Flat File Log Collection with NW-Endpoint 11.4

    The NetWitness 11.4 release included a number of features and enhancements for NetWitness Endpoint, one of which was the ability to collect flat file logs (https://community.rsa.com/docs/DOC-110149#Endpoint_Configurat...
    Josh Randall
  • RSA NetWitness Meta Dictionary Tool

    The RSA NetWitness Meta Dictionary is a tool developed for describing the metadata used in RSA NetWitness Log Parsers. The RSA NetWitness Log Decoder supports more than 300 unique log event sources. Each log event...
    Chaitra Kulkarni
  • Exchange Exploit Case Study – CVE-2020-0688

    Abstract: In this blog I describe a recent intrusion that started with the exploit of CVE-2020-0688. Microsoft released a patch for this vulnerability on 11 February 2020. In order for this exploit to work, ...
    Hermes Bojaxhi
  • What's updog?

    Updog is a replacement for Python's SimpleHTTPServer. It allows uploading and downloading via HTTP/S, can set ad hoc SSL certificates and use HTTP basic auth. It was created by sc0tfree and can be found on h...
    Lee Kirkpatrick
  • Road-mapping your Use Case Development

    Introduction: Security Operations Centres (SOCs) come in different forms (e.g. in-house, outsourced, hybrid) and sizes, depending on multiple factors such as the objectives and functions that the SOC is meant to serv...
    Choon Hian Koh
  • ManageEngine Desktop Central RCE

    A zero-day RCE (Remote Code Execution) exploit against ManageEngine Desktop Central was recently released by ϻг_ϻε (@steventseeley). The description of how this works in full and the code can be found on his...
    Lee Kirkpatrick
  • Throwback C2 Thursday

    This post is going to cover a slightly older C2 framework from Silent Break Security called Throwback C2. As per usual, we will cover the network and endpoint detections for this C2, but we will delve ...
    Lee Kirkpatrick
  • Query NetWitness from the Chrome Address Bar

    It is possible to add RSA NetWitness as a Search Engine in Chrome, which allows you to run queries directly from the address bar. The following are the steps to follow in your browser to set this up. ...
    Halim Abouzeid
  • RSA NetWitness Storage Retention Script

    Although the RSA NetWitness platform gives administrators visibility into system metrics through the Health & Wellness System Stats Browser, we currently do not have a method to see all storage / retention a...
    Naushad Kasu
  • Dell Technologies (RSA) Named a Leader in 2020 Gartner Magic Quadrant for SIEM

    We are excited to share that Dell Technologies (RSA) has been positioned as a “Leader” by Gartner in the 2020 Magic Quadrant for Security Information and Event Management research report for its RSA NetWit...