The following table lists the RSA Application Rules for NetWitness Endpoint.
| Display Name | File Name | Description |
|---|---|---|
| Accesses Administrative Share Using Command Shell | accesses_administrative_share_using_command_shell | Accessing administrative share using command shell can be an indicator of someone trying for lateral movement or privilege escalation by using hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. This rule is supported for Windows 8 and higher versions. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = accesses administrative share using command shell |
| Activates BITS Job | activates_bits_job | Background Intelligent Transfer Service (BITS) is a Windows component used to transfer files. It has commonly been used for malware distribution. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * ioc = activates bits job |
| Adds Files To BITS Download Job | adds_files_to_bits_download_job | Background Intelligent Transfer Service (BITS) is a Windows component used to transfer files. It has commonly been used for malware distribution. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * ioc = adds files to bits download job |
| Adds Firewall Rule | adds_firewall_rule | Adding firewall rule can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = adds firewall rule |
| Allocates Remote Memory | allocates_remote_memory | In Mac, a process not signed by Apple has allocated memory in another process. Most allocations will only occur within the same process and by processes signed by Apple. This generally indicates an attempt to inject code or data into another process, which may be a first step in reinforcing a malicious presence on a system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = allocates remote memory |
| Antivirus Disabled | antivirus_disabled | Disabling antivirus can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = antivirus disabled |
| Archiving Software Reads Multiple Documents | archiving_software_reads_multiple_documents | Multiple documents read could be an indication of someone creating a large archive. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = archiving software reads multiple documents |
| Autorun | autorun | Indicates applications or commands that are configured to run on system startup. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun |
| Autorun File Path Not Part Of RPM | autorun_file_path_not_part_of_rpm | Installation or updates of software on Linux systems is typically done through an RPM. Executables outside of this packing format could be considered suspicious. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun file path not part of rpm |
| Autorun Invalid Signature Windows Directory | autorun_invalid_signature_windows_directory | This rule will return any file with an invalid signature located in the following Windows directories: C:\\ProgramData, C:\\Users\\<user>\\AppData\\Roaming, C:\\Users\\<user>\\AppData\\Local, C:\\Windows VERSIONS SUPPORTED * NetWitness Platform 11.3 (Investigation Only) * NetWitness Platform 11.4 and higher (Full Support) DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun invalid signature windows directory |
| Autorun Key Contains Non-Printable Characters | autorun_key_contains_non-printable_characters | Autorun key containing non-printable characters an indication of someone trying to use startup configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * ioc = autorun key contains non-printable characters |
| Autorun RPM Mismatch | autorun_rpm_mismatch | A hash mismatch may indicate a file has been altered from its original state and call into question its integrity. Since RPMs typically contain compiled software this could mean an attacker is trying to disguise malicious malware as legitimate. |
| Autorun Unsigned Active Setup | autorun_unsigned_active_setup | Active Setup is a mechanism for executing commands once per user early during login and executed by explorer.exe. To ensure persistence across reboots and log-offs attackers use active setup which is even more suspicious when it is unsigned. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun unsigned active setup |
| Autorun Unsigned AppInit_DLLs | autorun_unsigned_appinit_dlls | Unsigned Autorun AppInit_DLLs can be an indiaction of attacker trying to abused registry key values for DLLs to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun unsigned appinit_dlls |
| Autorun Unsigned BHO | autorun_unsigned_bho | BHOs can be used to monitor user browsing habits and deliver targeted advertising as well as steal information. BHOs Unsigned and configured to run on system startup are used for persistence and are suspicious. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun unsigned bho |
| Autorun Unsigned BootExecute Registry Startup Method | autorun_unsigned_bootexecute_registry_startup_method | Unsigned Autorun BootExecute registry startup method an indication of someone trying to use startup configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun unsigned bootexecute registry startup method |
| Autorun Unsigned Explorer Registry Startup Method | autorun_unsigned_explorer_registry_startup_method | Unsigned Autorun explorer registry startup method an indication of someone trying to use startup configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun unsigned explorer registry startup method |
| Autorun Unsigned Hidden | autorun_unsigned_hidden | Adversaries can use this to their advantage to hide files and folders anywhere on the system for persistence and evasion. To ensure persistence across reboots attackers configure to run those on system startup which is even more suspicious when it is unsigned. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun unsigned hidden |
| Autorun Unsigned Hidden Only Executable In Directory | autorun_unsigned_hidden_only_executable_in_directory | This rule will return any unsigned executable file launched as an autorun which has the "Hidden" Windows Property. VERSIONS SUPPORTED * NetWitness Platform 11.3 (Investigation Only) * NetWitness Platform 11.4 and higher (Full Support) DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun unsigned hidden only executable in directory |
| Autorun Unsigned IE Toolbar | autorun_unsigned_ie_toolbar | Toolbar can be spyware or adware which can breach privacy and steal data through browsers. To ensure persistence across reboots attackers configure to run those on system startup which is even more suspicious when it is unsigned. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun unsigned ie toolbar |
| Autorun Unsigned In AppDataLocal Directory | autorun_unsigned_in_appdatalocal_directory | This rule looks for any registry logon autoruns (HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce and \\Run keys) that have actions pointing at files running out of AppData/Local/Temp on Windows systems. These locations are used often by malware authors to store malicious payloads, with autoruns in place to ensure persistence. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun unsigned in appdatalocal directory |
| Autorun Unsigned In AppDataRoaming Directory | autorun_unsigned_in_appdataroaming_directory | This rule looks for any registry logon autoruns (HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce and \\Run keys) that have actions pointing at files running out of AppData/Roaming on Windows systems. These locations are used often by malware authors to store malicious payloads, with autoruns in place to ensure persistence. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun unsigned in appdataroaming directory |
| Autorun Unsigned In ProgramData Directory | autorun_unsigned_in_programdata_directory | This rule looks for any registry logon autoruns (HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce and \\Run keys) that have actions pointing at files running out of ProgramData directory on Windows systems. These locations are used often by malware authors to store malicious payloads, with autoruns in place to ensure persistence. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun unsigned in programdata directory |
| Autorun Unsigned In Temp Directory | autorun_unsigned_in_temp_directory | This rule looks for any registry logon autoruns (HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce and \\Run keys) that have actions pointing at files running out of Temp directory on Windows systems. These locations are used often by malware authors to store malicious payloads, with autoruns in place to ensure persistence. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun unsigned in temp directory |
| Autorun Unsigned LogonType Registry Startup Method | autorun_unsigned_logontype_registry_startup_method | Unsigned Autorun LogonType registry startup method an indication of someone trying to use startup configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun unsigned logontype registry startup method |
| Autorun Unsigned LSA Provider | autorun_unsigned_lsa_provider | Windows Authentication Package (AP) DLLs are loaded by the Local Security Authority (LSA) process at system start. Attackers can introduce their own APs to control logon processes and security protocols to OS. To ensure persistence across reboots attackers configure to run those on system startup which is even more suspicious when it is unsigned. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun unsigned lsa provider |
| Autorun Unsigned ServiceDLL | autorun_unsigned_servicedll | To evade defense, DLLs can be run as a service. This technique is used by attackers to hide the malware. To ensure persistence across reboots attackers configure to run those on system startup which is even more suspicious when it is unsigned. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun unsigned servicedll |
| Autorun Unsigned Winlogon Helper DLL | autorun_unsigned_winlogon_helper_dll | This rule is looking for instance of modifications in Winlogon registry keys that may cause Winlogon to load and execute malicious unsigned DLLs. Adversaries may take advantage of this feature to load adversarial code at startup for persistence. VERSIONS SUPPORTED * NetWitness Platform 11.3 (Investigation Only) * NetWitness Platform 11.4 and higher (Full Support) DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = autorun unsigned winlogon helper dll |
| Autorun Unsigned Winsock LSP | autorun_unsigned_winsock_lsp | Winsock LSP is a DLL that is loaded when a process uses Winsock API, it allows us to inject our code between the user network calls and the Winsock API, thus allowing attacker to inspect, modify, or block those network calls. To ensure persistence across reboots attackers configure to run those on system startup which is even more suspicious when it is unsigned. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun unsigned winsock lsp |
| Bad Certificate Warning Disabled | bad_certificate_warning_disabled | Disabling bad certificate warning can be an indication of an adversary attempting to block indicators or event notifications, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = bad certificate warning disabled |
| Blacklisted File | blacklisted_file | An analyst may mark files as blacklisted within NetWitness Endpoint. If actions on an endpoint involve those blacklisted files as the source, then this rule will trigger. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = blacklisted file |
| Browser Runs Command Prompt | browser_runs_command_prompt | This will return any child processes of 'cmd.exe' that have been spawned by the the parent process of either, 'chrome.exe','iexplorer.exe','opera.exe' or 'firefox.exe'. VERSIONS SUPPORTED * NetWitness Platform 11.3 (Investigation Only) * NetWitness Platform 11.4 and higher (Full Support) DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = browser runs command prompt |
| Browser Runs Mshta | browser_runs_mshta | Mshta.exe executes Microsoft HTML Applications (HTA). Attackers can use mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. It is suspicious for a browser to run Mshta. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = browser runs mshta |
| Browser Runs Powershell | browser_runs_powershell | Browser running powershell can be an indication of someone trying to run web based malicious commands using browsers to compromise the system or the user, which can be further used to gain access, to do lateral movement or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = browser runs powershell |
| Builds Script Incrementally | builds_script_incrementally | Building script incrementally can be an indication of attacker trying to execute serias of commands using script, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to avoid triggering security tools. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = builds script incrementally |
| Clears Security Event Log | clears_security_event_log | Clearing security event log can be a strong indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = clears security event log |
| Clears System Event Log | clears_system_event_log | Clearing security system log can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = clears system event log |
| Combines Binaries Using Command Prompt | combines_binaries_using_command_prompt | Chaining binaries using command prompt can be an indication of someone trying to run multiple malicious commands needed to perform multi-stage attack to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = combines binaries using command prompt |
| Command Line Usage Of Archiving Software | command_line_usage_of_archiving_software | Use of the command line to create archive files demonstrates more advanced use of the tools and is atypical. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = command line usage of archiving software |
| Command Line Writes Script Files | command_line_writes_script_files | This rule will return any 'cmd.exe' or 'powershell.exe' that will write out any file with the extensions 'vbs', 'vbe', 'wsh', 'wsf', 'vb', 'cmd' or 'bat'. Scripts can be used for Defense Evasion as well as Execution by adversaries. VERSIONS SUPPORTED * NetWitness Platform 11.3 (Investigation Only) * NetWitness Platform 11.4 and higher (Full Support) DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = command line writes script files |
| Command Prompt Obfuscation | command_prompt_obfuscation | Command Prompt (cmd) in Windows can be used to perform a number of tasks including execution of other software. Adversaries can run obfuscated commands on cmd for execution to evade defense mechanisms. Obfuscated commands can evade signature based defenses. VERSIONS SUPPORTED * NetWitness Platform 11.3 (Investigation Only) * NetWitness Platform 11.4 and higher (Full Support) DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = command prompt obfuscation |
| Command Prompt Obfuscation Using Value Extraction | command_prompt_obfuscation_using_value_extraction | Command Prompt (cmd) in Windows can be used to perform a number of tasks including execution of other software. Adversaries can run obfuscated commands on cmd by extracting strings from environment variables for execution to evade defense mechanisms. Obfuscated commands can evade signature based defenses. VERSIONS SUPPORTED * NetWitness Platform 11.3 (Investigation Only) * NetWitness Platform 11.4 and higher (Full Support) DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = command prompt obfuscation using value extraction |
| Command Shell Copy Items | command_shell_copy_items | This will return any console event of 'cmd.exe' or 'powershell.exe' running a copy command. VERSIONS SUPPORTED * NetWitness Platform 11.3 (Investigation Only) * NetWitness Platform 11.4 and higher (Full Support) DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = command shell copy items |
| Command Shell Runs Rundll32 | command_shell_runs_rundll32 | This will return any instance of 'cmd.exe' or 'powershell.exe' launching the Windows OS processes of 'rundll32.exe' with no arguments VERSIONS SUPPORTED * NetWitness Platform 11.3 (Investigation Only) * NetWitness Platform 11.4 and higher (Full Support) DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * ioc = command shell runs rundll32 |
| Completes BITS Download Job | completes_bits_download_job | Background Intelligent Transfer Service (BITS) is a Windows component used to transfer files. It has commonly been used for malware distribution. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * ioc = completes bits download job |
| Configures Image Hijacking | configures_image_hijacking | Image File Execution Options (IFEO) enable a developer to attach a debugger to an application. Value of the debugger process can be abused to obtain persistence and privilege escalation by causing a malicious executable to be loaded and by continuous invocation. Malware may also use IFEO for Defense Evasion by registering invalid debuggers that redirect and effectively disable various system and security applications VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * ioc = configures image hijacking |
| Configures Port Redirection | configures_port_redirection | Configuring port redirection can be indication of adversaries can be using connection to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = configures port redirection |
| Copies Binary Over Administrative Share | copies_binary_over_administrative_share | Administrative shares once compromised could be used to distribute malware. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = copies binary over administrative share |
| Created In Last Month | created_in_last_month | Files created in the last month may be reviewed for malicious intent. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = created in last month |
| Creates Browser Extension | creates_browser_extension | Browser extensions or plugins are small programs that can add functionality and customize aspects of internet browsers. Malicious extensions once installed can browse to websites in the background, steal all information that a user enters into a browser and be used as an installer for a RAT for persistence. |
| Creates Domain User Account | creates_domain_user_account | Creating domain user account can be an indication of adversaries with a sufficient level of access creating a domain user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = creates domain user account |
| Creates Executable In Startup Directory | creates_executable_in_startup_directory | Creating executable in startup directory can an indication of someone trying to use startup configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = creates executable in startup directory |
| Creates Local Driver Service | creates_local_driver_service | Creating local driver service can be an indication of someone trying to maintain a persistent access on the system using driver services which can execute under SYSTEM privileges, modify the registry and create back VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = creates local driver service |
| Creates Local Service | creates_local_service | Creating local service can be an indication of someone trying to maintain a persistent presence on the system using local services which can modify the registry, escalate privileges and create backdoor. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = creates local service |
| Creates Local Task | creates_local_task | Creating local task can be an indication of someone trying to use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote execution as part of lateral movement, to gain SYSTEM privileges, or to run a process under the context of a specified account. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = creates local task |
| Creates Local User Account | creates_local_user_account | Creating local user account can be an indication of adversaries with a sufficient level of access creating a local user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = creates local user account |
| Creates Password-Protected Archive | creates_password-protected_archive | Password-protected archive files can be used to exfiltrate sensitive data since contents cannot be examined. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = creates password-protected archive |
| Creates Recursive Archive | creates_recursive_archive | Creating a recursive archive could be an attempt to exfiltrate many files at once. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = creates recursive archive |
| Creates Remote Process Using WMI Command-Line Tool | creates_remote_process_using_wmi_command-line_tool | Creating remote process using WMI command-line tool can be an indication of someone trying to use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for discovery and remote execution of files as part of Lateral Movement. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = creates remote process using wmi command-line tool |
| Creates Remote Service | creates_remote_service | Creating remote service can be an indication of someone trying to maintain a persistent presence on the system using remote services which can modify the registry, escalate privileges and create backdoor. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = creates remote service |
| Creates Remote Task | creates_remote_task | Creating remote task can be an indication of someone trying to use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote execution as part of lateral movement, to gain SYSTEM privileges, or to run a process under the context of a specified account. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = creates remote task |
| Creates Shadow Volume For Logical Drive | creates_shadow_volume_for_logical_drive | Creating shadow volume for logical drive can be indication of someone trying to dump credentials using shadow backup copies of systems to be able to Creates remote taskCreates remote taskgain a privileged foothold, allowing them unfettered access to elevate privileges and move about the network freely without detection. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = creates shadow volume for logical drive |
| Creates Suspicious Service Running Command Prompt | creates_suspicious_service_running_command_prompt | Creates suspicious service running command prompt can be an indication of someone trying to create and run malicious services to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = creates suspicious service running command prompt |
| Deletes Backup Catalog | deletes_backup_catalog | Deleting backup catalog can be an indication of someone is trying to remove files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = deletes backup catalog |
| Deletes Firewall Rule | deletes_firewall_rule | Deleting firewall rule can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = deletes firewall rule |
| Deletes Shadow Volume Copies | deletes_shadow_volume_copies | Deleting shadow volume copies can be an indication of someone is trying to removefiles over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = deletes shadow volume copies |
| Deletes USN Change Journal | deletes_usn_change_journal | Deleting USN change journal can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = deletes usn change journal |
| Disables Firewall | disables_firewall | Disabling firewall can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = disables firewall |
| Disables Security Service | disables_security_service | Disabling security service can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = disables security service |
| Disables Startup Repair | disables_startup_repair | Disabling startup repair can be an indication of someone is trying to remove files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = disables startup repair |
| Disables UAC | disables_uac | Event viewer executing uncommon binary can be an indication of possible Windows User Account Control (UAC) bypass. Attacker can use these techniques to elevate privileges to administrator if the target process is unprotected. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = disables uac |
| Disables UAC Remote Restrictions | disables_uac_remote_restrictions | Disabling UAC remote restrictions can be an attempt to bypass Windows User Account Control (UAC). Attacker can use these techniques to elevate privileges to administrator if the target process is unprotected. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = disables uac remote restrictions |
| Disables Windows Defender Using Powershell | disables_windows_defender_using_powershell | Disabling windows defender using powershell can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = disables windows defender using powershell |
| Downloads Binary Using Certutil | downloads_binary_using_certutil | Windows certificate managing utility program - CertUtil can install, backup, delete, manage, and perform various functions related to certificates and certificate stores in Windows. Downloading binary using certutil can be an indication of someone trying to download malicious code to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = downloads binary using certutil |
| Drops Credential Dumping Tools | drops_credential_dumping_tools | Dropping credential dumping tools can be indication of someone trying to bypass all credentials checks to be able to gain a privileged foothold, allowing them unfettered access to elevate privileges and move about the network freely without detection. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * ioc = drops credential dumping library |
| Dumps DNS Cache | dumps_dns_cache | Dumping DNS cache can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = dumps dns cache |
| Dyld Inserted | dyld_inserted | macOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search paths. Adversaries can take advantage of ambiguous paths to plant dylibs to gain privilege escalation or persistence. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = dyld inserted |
| Enables Cleartext Credential Storage | enables_cleartext_credential_storage | Enabling cleartext credential storage can be indication of someone trying to exploit these credentials to be able to gain a privileged foothold, allowing them unfettered access to elevate privileges and move about the network freely without detection. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = enables cleartext credential storage |
| Enables Login Bypass | enables_login_bypass | Accessibility features that may be launched with a key combination before a user has logged in . Enabling login bypass can be an indicator of someone trying to modify the way these programs are launched to maintain a persistent presence on the system which can escalate privileges and create backdoor without logging in to the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * ioc = enables login bypass |
| Enables RDP From Command-Line | enables_rdp_from_command-line | Enabling RDP from command-line can be indication of adversaries trying to connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries may also use RDP in conjunction with the Accessibility Features technique for Persistence or perform RDP session hijacking which involves stealing a legitimate user's remote session. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enables rdp from command-line |
| Enumerates ARP Table | enumerates_arp_table | Enumeration of ARP table can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = enumerates arp table |
| Enumerates Available Systems On Network | enumerates_available_systems_on_network | Enumeration of available systems on network can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = enumerates available systems on network |
| Enumerates Domain Account Policy | enumerates_domain_account_policy | Enumeration of domain account policy can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates domain account policy |
| Enumerates Domain Administrators | enumerates_domain_administrators | Enumeration of domain administrators can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates domain administrators |
| Enumerates Domain Computers | enumerates_domain_computers | Enumeration of domain computers can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates domain computers |
| Enumerates Domain Controllers | enumerates_domain_controllers | Enumeration of domain controllers can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates domain controllers |
| Enumerates Domain Groups | enumerates_domain_groups | Enumeration of domain groups can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates domain groups |
| Enumerates Domain Users | enumerates_domain_users | Enumeration of domain users can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates domain users |
| Enumerates Enterprise Administrators | enumerates_enterprise_administrators | Enumeration of enterprise administrators can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates enterprise administrators |
| Enumerates Exchange Domain Servers | enumerates_exchange_domain_servers | Enumeration of exchange domain servers can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates exchange domain servers |
| Enumerates Exchange Servers | enumerates_exchange_servers | Enumeration of exchange servers can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates exchange servers |
| Enumerates IP Configuration | enumerates_ip_configuration | Enumeration of IP configuration can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = enumerates ip configuration |
| Enumerates Local Account Policy | enumerates_local_account_policy | Enumeration of local account policy can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates local account policy |
| Enumerates Local Administrators | enumerates_local_administrators | Enumeration of local administrators can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates local administrators |
| Enumerates Local Administrators On Domain Controller | enumerates_local_administrators_on_domain_controller | Enumeration of local administrators on domain controller can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates local administrators on domain controller |
| Enumerates Local Groups | enumerates_local_groups | Enumeration of local groups can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates local groups |
| Enumerates Local Services | enumerates_local_services | Enumeration of local services can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = enumerates local services |
| Enumerates Local Users | enumerates_local_users | Enumeration of local users can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates local users |
| Enumerates Logical Disk | enumerates_logical_disk | Enumeration of logical disk can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates logical disk |
| Enumerates Mapped Resources | enumerates_mapped_resources | Enumeration of mapped resources can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = enumerates mapped resources |
| Enumerates Network Connections | enumerates_network_connections | Enumeration of network connections can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = enumerates network connections |
| Enumerates Primary Domain Controller | enumerates_primary_domain_controller | Enumeration of primary domain controller can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates primary domain controller |
| Enumerates Processes On Local System | enumerates_processes_on_local_system | Enumeration of processes on local system can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = enumerates processes on local system |
| Enumerates Processes On Remote System | enumerates_processes_on_remote_system | Enumeration of processes on local system can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates processes on remote system |
| Enumerates Remote Netbios Name Table | enumerates_remote_netbios_name_table | Enumeration of remote netbios name table can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates remote netbios name table |
| Enumerates Remote Resources | enumerates_remote_resources | Enumeration of remote resources can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates remote resources |
| Enumerates Route Table | enumerates_route_table | Enumeration of routing table can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = enumerates route table |
| Enumerates Services Hosted In Processes | enumerates_services_hosted_in_processes | Enumeration of services hosted in processes can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = enumerates services hosted in processes |
| Enumerates System Info | enumerates_system_info | Enumeration of system information can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates system info |
| Enumerates Trusted Domains | enumerates_trusted_domains | Enumeration of trusted domains can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates trusted domains |
| Evasive Powershell Used Over Network | evasive_powershell_used_over_network | This rule will trigger when PowerShell with evasive options will be detected through a network event. Automated tools like PowerShell Empire run evasive remote PowerShell commands through network. Adversaries can use such technique for execution while evading defenses. VERSIONS SUPPORTED * NetWitness Platform 11.3 (Investigation Only) * NetWitness Platform 11.4 and higher (Full Support) DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = evasive powershell used over network |
| Event Viewer Executes Uncommon Binary | event_viewer_executes_uncommon_binary | Event viewer executing uncommon binary can be an indication of possible Windows User Account Control (UAC) bypass. Attacker can use these techniques to elevate privileges to administrator if the target process is unprotected. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = event viewer executes uncommon binary |
| Executable In ADS | executable_in_ads | Leveraging Alternate Data Streams can be a way to mask a malicious file inside a data stream of another binary, which can then be executed by launching the file it is forked into |
| Explorer Public Folder DLL Load | explorer_public_folder_dll_load | This rule will return hits from 'explorer.exe' launching the Windows OS process 'rundll32.exe' that leverages the folders "Public\\Libraries" or 'ClassWindow' VERSIONS SUPPORTED * NetWitness Platform 11.3 (Investigation Only) * NetWitness Platform 11.4 and higher (Full Support) DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = explorer public folder dll load |
| Exports Sensitive Registry Hive | exports_sensitive_registry_hive | Exporting sensitive registry hive can be indication of someone trying to exploit these credentials and registry values to be able to gain a privileged foothold, allowing them unfettered access to elevate privileges and move about the network freely without detection. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = exports sensitive registry hive |
| Extracts Password-Protected Archive | extracts_password-protected_archive | Password-protected archive files can be used to secure sensitive data since contents cannot be examined. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = extracts password-protected archive |
| File Encrypted | file_encrypted | File is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = file encrypted |
| File Hidden | file_hidden | To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a hidden file. Adversaries can use this to their advantage to hide files and folders anywhere on the system for persistence and evading a typical user or system analysis that does not incorporate investigation of hidden files. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = file hidden |
| File Path Not Part Of RPM | file_path_not_part_of_rpm | Installation or updates of software on Linux systems is typically done through an RPM. Executables outside of this packing format could be considered suspicious. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = file path not part of rpm |
| File Path Not Part Of RPM In Important System Directory | file_path_not_part_of_rpm_in_important_system_directory | Installation or updates of software on Linux systems is typically done through an RPM. Executables outside of this packing format could be considered suspicious. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = file path not part of rpm in important system directory |
| File Vault Disabled | file_vault_disabled | FileVault full-disk encryption (FileVault 2) uses XTS-AES-128 encryption with a 256-bit key to help prevent unauthorized access to the information on your startup disk. Disabling this feature will decrypt the information on your startup disk. |
| Floating Module | floating_module | Detects a floating code module as a result of DLL injection. This may result in an attacker gaining access to internal resources, escalating privileges or disguising malicious behavior under a legitimate process. |
| Floating Module And Hooking | floating_module_and_hooking | Detects floating code as a result of hooking. The attacker masks malicious behavior under the process. |
| Floating Module In Browser Process | floating_module_in_browser_process | Detects a floating code module as a result of DLL injection. The attacker masks malicious behavior under the legitimate browser process. |
| Floating Module In OS Process | floating_module_in_os_process | Detects a floating code module as a result of DLL injection. The attacker masks malicious behavior under the legitimate OS process. |
| Gatekeeper Disabled | gatekeeper_disabled | Gatekeeper is a security feature of the Mac OS operating system. It enforces code signing and verifies downloaded applications before allowing them to run, thereby reducing the likelihood of inadvertently executing malware. |
| Gets Current User As SYSTEM | gets_current_user_as_system | Trying to find current user as SYSTEM can be an indication of someone trying to discover potential attack vectors in the system , and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = gets current user as system |
| Gets Current Username | gets_current_username | Trying to find current username information can be an indication of someone trying to discover potential attack vectors in the system , and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = gets current username |
| Gets Current Username And Group Information | gets_current_username_and_group_information | Trying to find current username and group information can be an indication of someone trying to discover potential attack vectors in the system , and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = gets current username and group information |
| Gets Hostname | gets_hostname | Enumeration of hostnames can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = gets hostname |
| Gets Remote Time | gets_remote_time | getting remote time can be an indication of someone trying to gather information that could be useful for performing other techniques, such as executing a file with a Scheduled Task, or to discover locality information based on time zone to assist in victim targeting. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = gets remote time |
| GINA Replacement | gina_replacement | GINA is the Graphical Identification and Authentication component of Windows and handles the logon screen that we're all familiar with. GINA DLL can be replaced with another DLL to intercept credentials. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = gina replacement |
| Graylisted File | graylisted_file | An analyst may mark files as graylisted within NetWitness Endpoint. If actions on an endpoint involve those graylisted files as the source, then this rule will trigger. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = graylisted file |
| Hidden And Hooking | hidden_and_hooking | Hooking may be used to intercept and execute code in response to events. If the file is hidden, this could indicate an attempt is being made to evade detection by an attacker. VERSIONS SUPPORTED * NetWitness Platform 11.3 (Investigation Only) * NetWitness Platform 11.4 and higher (Full Support) DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = hidden and hooking |
| Hidden In AppData | hidden_in_appdata | Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. |
| Hidden Plist And Autorun | hidden_plist_and_autorun | plist (Property List) is a flexible and convenient format for storing application data. Adversaries can modify these plist files to point to their own code, can use them to execute their code in the context of another user, bypass whitelisting procedures, or even use them as a persistence mechanism. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = hidden plist and autorun |
| Hidden Running As Root | hidden_running_as_root | A file is typically hidden to prevent users from accidentally changing them on a filesystem. A hidden file running with root privileges may indicate an attacker behavior to evade detection and install malware to maintain persistence. |
| Hooks Audio Output Function | hooks_audio_output_function | A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = hooks audio output function |
| Hooks Authentication Function | hooks_authentication_function | A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = hooks authentication function |
| Hooks Crypto Function | hooks_crypto_function | A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = hooks crypto function |
| Hooks DnsQuery Function | hooks_dnsquery_function | A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = hooks dnsquery function |
| Hooks GUI Function | hooks_gui_function | A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = hooks gui function |
| Hooks Network HTTP Function | hooks_network_http_function | A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = hooks network http function |
| Hooks Network IO Function | hooks_network_io_function | A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = hooks network io function |
| Hooks NtLdr Function | hooks_ntldr_function | A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = hooks ntldr function |
| Hooks Registry Access Function | hooks_registry_access_function | A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = hooks registry access function |
| Hooks Registry Enumeration Function | hooks_registry_enumeration_function | A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = hooks registry enumeration function |
| HTTP Daemon Runs Command Prompt | http_daemon_runs_command_prompt | HTTP daemon running command prompt can be an indication of web shell trying to run malicious commands which may may serve as Redundant Access or as a persistence mechanism in case an adversary's primary access methods are detected and removed. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = http daemon runs command prompt |
| HTTP Daemon Runs Powershell | http_daemon_runs_powershell | HTTP daemon running powershell can be an indication of web shell trying to run malicious commands which may may serve as Redundant Access or as a persistence mechanism in case an adversary's primary access methods are detected and removed. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = http daemon runs powershell |
| HTTP Daemon Runs Reconnaissance Tool | http_daemon_runs_reconnaissance_tool | HTTP daemon running reconnaissance tool can be an indication of web shell trying to run malicious commands which may may serve as Redundant Access or as a persistence mechanism in case an adversary's primary access methods are detected and removed. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = http daemon runs reconnaissance tool |
| HTTP Daemon Writes Executable | http_daemon_writes_executable | HTTP daemon running writing executable can be an indication of web shell trying to run malicious commands which may may serve as Redundant Access or as a persistence mechanism in case an adversary's primary access methods are detected and removed. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = http daemon writes executable |
| IE DEP Disabled | ie_dep_disabled | Disabling IE DEP can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = ie dep disabled |
| IE Enhanced Security Disabled | ie_enhanced_security_disabled | Disabling IE enhanced security can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = ie enhanced security disabled |
| In AppData Directory | in_appdata_directory | These locations are used often by malware authors to store malicious payloads, with autoruns in place to ensure persistence. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = in appdata directory |
| In Hidden Directory | in_hidden_directory | To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a hidden file. Adversaries can use this to their advantage to hide files and folders anywhere on the system for persistence and evading a typical user or system analysis that does not incorporate investigation of hidden files. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = in hidden directory |
| In Recycle Bin Directory | in_recycle_bin_directory | A file found in recycle bin directory may be suspicious. |
| In Root Of AppDataLocal Directory | in_root_of_appdatalocal_directory | These locations are used often by malware authors to store malicious payloads, with autoruns in place to ensure persistence. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = in root of appdatalocal directory |
| In Root Of AppDataRoaming Directory | in_root_of_appdataroaming_directory | These locations are used often by malware authors to store malicious payloads, with autoruns in place to ensure persistence. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = in root of appdataroaming directory |
| In Root Of Logical Drive | in_root_of_logical_drive | While the majority of programs are stored in folders on a system, it is uncommon to see a binary in the root of for example, "C:" directory. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file boc = in root of logical drive |
| In Root Of Program Directory | in_root_of_program_directory | These locations are used often by malware authors to store malicious payloads, with autoruns in place to ensure persistence. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = in root of program directory |
| In Root Of Users Directory | in_root_of_users_directory | These locations are used often by malware authors to store malicious payloads, with autoruns in place to ensure persistence. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file boc = in root of users directory |
| In System Volume Information Directory | in_system_volume_information_directory | VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = in system volume information directory |
| In Temporary Directory | in_temporary_directory | These locations are used often by malware authors to store malicious payloads, with autoruns in place to ensure persistence. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = in temporary directory |
| In Uncommon Directory | in_uncommon_directory | A file found in an uncommon directory may be suspicious. |
| Installs Root Certificate | installs_root_certificate | Installing root certificate on a compromised system can be an indication of an adversary trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = installs root certificate |
| Invalid Signature | invalid_signature | This indicates that code may have been altered or corrupted since it was signed. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = invalid signature |
| Kext Signature Validation Disabled | kext_signature_validation_disabled | Kext signature validation is a code signing requirement for all extensions and drivers located in the extensions folder. Disabling that feature may expose the system to unsigned rootkits or other malware. |
| Lateral Movement With Credentials Using Net Utility | lateral_movement_with_credentials_using_net_utility | This rule is looking for instance of 'net use' being leveraged with username and/or passwords being passed. This technique is leveraged when attackers gain access to a network and obtain credentials to use to laterally move from system to system. VERSIONS SUPPORTED * NetWitness Platform 11.3 (Investigation Only) * NetWitness Platform 11.4 and higher (Full Support) DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc =lateral movement with credentials using net utility |
| LD Preload | ld_preload | Environment variables can be used to dynamically load a library in a process which can be used to intercept API calls from the running process. |
| Library Preferences Directory | library_preferences_directory | "Adversaries can use list of specific applications to run when a user logs in. These login items are stored in the users ~/Library/Preferences/ directory in a plist file called com.apple.loginitems.plist VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = library preferences directory" |
| Lists Anti-Spyware Products | lists_anti-spyware_products | Listing anti-spyware products can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = lists anti-spyware products |
| Lists Antivirus Products | lists_antivirus_products | Listing antivirus products can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = lists antivirus products |
| Lists Firewall Products | lists_firewall_products | Listing firewall products can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = lists firewall products |
| Login Bypass Configured | login_bypass_configured | Accessibility features that may be launched with a key combination before a user has logged in . A login bypass can be an indicator of someone trying to modify the way these programs are launched to maintain a persistent presence on the system which can escalate privileges and create backdoor without logging in to the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = login bypass configured |
| LUA Disabled | lua_disabled | Windows User Account Controls (UAC) will not notify the user when programs try to make changes to the computer. UAC was formerly known as Limited User Account (LUA). This can be an attempt to bypass UAC. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = lua disabled |
| Mac Firewall Disabled | mac_firewall_disabled | Disabling firewall can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. |
| Malicious File By Reputation Service | malicious_file_by_reputation_service | Files reported as malicious by reputation service indicates execution of files and hashes of which are tagged as malicious. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * ioc = malicious file by reputation service |
| Maps Administrative Share | maps_administrative_share | Mapping administrative share can be an indicator of someone trying for lateral movement or privilege escalation by using hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions |
| Maps IPC$ Share | maps_ipc$_share | Mapping IPC$ share can be an indicator of someone trying for lateral movement or privilege escalation by using hidden IPC$ shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = maps ipc$ share |
| Misleading File Extension | misleading_file_extension | Misleading file extension can be an indication of someone pretending to be an authorized file extension in order to gain access or to gain greater privileges than authorized. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = misleading file extension |
| Modifies Registry Using Command-Line Registry Tool | modifies_registry_using_command-line_registry_tool | Modifying registry using command-line registry tool can be an indication of adversaries trying to interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in Persistence and Execution. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = modifies registry using command-line registry tool |
| Modifies Run Key | modifies_run_key | Modifying run key can be an indication of someone trying to use startup configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = modifies run key |
| Modifies Shell-Open-Command File Association | modifies_shell-open-command_file_association | File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access. Modifying shell-open-command file association can be an attempt to execute arbitrary commands in order to maintain persistence and remain undetected. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = modifies shell-open-command file association |
| Mshta Runs Command Prompt | mshta_runs_command_prompt | Mshta.exe executes Microsoft HTML Applications (HTA). Attackers can use mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. It is suspicious for Mshta to run a command prompt. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = mshta runs command prompt |
| Mshta Runs Powershell | mshta_runs_powershell | Mshta.exe executes Microsoft HTML Applications (HTA). Attackers can use mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. It is suspicious for Mshta to run powershell. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = mshta runs powershell |
| Mshta Runs Scripting Engine | mshta_runs_scripting_engine | Mshta.exe executes Microsoft HTML Applications (HTA). Attackers can use mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. It is suspicious for Mshta to execute a scripting engine. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = mshta runs scripting engine |
| Mshta Writes Executable | mshta_writes_executable | Mshta.exe executes Microsoft HTML Applications (HTA). Attackers can use mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. It is suspicious for Mshta to write an executable. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * ioc = mshta writes executable |
| Network Access | network_access | A process is trying to get network access. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = network access |
| No Antivirus Notification Disabled | no_antivirus_notification_disabled | Disabling no antivirus notification can be an indication of an adversary attempting to block indicators or event notifications, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = no antivirus notification disabled |
| No Firewall Notification Disabled | no_firewall_notification_disabled | Disabling no firewall notification can be an indication of an adversary attempting to block indicators or event notifications, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = no firewall notification disabled |
| No UAC Notification Disabled | no_uac_notification_disabled | Disabling no UAC notification can be an indication of an adversary attempting to block indicators or event notifications, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = no uac notification disabled |
| No Windows Update Notification Disabled | no_windows_update_notification_disabled | Disabling no Windows update notification can be an indication of an adversary attempting to block indicators or event notifications, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = no windows update notification disabled |
| Non-Microsoft Modifies Bad Certificate Warning Setting | non-microsoft_modifies_bad_certificate_warning_setting | Non-Microsoft modifing bad certificate warning setting can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = non-microsoft modifies bad certificate warning setting |
| Non-Microsoft Modifies Firewall Policy | non-microsoft_modifies_firewall_policy | Non-Microsoft modifing firewall policy can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = non-microsoft modifies firewall policy |
| Non-Microsoft Modifies Internet Zone Setting | non-microsoft_modifies_internet_zone_setting | Adding firewall rule can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = non-microsoft modifies internet zone setting |
| Non-Microsoft Modifies LUA Setting | non-microsoft_modifies_lua_setting | Non-Microsoft modifing LUA setting can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = non-microsoft modifies lua setting |
| Non-Microsoft Modifies Registry Editor Setting | non-microsoft_modifies_registry_editor_setting | Non-Microsoft modifing registry editor setting can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = non-microsoft modifies registry editor setting |
| Non-Microsoft Modifies Security Center Config | non-microsoft_modifies_security_center_config | Non-Microsoft modifing security center config can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = non-microsoft modifies security center config |
| Non-Microsoft Modifies Services ImagePath | non-microsoft_modifies_services_imagepath | Non-Microsoft modifing services ImagePath can be an indication of someone trying to modify an existing service to persist malware on a system by using system utilities or by using custom tools to interact with the Windows API VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = non-microsoft modifies services imagepath |
| Non-Microsoft Modifies Task Manager Setting | non-microsoft_modifies_task_manager_setting | Non-Microsoft modifing task manager setting can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = non-microsoft modifies task manager setting |
| Non-Microsoft Modifies Windows System Policy | non-microsoft_modifies_windows_system_policy | Non-Microsoft modifieing windows system policy can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = non-microsoft modifies windows system policy |
| Non-Microsoft Modifies Zone Crossing Warning Setting | non-microsoft_modifies_zone_crossing_warning_setting | Non-Microsoft modifing zone crossing warning setting can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = non-microsoft modifies zone crossing warning setting |
| Office Application Crashed | office_application_crashed | Microsoft Office application crashes can happen fairly frequently, but this may be interesting in combination with other indicators involving those applications. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = office application crashed |
| Office Application Injects Remote Process | office_application_injects_remote_process | A Microsoft Office application injecting a remote process may indicate a spearphishing attachment with a malicious payload. Process injection may enable an attacker to gain access to system resources or elevate privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = office application injects remote process |
| Office Application Runs BITS | office_application_runs_bits | A Microsoft Office application running Background Intelligent Transfer Service (BITS) may indicate a spearphishing attachment with a malicious payload. BITS may be used to exfiltrate data outside the environment. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = office application runs bits |
| Office Application Runs Command Prompt | office_application_runs_command_prompt | A Microsoft Office application running the command prompt may indicate a spearphishing attachment with a malicious payload has been executed. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = office application runs command prompt |
| Office Application Runs Powershell | office_application_runs_powershell | A Microsoft Office application running powershell may indicate a spearphishing attachment with a malicious payload has been executed. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = office application runs powershell |
| Office Application Runs Scripted FTP | office_application_runs_scripted_ftp | A Microsoft Office application running scripted FTP may indicate a spearphishing attachment with a malicious payload. FTP may be used to exfiltrate data outside the environment. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = office application runs scripted ftp |
| Office Application Runs Scripting Engine | office_application_runs_scripting_engine | A Microsoft Office application running a scripting engine may indicate a spearphishing attachment with a malicious payload has been executed. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = office application runs scripting engine |
| Office Application Runs Task Scheduler | office_application_runs_task_scheduler | A Microsoft Office application running a job or scheduling a task may indicate a spearphishing attachment with a malicious payload. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = office application runs task scheduler |
| Office Application Runs WMI Scripting Engine | office_application_runs_wmi_scripting_engine | A Microsoft Office application running Windows Management Instrumentation (WMI) may indicate a spearphishing attachment with a malicious payload. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = office application runs wmi scripting engine |
| Office Application Writes Executable | office_application_writes_executable | A Microsoft Office application writing an executable may indicate a spearphishing attachment with a malicious payload. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = office application writes executable |
| Opens Browser Process | opens_browser_process | When a file not digitally signed by apple opens broswer process it might indicate adversary effort for process injection into browser. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = opens browser process |
| Opens OS Process | opens_os_process | This may indicate Process injection which is a method of executing arbitrary code in the address space of a separate live process. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = opens os process |
| Opens Process | opens_process | This may indicate Process injection which is a method of executing arbitrary code in the address space of a separate live process. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = opens process |
| OS Process Runs Command Shell | os_process_runs_command_shell | This rule will return any filtered Windows OS process launching either 'cmd.exe' or 'powershell.exe'. VERSIONS SUPPORTED * NetWitness Platform 11.3 (Investigation Only) * NetWitness Platform 11.4 and higher (Full Support) DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = os process runs command shell |
| Outbound from Unsigned AppData Directory | outbound_from_unsigned_appdata_directory | This rule will return any unsigned filtered file name which has the source of a Windows "AppData" directory that establishes an outbound network connection. VERSIONS SUPPORTED * NetWitness Platform 11.3 (Investigation Only) * NetWitness Platform 11.4 and higher (Full Support) DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = outbound from unsigned appdata directory |
| Outbound from Unsigned Temporary Directory | outbound_from_unsigned_temporary_directory | This rule will return any unsigned filtered file name which has the source of a Windows "Temp" directory that establishes an outbound network connection. VERSIONS SUPPORTED * NetWitness Platform 11.3 (Investigation Only) * NetWitness Platform 11.4 and higher (Full Support) DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = outbound from unsigned temporary directory |
| Outbound from Windows Directory | outbound_from_windows_directory | This rule will return any unsigned filtered file name which has the source of the Windows root directory that establishes an outbound network connection. VERSIONS SUPPORTED * NetWitness Platform 11.3 (Investigation Only) * NetWitness Platform 11.4 and higher (Full Support) DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = outbound from windows directory |
| Packed | packed | Malware may use packing applications to repackage itself frequently to evade threat detection solutions based on static signatures. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = packed |
| Packed And Autorun | packed_and_autorun | Adversaries use Software packing to compress or encrypt an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. To ensure persistence across reboots attackers configure to run those on system startup. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = packed and autorun |
| Packed And Network Access | packed_and_network_access | Adversaries use software packing to compress or encrypt an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. This file is trying to gain access to the network. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = packed and network access |
| Performs Scripted File Transfer | performs_scripted_file_transfer | Scripts may be used to transfer files over FTP during the course of an attack or for executing command and control instructions. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = performs scripted file transfer |
| Possible Login Bypass | possible_login_bypass | Accessibility features that may be launched with a key combination before a user has logged in . Possible login bypass can be an indicator of someone trying to modify the way these programs are launched to maintain a persistent presence on the system which can escalate privileges and create backdoor without logging in to the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * ioc = possible login bypass |
| Possible Mimikatz Activity | possible_mimikatz_activity | Mimikatz has become an extremely effective attack tool against Windows clients. Mimikatz activity can be a strong indication of someone trying to dump credentials locally or remotely using powershell Mimikatz tool to be able to gain a privileged foothold, allowing them unfettered access to elevate privileges and move about the network freely without detection. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * ioc = possible mimikatz activity |
| Possible RDP Session Hijacking | possible_rdp_session_hijacking | Possible RDP session hijacking can be indication of adversaries trying to connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries may also use RDP in conjunction with the Accessibility Features technique for Persistence or perform RDP session hijacking which involves stealing a legitimate user's remote session. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * ioc = possible rdp session hijacking |
| Possibly Configures UAC Bypass | possibly_configures_uac_bypass | Configuring UAC can be an indication of possible Windows User Account Control (UAC) bypass. Attacker can use these techniques to elevate privileges to administrator if the target process is unprotected. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = possibly configures uac bypass |
| Possibly Renamed net.exe Detected | possibly_renamed_net.exe_detected | Presence of renamed net.exe can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = possibly renamed net.exe detected |
| Potential Outlook Exploit | potential_outlook_exploit | This rule looks for potential Outlook exploits that would leverage 'outlook.exe' launching any suspicious 'cmd.exe','powershell.exe','wscript.exe' or 'cscript.exe' VERSIONS SUPPORTED * NetWitness Platform 11.3 (Investigation Only) * NetWitness Platform 11.4 and higher (Full Support) DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = potential outlook exploit |
| PowerShell Command Using String Manipulation | powershell_command_using_string_manipulation | String manipulation can be used to obfuscate PowerShell commands to escape detection. These obfuscated commands can be further used to gain access, to do lateral movement or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = powershell command using string manipulation |
| PowerShell Double Base64 | powershell_double_base64 | This rule will return the double Base64 encoding scheme leveraged in a lot of PowerShell attacks to evade detection. VERSIONS SUPPORTED * NetWitness Platform 11.4 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = powershell double base64 |
| Powershell Injects Remote Process | powershell_injects_remote_process | Powershell injecting remote process can be an indication of someone trying to create and run malicious processes remotely, which can be further used to gain access, to do lateral movement or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = powershell injects remote process |
| Powershell Opens LSASS Process | powershell_opens_lsass_process | Powershell running LSASS process can be an indication of someone trying to dump credentials locally or remotely, which can be further used to gain access, to do lateral movement or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = powershell opens lsass process |
| Powershell Runs Command Prompt | powershell_runs_command_prompt | Powershell running command prompt can be an indication of someone trying to run malicious commands using to compromise the system or the user, which can be further used to gain access, to do lateral movement or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = powershell runs command prompt |
| Powershell Runs Scripting Engine | powershell_runs_scripting_engine | Powershell running scripting engine can be an indication of someone trying to run malicious scripts to compromise the system or the user, which can be further used to gain access, to do lateral movement or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = powershell runs scripting engine |
| Process Authorized In Firewall | process_authorized_in_firewall | Firewall allows process access based on details about the process and access control policy in use. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = process authorized in firewall |
| Process Redirects to STDOUT or STDERR | process_redirects_to_stdout_or_stderr | This will return any process event that contains the launch arguments '2>&1' which will redirect STDOUT and STDERR. VERSIONS SUPPORTED * NetWitness Platform 11.3 (Investigation Only) * NetWitness Platform 11.4 and higher (Full Support) DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = process redirects to stdout or stderr |
| Psexesvc Runs Powershell | psexesvc_runs_powershell | Psexesvc running powershell can be an indication of someone trying to execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. These techniques can also be used to maintain persistence or for privilege escalation. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = psexesvc runs powershell |
| Psexesvc Runs Scripting Engine | psexesvc_runs_scripting_engine | Psexesvc running scripting engine can be an indication of someone trying to execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. These techniques can also be used to maintain persistence or for privilege escalation VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = psexesvc runs scripting engine |
| Psexesvc Runs Shell Commands | psexesvc_runs_shell_commands | Psexesvc running shell commands can be an indication of someone trying to execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. These techniques can also be used to maintain persistence or for privilege escalation VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = psexesvc runs shell commands |
| Queries Cached Kerberos Tickets | queries_cached_kerberos_tickets | Querying cached kerberos tickets can be attempt to obtain account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = queries cached kerberos tickets |
| Queries Processes On Local System | queries_processes_on_local_system | Processing queries on local system can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = queries processes on local system |
| Queries Processes On Remote System | queries_processes_on_remote_system | Processing queries on remote system can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = queries processes on remote system |
| Queries Registry Using Command-Line Registry Tool | queries_registry_using_command-line_registry_tool | Querying registry using command-line registry tool can be an indication of adversaries trying to interact with the Windows Registry to gather information about the system, configuration, and installed software. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = queries registry using command-line registry tool |
| Queries Terminal Sessions | queries_terminal_sessions | Querying terminal sessions can be an indication of someone trying to discover potential attack vectors in the system , and the same can be used for further exploitation of the system VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = queries terminal sessions |
| Queries Users Logged On Local System | queries_users_logged_on_local_system | Querying users logged on local system can be an indication of someone trying to discover potential attack vectors in the system , and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = queries users logged on local system |
| Queries Users Logged On Remote System | queries_users_logged_on_remote_system | Querying users logged on remote system can be an indication of someone trying to discover potential attack vectors in the system , and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = queries users logged on remote system |
| RDP Launching Loopback Address | rdp_launching_loopback_address | This rule detects an attempt to setup RDP over an SSH tunnel. A compromised system could be using localhost to forward an RDP session to itself for use by an attacker. VERSIONS SUPPORTED * NetWitness Platform 11.3 (Investigation Only) * NetWitness Platform 11.4 and higher (Full Support) DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = rdp launching loopback address |
| Record Screen Captures Using PSR Tool | record_screen_captures_using_psr_tool | Recording screen captures using PSR tool can be an indicator of an adversaries attempting to take screen captures of the desktop to gather information over the course of an operation. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = record screen captures using psr tool |
| Registers Shim Database | registers_shim_database | Microsoft Windows Application Compatibility Toolkit (ACT) enables shims to be used to provide backwards compatibility for older versions of Windows or legacy applications. Malicious actors may use shims to gain persistence or elevate privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = registers shim database |
| Registry Tools Disabled | registry_tools_disabled | An administrative user has disabled access to the registry editor. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = registry tools disabled |
| Regsvr32 Creates Windows Task | regsvr32_creates_windows_task | Regsvr32.exe is a command-line program used to register and unregister object linking such as dynamic link libraries (DLLs), on Windows systems. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. Regsvr32 creating a windows task could allow an attacker to gain control of the system by running malicious code. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = regsvr32 creates windows task |
| Regsvr32 Runs Powershell | regsvr32_runs_powershell | Regsvr32.exe is a command-line program used to register and unregister object linking such as dynamic link libraries (DLLs), on Windows systems. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = regsvr32 runs powershell |
| Regsvr32 Runs Rundll32 | regsvr32_runs_rundll32 | Regsvr32.exe is a command-line program used to register and unregister object linking such as dynamic link libraries (DLLs), on Windows systems. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. This rule detects unusual behavior in the form of registration and run of a DLL in the same command. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = regsvr32 runs rundll32 |
| Regsvr32 Writes Executable | regsvr32_writes_executable | Regsvr32.exe is a command-line program used to register and unregister object linking such as dynamic link libraries (DLLs), on Windows systems. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. Regsvr32 writing an executable could indicate delivery of a backdoor to the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = regsvr32 writes executable |
| Remote Directory Traversal | remote_directory_traversal | Adversary can enumerate remote share directory and files. This can be used for reconnaissance, discovery and collection. VERSIONS SUPPORTED * NetWitness Platform 11.3 (Investigation Only) * NetWitness Platform 11.4 and higher (Full Support) DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = remote directory traversal |
| RPM Hash Mismatch | rpm_hash_mismatch | A hash mismatch may indicate a file has been altered from its original state and call into question its integrity. Since RPMs typically contain compiled software this could mean an attacker is trying to disguise malicious malware as legitimate. |
| RPM Hash Mismatch In Important System Directory | rpm_hash_mismatch_in_important_system_directory | A hash mismatch may indicate a file has been altered from its original state and call into question its integrity. Since RPMs typically contain compiled software this could mean an attacker is trying to disguise malicious malware as legitimate. |
| RPM Ownership Changed | rpm_ownership_changed | This rule will trigger for any changes in ownership of executable linked to RPM installations. Adversaries can use changed permissions for evading defenses implemented by access controls. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = rpm ownership changed |
| RPM Permissions Changed | rpm_permissions_changed | This rule will trigger for any changes in permissions of executable linked to RPM installations. Adversaries can use changed permissions for evading defenses implemented by access controls. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = rpm permissions changed |
| Rundll32 Creates Windows Task | rundll32_creates_windows_task | Rundll32 program can be called to execute an arbitrary binary. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = rundll32 creates windows task |
| Rundll32 Runs Powershell | rundll32_runs_powershell | Rundll32 program can be called to execute an arbitrary binary. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = rundll32 runs powershell |
| Runs ACL Management Tool | runs_acl_management_tool | Running ACL management tool can be an indication of someone trying to run multiple malicious commands needed to perform multi-stage attack to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = runs acl management tool |
| Runs Active Directory Service Query Tool | runs_active_directory_service_query_tool | Running active directory service query can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = runs active directory service query tool |
| Runs Binary Located In Recycle Bin Directory | runs_binary_located_in_recycle_bin_directory | A technique has been used by malware authors where a malicious file or process is invoked and running out of the $RECYCLE.BIN folder on Windows systems. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = runs binary located in recycle bin directory |
| Runs Binary Located In Root Of Logical Drive | runs_binary_located_in_root_of_logical_drive | While the majority of programs are stored in folders on a system, it is uncommon to see a binary in the root of "C:" directory. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file boc = runs binary located in root of logical drive |
| Runs Binary Located In Root Of Program Directory | runs_binary_located_in_root_of_program_directory | With the ProgramData being hidden in Windows by default, the main use of this folder is for application data that is not user specific, meaning that it applies to "All Users". If malware was to be placed here, it would run on any user that would log into the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file boc = runs binary located in root of program directory |
| Runs Binary Located In Root Of Users Directory | runs_binary_located_in_root_of_users_directory | While the majority of programs are stored in folders on a system, it is uncommon to see a binary in the root of a users home directory and is sometimes used by malware. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file boc = runs binary located in root of users directory |
| Runs Binary Located In System Volume Information Directory | runs_binary_located_in_system_volume_information_directory | VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = runs binary located in system volume information directory |
| Runs Blacklisted File | runs_blacklisted_file | An analyst may mark files as blacklisted within NetWitness Endpoint. If actions on an endpoint involve those blacklisted files as the destination process, then this rule will trigger. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = runs blacklisted file |
| Runs Certutil With Decode Arguments | runs_certutil_with_decode_arguments | Windows certificate managing utility program - CertUtil can install, backup, delete, manage, and perform various functions related to certificates and certificate stores in Windows. Running certutil with decode argument can be an indication of someone trying to obfuscate malicious commands to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to avoid triggering security tools VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = runs certutil with decode arguments |
| Runs Certutil With Encode Arguments | runs_certutil_with_encode_arguments | Windows certificate managing utility program - CertUtil can install, backup, delete, manage, and perform various functions related to certificates and certificate stores in Windows. Running certutil with encode argument can be an indication of someone trying to obfuscate malicious commands to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to avoid triggering security tools. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = runs certutil with encode arguments |
| Runs Certutil With Hashfile Arguments | runs_certutil_with_hashfile_arguments | Windows certificate managing utility program - CertUtil can install, backup, delete, manage, and perform various functions related to certificates and certificate stores in Windows. Running certutil with hashfile argument can be an indication of someone trying to obfuscate malicious files to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to avoid triggering security tools. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = runs certutil with hashfile arguments |
| Runs Chained Command Shell | runs_chained_command_shell | Running chained command shell can be an indication of someone trying to run multiple malicious commands needed to perform multi-stage attack to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = runs chained command shell |
| Runs Chmod | runs_chmod | Chmod is used to modify file and directory permissions. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = runs chmod |
| Runs Credential Dumping Tools | runs_credential_dumping_tools | Running credential dumping tools can be indication of someone trying to bypass all credentials checks to be able to gain a privileged foothold, allowing them unfettered access to elevate privileges and move about the network freely without detection. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = loads credential dumping library |
| Runs Curl | runs_curl | Curl is used in command lines or scripts to transfer data via URLs. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = runs curl |
| Runs Ditto | runs_ditto | Ditto copies files and directories from the Mac terminal. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = runs ditto |
| Runs DNS Lookup Tool | runs_dns_lookup_tool | Running nslookup.exe can be used to get information about the Domain Name System (DNS) being used by the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file boc = runs dns lookup tool |
| Runs File Attributes Modification Tool | runs_file_attributes_modification_tool | Running file attributes modification tool can be an indication of adversaries trying use this to their advantage to hide files and folders anywhere on the system for persistence and evading a typical user or system analysis that does not incorporate investigation of hidden files. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = runs file attributes modification tool |
| Runs File Transfer Tool | runs_file_transfer_tool | Running a file transfer program can be an indication of an adversary potentially performing data exfiltration to an off site location VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = runs file transfer tool |
| Runs forfiles.exe | runs_forfiles.exe | Runnnig forfiles.exe can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = runs forfiles.exe |
| Runs Graylisted File | runs_graylisted_file | An analyst may mark files as graylisted within NetWitness Endpoint. If actions on an endpoint involve those graylisted files as the destination process, then this rule will trigger. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = runs graylisted file |
| Runs Ifconfig | runs_ifconfig | The ifconfig utility is used to assign an address to a network interface or configure network interface parameters. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = runs ifconfig |
| Runs Kextload | runs_kextload | The kextload program is used to load kernel extensions (kexts). For most kexts, kextload must run as the superuser. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = runs kextload |
| Runs Kextstat | runs_kextstat | Display status of loaded kernel extensions (kexts). VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = runs kextstat |
| Runs Launchctl | runs_launchctl | Launchctl is used to control services. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = runs launchctl |
| Runs Malicious File By Reputation Service | runs_malicious_file_by_reputation_service | Files reported as malicious by reputation service indicates execution of files and hashes of which are tagged as malicious. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * ioc = runs malicious file by reputation service |
| Runs Mshta With HTTP Argument | runs_mshta_with_http_argument | Mshta.exe executes Microsoft HTML Applications (HTA). Attackers can use mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. It is suspicious for Mshta to run with an HTTP argument. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = runs mshta with http argument |
| Runs Mshta With Script Argument | runs_mshta_with_script_argument | Mshta.exe executes Microsoft HTML Applications (HTA). Attackers can use mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. It is suspicious for Mshta to run with a script argument. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = runs mshta with script argument |
| Runs Msiexec with HTTP Argument | runs_msiexec_with_http_argument | Windows Installer msiexec, with HTTP can be used to download and install or modify malicious applications through command line. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = runs msiexec with http argument |
| Runs Netstat | runs_netstat | Netstat is a network utility tool that can be used to discover network topology, statistics and performance information. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = runs netstat |
| Runs Network Configuration Tool | runs_network_configuration_tool | Netsh.exe is a command-line utility that will allow someone to display or change the network configuration of local or remote computer VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file boc = runs network configuration tool |
| Runs Network Connectivity Tool | runs_network_connectivity_tool | Running network connectivity tool can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = runs network connectivity tool |
| Runs One Letter Executable | runs_one_letter_executable | A single letter file can be a potential indicator of malware or an attacker tool. When an attacker has remote access to a machine, they want to limit the amount of typing needed and will at times name a script or program to a single letter to allow quicker access. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = runs one letter executable |
| Runs One Letter Script | runs_one_letter_script | A single letter file can be a potential indicator of malware or an attacker tool. When an attacker has remote access to a machine, they want to limit the amount of typing needed and will at times name a script or program to a single letter to allow quicker access. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = runs one letter script |
| Runs Ping | runs_ping | Ping is used to see if a host is reachable on a network. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = runs ping |
| Runs Powershell | runs_powershell | Common cyber criminals and targeted attackers heavily use PowerShell, as its flexibility makes it an ideal attack tool for windows based systems. Running powershell can be an indication of someone trying to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = runs powershell |
| Runs Powershell Bypassing Execution Policy | runs_powershell_bypassing_execution_policy | Running powershell bypassing execution policy will ignore the execution policy restrictions to run commands to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = runs powershell bypassing execution policy |
| Runs Powershell Decoding Base64 String | runs_powershell_decoding_base64_string | Running powershell decoding base64 string can be an indication of someone trying to obfuscate malicious commands to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = runs powershell decoding base64 string |
| Runs Powershell Defining Function | runs_powershell_defining_function | Running powershell defining functions can be an indication of someone trying to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = runs powershell defining function |
| Runs Powershell Downloading Content | runs_powershell_downloading_content | Attackers mainly use PowerShell as a downloader on windows based systems. Running powershell downloading content can be an indication of someone trying to download malicious payloads from internet to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = runs powershell downloading content |
| Runs Powershell Invoke-Mimikatz Function | runs_powershell_invoke-mimikatz_function | Mimikatz has become an extremely effective attack tool against Windows clients. Running powershell Invoke-Mimikatz function is an indication of someone trying to use Mimikatz to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * ioc = runs powershell invoke-mimikatz function |
| Runs Powershell Memory Stream Function | runs_powershell_memory_stream_function | Running powershell memory stream function can be an indication of someone trying to execute malicious I/O commands to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = runs powershell memory stream function |
| Runs Powershell ShellExecute Function | runs_powershell_shellexecute_function | Running powershell ShellExecute function can be an indication of someone trying to execute malicious shell code to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = runs powershell shellexecute function |
| Runs Powershell Using Encoded Command | runs_powershell_using_encoded_command | Running powershell using encoded command can be an indication of someone trying to obfuscate malicious commands to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = runs powershell using encoded command |
| Runs Powershell Using Environment Variables | runs_powershell_using_environment_variables | Running powershell using environment variables can be an indication of someone trying to run malicious commands with particular variables like path to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = runs powershell using environment variables |
| Runs Powershell With Hidden Window | runs_powershell_with_hidden_window | Running powershell with hidden window can be an indication of someone trying to run malicious commands in stealth mode so that powershell window is not visible to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = runs powershell with hidden window |
| Runs Powershell With HTTP Argument | runs_powershell_with_http_argument | Running powershell with HTTP argument can be an indication of someone trying to connect and render malicious commands/downloaders from internet, which can be further used to gain access, to do lateral movement or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = runs powershell with http argument |
| Runs Powershell With Long Arguments | runs_powershell_with_long_arguments | Running powershell with long arguments can be an indication of someone trying to run malicious powershell commands, which can be further used to gain access, to do lateral movement or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = runs powershell with long arguments |
| Runs Ps | runs_ps | Can be used to access process status information. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = runs ps |
| Runs PSEXEC On Remote System And Silently Accepts User License | runs_psexec_on_remote_system_and_silently_accepts_user_license | Running PSEXEC on remote system and silently accepting user license can be an indication of someone trying to execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. These techniques can also be used to maintain persistence or for privilege escalation VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = runs psexec on remote system and silently accepts user license |
| Runs PSEXEC On Remote System As SYSTEM User | runs_psexec_on_remote_system_as_system_user | Running PSEXEC on remote system as SYSTEM user can be an indication of someone trying to execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. These techniques can also be used to maintain persistence or for privilege escalation VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = runs psexec on remote system as system user |
| Runs Registry Tool | runs_registry_tool | Running the registry tool can be an indication of malware changing settings, adding persistence or lowering security of a system VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file boc = runs registry tool |
| Runs Regsvr32 COM Scriplets | runs_regsvr32_com_scriplets | Regsvr32.exe is a command-line program used to register and unregister object linking such as dynamic link libraries (DLLs), on Windows systems. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = runs regsvr32 com scriplets |
| Runs Regsvr32 Using One Letter DLL | runs_regsvr32_using_one_letter_dll | Regsvr32.exe is a command-line program used to register and unregister object linking such as dynamic link libraries (DLLs), on Windows systems. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. One letter DLLs are atypical and could be a signature of an attacker. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = runs regsvr32 using one letter dll |
| Runs Regsvr32 With HTTP Argument | runs_regsvr32_with_http_argument | Regsvr32.exe is a command-line program used to register and unregister object linking such as dynamic link libraries (DLLs), on Windows systems. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. Regsvr32 communicating over HTTP could indicate command and control behavior. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = runs regsvr32 with http argument |
| Runs Regsvr32 Without Arguments | runs_regsvr32_without_arguments | Regsvr32.exe is a command-line program used to register and unregister object linking such as dynamic link libraries (DLLs), on Windows systems. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = runs regsvr32 without arguments |
| Runs Remote Execution Tool | runs_remote_execution_tool | Running remote execution tool can be an indication of someone trying to execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. These techniques can also be used to maintain persistence or for privilege escalation VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = runs remote execution tool |
| Runs Remote Powershell Command | runs_remote_powershell_command | Running remote powershell command can be an indication of someone trying to run malicious powershell commands remotely, which can be further used to gain access, to do lateral movement or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = runs remote powershell command |
| Runs robocopy.exe | runs_robocopy.exe | Running robocopy.exe can be indication of an adversary trying to use automated techniques for collecting internal data. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = runs robocopy.exe |
| Runs Rundll32 Using One Letter DLL | runs_rundll32_using_one_letter_dll | Rundll32 program can be called to execute an arbitrary binary. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. One letter DLLs are atypical and could be a signature of an attacker. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = runs rundll32 using one letter dll |
| Runs Rundll32 With HTTP Argument | runs_rundll32_with_http_argument | Rundll32 program can be called to execute an arbitrary binary. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = runs rundll32 with http argument |
| Runs Rundll32 With Javascript Argument | runs_rundll32_with_javascript_argument | Rundll32 program can be called to execute an arbitrary binary. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = runs rundll32 with javascript argument |
| Runs Rundll32 Without Arguments | runs_rundll32_without_arguments | Rundll32 program can be called to execute an arbitrary binary. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = runs rundll32 without arguments |
| Runs Scripting Engine | runs_scripting_engine | Running scripting engine can be an indication of someone trying to run malicious commands to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = runs scripting engine |
| Runs Scripting Engine In Batch Mode Using Execution Engine Argument | runs_scripting_engine_in_batch_mode_using_execution_engine_argument | Running scripting engine in batch mode using execution engine argument can be an indication of someone trying to run malicious commands in command-line environment to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = runs scripting engine in batch mode using execution engine argument |
| Runs Service Control Tool | runs_service_control_tool | Running the SC tool will allow the creation, deletion, query of a Windows service from the command-line VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file boc = runs service control tool |
| Runs Sh | runs_sh | Utility used to run shell scripts VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = runs sh |
| Runs Shim Database Installer | runs_shim_database_installer | Microsoft Windows Application Compatibility Toolkit (ACT) enables shims to be used to provide backwards compatibility for older versions of Windows or legacy applications. Malicious actors may use shims to gain persistence or elevate privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = runs shim database installer |
| Runs Suspicious File By Reputation Service | runs_suspicious_file_by_reputation_service | Files reported as suspicious by reputation service indicates execution of files and hashes of which are tagged as suspicious. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * ioc = runs suspicious file by reputation service |
| Runs Tar | runs_tar | Indicates a tar archive is being created. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = runs tar |
| Runs Tasks Management Tool | runs_tasks_management_tool | Running at.exe or schtask.exe allows a script, program or command to be executed at a specific date and time. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file boc = runs tasks management tool |
| Runs Unzip | runs_unzip | An archive file is being extracted with unzip tool. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = runs unzip |
| Runs waitfor.exe | runs_waitfor.exe | Running waitfor.exe can be indication of someone trying to compromise the integrity of the security solution by adding unexpected dealys, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = runs waitfor.exe |
| Runs WMI Command-Line Tool | runs_wmi_command-line_tool | WMIC.exe provides command-line interface that interacts with WMI (Windows Management Instrumentation) VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = runs wmi command-line tool |
| Runs WMI Scripting Engine | runs_wmi_scripting_engine | Windows Management Instrumentation (WMI) is used to access management information in an enterprise environment for both local and remote systems. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file boc = runs wmi scripting engine |
| Runs xcopy.exe | runs_xcopy.exe | Running xcopy.exe can be indication of an adversary trying to use automated techniques for collecting internal data. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = runs xcopy.exe |
| Safari Fraud Website Warning Disabled | safari_fraud_website_warning_disabled | Safari warns you if the site you're visiting is a suspected phishing website. Disabling this setting may put your personal information at risk as you would lose visibility into sites masquerading as legitimate ones. |
| Scripting Addition In Process | scripting_addition_in_process | A scripting addition is a code library, loaded by the AppleScript scripting component instance, that implements vocabulary extending the AppleScript language. On Mac OS X the supplied osaxen live in /System/Library/ScriptingAdditions; the user may add osaxen to /Library/ScriptingAdditions or to ~/Library/ScriptingAdditions, according to the domain of their desired availability. |
| Scripting Engine Injects Remote Process | scripting_engine_injects_remote_process | Scripting engine injecting remote process can be an indication of someone trying to create and run malicious processes to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = scripting engine injects remote process |
| Scripting Engine Runs Powershell | scripting_engine_runs_powershell | Common cyber criminals and targeted attackers heavily use PowerShell, as its flexibility makes it an ideal attack tool for windows based systems. Scripting engine Running powershell can be an indication of someone trying to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = scripting engine runs powershell |
| Scripting Engine Runs Regsvr32 | scripting_engine_runs_regsvr32 | Regsvr32.exe is a command-line program used to register and unregister object linking such as dynamic link libraries (DLLs), on Windows systems. Scripting engine runs regsvr32 can be an indication of someone trying to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = scripting engine runs regsvr32 |
| Scripting Engine Runs Rundll32 | scripting_engine_runs_rundll32 | Scripting engine running rundll32 process can be an indication of someone trying to run malicious DLLs and placing its libraries in the memory to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = scripting engine runs rundll32 |
| Self Signed | self_signed | A self-signed certificate is one signed with its own private key. This is atypical since a digital signature generally would be received from a certificate authority (CA). VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = self signed |
| Services In ProgramData Directory | services_in_programdata_directory | Services running out of a hidden directory indicates defense measures to hide malicious execution. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = services in programdata directory |
| Services Runs Command Shell | services_runs_command_shell | Services running command shell can be an indication of someone trying to create and run malicious processes to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = services runs command shell |
| Smartscreen Filter Disabled | smartscreen_filter_disabled | Disabling smartscreen filter can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = smartscreen filter disabled |
| Starts Local Service | starts_local_service | Starting local service can be an indication of someone trying to create and run malicious services to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = starts local service |
| Starts RDP Service | starts_rdp_service | Starting RDP service can be indication of adversaries trying to connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries may also use RDP in conjunction with the Accessibility Features technique for Persistence or perform RDP session hijacking which involves stealing a legitimate user's remote session. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = starts rdp service |
| Starts Remote Service | starts_remote_service | Starting remote service can be an indication of someone trying to execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = starts remote service |
| Stops Error Reporting Service | stops_error_reporting_service | Stopping error reporting service can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = stops error reporting service |
| Stops Security Service | stops_security_service | Stopping security service can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = stops security service |
| Stops Windows Update Service | stops_windows_update_service | Stopping windows update service can be a indication of someone trying to compromise the integrity of the security solution by not updating latest security updates and letting system vulnerable, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = stops windows update service |
| Sudo No Password Prompt | sudo_no_password_prompt | The sudo user allows you to run programs with the security privileges of another user or, if no username is specified, as the superuser with root privileges. Adversaries can take advantage of this configuration to execute commands as other users or spawn processes with higher privileges. You must have elevated privileges to edit this file. |
| Suspicious File By Reputation Service | suspicious_file_by_reputation_service | Files reported as suspicious by reputation service indicates execution of files and hashes of which are tagged as suspicious. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * ioc = suspicious file by reputation service |
| Suspicious REGSVR32.EXE Task | suspicious_regsvr32.exe_task | Regsvr32.exe is a command-line program used to register and unregister object linking such as dynamic link libraries (DLLs), on Windows systems. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = suspicious regsvr32.exe task |
| System Integrity Protection Disabled | system_integrity_protection_disabled | The feature for System Integrity Protection introduced in Mac OS 10.11 is intended to prevent malware from modifying protected system locations.Some low-level utilities may only function if they have unrestricted access to the file system and could be a legitimate reason for disabling the feature. However, even power users would generally have no reason to disable this setting and it would be considered a very suspicious behavior. |
| System Restore Disabled | system_restore_disabled | Disabling system restore can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = system restore disabled |
| Task Manager Disabled | task_manager_disabled | Task Manager provides information about processes running on your system and their memory use. Disabling task manager may prevent a user from seeing anomalous processes. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = task manager disabled |
| Tasks In ProgramData Directory | tasks_in_programdata_directory | Tasks running out of a hidden directory indicates defense measures to hide malicious execution. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = tasks in programdata directory |
| Terminates Process | terminates_process | Terminating process can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = terminates process |
| Transfers File Using BITS | transfers_file_using_bits | Background Intelligent Transfer Service (BITS) is a Windows component used to transfer files. It has commonly been used for malware distribution. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * ioc = transfers file using bits |
| UAC Disabled | uac_disabled | Disabling UAC can be an indication of possible Windows User Account Control (UAC) bypass. Attacker can use these techniques to elevate privileges to administrator if the target process is unprotected. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = uac disabled |
| Unexpected csrss.exe Parent | unexpected_csrss.exe_parent | Presence of unexpected csrss.exe can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = unexpected csrss.exe parent |
| Unexpected Explorer.exe Destination Location | unexpected_explorer.exe_destination_location | Explorer.exe at unexpected location can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain greater privileges than they are authorized for. |
| Unexpected explorer.exe Parent | unexpected_explorer.exe_parent | Presence of unexpected explorer.exe can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = unexpected explorer.exe parent |
| Unexpected Explorer.exe Source Location | unexpected_explorer.exe_source_location | Explorer.exe at unexpected location can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain greater privileges than they are authorized for. |
| Unexpected lsass.exe Parent | unexpected_lsass.exe_parent | Presence of unexpected lsass.exe can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = unexpected lsass.exe parent |
| Unexpected lsm.exe Parent | unexpected_lsm.exe_parent | Presence of unexpected lsm.exe can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = unexpected lsm.exe parent |
| Unexpected msdtc.exe Parent | unexpected_msdtc.exe_parent | Presence of unexpected msdtc.exe can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = unexpected msdtc.exe parent |
| Unexpected OS Process Destination Location | unexpected_os_process_destination_location | An OS process at unexpected location can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain greater privileges than they are authorized for. |
| Unexpected OS Process Source Location | unexpected_os_process_source_location | An OS process at unexpected location can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain greater privileges than they are authorized for. |
| Unexpected runtimebroker.exe Parent | unexpected_runtimebroker.exe_parent | Presence of unexpected runtimebroker.exe can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = unexpected runtimebroker.exe parent |
| Unexpected services.exe Parent | unexpected_services.exe_parent | Presence of unexpected services.exe can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = unexpected services.exe parent |
| Unexpected smss.exe Parent | unexpected_smss.exe_parent | Presence of unexpected smss.exe can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = unexpected smss.exe parent |
| Unexpected Svchost Arguments | unexpected_svchost_arguments | Presence of unexpected svchost arguments can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = unexpected svchost arguments |
| Unexpected svchost.exe Parent | unexpected_svchost.exe_parent | Presence of unexpected svchost.exe can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = unexpected svchost.exe parent |
| Unexpected taskhostw.exe Parent | unexpected_taskhostw.exe_parent | Presence of unexpected taskhostw.exe can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = unexpected taskhostw.exe parent |
| Unexpected wininit.exe Parent | unexpected_wininit.exe_parent | Presence of unexpected wininit.exe can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = unexpected wininit.exe parent |
| Unexpected winlogon.exe Parent | unexpected_winlogon.exe_parent | Presence of unexpected winlogon.exe can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = unexpected winlogon.exe parent |
| Unknown Segment | unknown_segment | Unknown segment within a file that should be examined for malicious injection. |
| Unsigned Copies Self | unsigned_copies_self | A file copies itself as detected by checksum. A worm may self-replicate and spread infection. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = unsigned copies self |
| Unsigned Creates Remote Thread | unsigned_creates_remote_thread | A file that is unsigned or with an invalid signature is trying to create a remote thread into a process. Without the digital validation, this file should not be trusted without analysis. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file boc = unsigned creates remote thread |
| Unsigned Creates Remote Thread And File Hidden | unsigned_creates_remote_thread_and_file_hidden | This rule will return any unsigned and hidden files that leverage the Windows API "CreateRemoteThread" functionality. VERSIONS SUPPORTED * NetWitness Platform 11.3 (Investigation Only) * NetWitness Platform 11.4 and higher (Full Support) DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = unsigned creates remote thread and file hidden |
| Unsigned Cron Job | unsigned_cron_job | The software utility cron is used to schedule jobs (commands or scripts) to run periodically. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = unsigned cron job |
| Unsigned Deletes Self | unsigned_deletes_self | A file deletes itself as detected by checksum. Malware may be attempting to hide its spread through the network. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = unsigned deletes self |
| Unsigned Kext | unsigned_kext | Kext signature validation is a code signing requirement for all extensions and drivers located in the extensions folder. A file that is unsigned should be examined as possible malware. |
| Unsigned Library In Suspicious Daemon | unsigned_library_in_suspicious_daemon | This rule will trigger for OS MAC if an unsigned library is found associated with a suspicious daemon. Adversaries can inject libraries to be run in background processes like daemon for persistence and evasion. VERSIONS SUPPORTED * NetWitness Platform 11.4 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = unsigned library in suspicious daemon |
| Unsigned Module In Signed Process | unsigned_module_in_signed_process | All threads spawned from a signed process should also be signed. An unsigned module may indicate process injection. Malware commonly utilizes process injection to access system resources through which persistence and other environment modifications can be made. |
| Unsigned Opens LSASS | unsigned_opens_lsass | This rule will return any unsigned filename which opens/accesses the Windows OS process 'lsass.exe'. This type of activity can be indicitivate of credential stealers. VERSIONS SUPPORTED * NetWitness Platform 11.3 (Investigation Only) * NetWitness Platform 11.4 and higher (Full Support) DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = unsigned opens lsass |
| Unsigned Reserved Name | unsigned_reserved_name | VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * ioc = unsigned reserved name |
| Unsigned Runs Python | unsigned_runs_python | An unsigned process is running a python script. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = unsigned runs python |
| Unsigned Writes Executable | unsigned_writes_executable | A file that is unsigned or with an invalid signature is trying to write an executable. Without the digital validation, this file should not be trusted without analysis. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = unsigned writes executable |
| Unsigned Writes Executable To AppDataLocal Directory | unsigned_writes_executable_to_appdatalocal_directory | A file that is unsigned or with an invalid signature is trying to write an executable. Without the digital validation, this file should not be trusted without analysis. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file boc = unsigned writes executable to appdatalocal directory |
| Unsigned Writes Executable To AppDataRoaming Directory | unsigned_writes_executable_to_appdataroaming_directory | A file that is unsigned or with an invalid signature is trying to write an executable. Without the digital validation, this file should not be trusted without analysis. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file boc = unsigned writes executable to appdataroaming directory |
| Unsigned Writes Executable To Library Application Support Directory | unsigned_writes_executable_to_library_application_support_directory | A file that is unsigned or with an invalid signature is trying to write an executable. Without the digital validation, this file should not be trusted without analysis. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = unsigned writes executable to library application support directory |
| Unsigned Writes Executable To Library Directory | unsigned_writes_executable_to_library_directory | A file that is unsigned or with an invalid signature is trying to write an executable. Without the digital validation, this file should not be trusted without analysis. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = unsigned writes executable to library directory |
| Unsigned Writes Executable To Library Preferences Directory | unsigned_writes_executable_to_library_preferences_directory | A file that is unsigned or with an invalid signature is trying to write an executable. Without the digital validation, this file should not be trusted without analysis. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = unsigned writes executable to library preferences directory |
| Unsigned Writes Executable To Scripting Additions Directory | unsigned_writes_executable_to_scripting_additions_directory | A file that is unsigned or with an invalid signature is trying to write an executable. Without the digital validation, this file should not be trusted without analysis. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = unsigned writes executable to scripting additions directory |
| Unsigned Writes Executable To System Directory | unsigned_writes_executable_to_system_directory | A file that is unsigned or with an invalid signature is trying to write an executable. Without the digital validation, this file should not be trusted without analysis. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = unsigned writes executable to system directory |
| Unsigned Writes Executable To Var Directory | unsigned_writes_executable_to_var_directory | A file that is unsigned or with an invalid signature is trying to write an executable. Without the digital validation, this file should not be trusted without analysis. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = unsigned writes executable to var directory |
| Unsigned Writes Executable To Windows Directory | unsigned_writes_executable_to_windows_directory | A file that is unsigned or with an invalid signature is trying to write an executable. Without the digital validation, this file should not be trusted without analysis. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file boc = unsigned writes executable to windows directory |
| Unsigned Writes To Autorun | unsigned_writes_to_autorun | An unsigned process is writing to autorun. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = unsigned writes to autorun |
| Uses LibNSS | uses_libnss | Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = uses libnss |
| Uses LibPCAP | uses_libpcap | LibPCAP may be used by an attacker to intercept network traffic. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = uses libpcap |
| Uses Mach Injection | uses_mach_injection | Mach_inject is a C library that enables you to inject code into an arbitrary process on Mac OS X. Injection means copying over the necessary code into the target's address space and remotely creating a new thread to execute the code. |
| Uses Mach Override | uses_mach_override | Mach_override is a C library to override one C function with another on Mac OS X. |
| Warning On Post Redirect Disabled | warning_on_post_redirect_disabled | Disabling warning on post redirect can be an indication of an adversary attempting to block indicators or event notifications, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = warning on post redirect disabled |
| Windows Firewall Disabled | windows_firewall_disabled | Disabling firewall can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. |
| Windows Task Runs Powershell | windows_task_runs_powershell | Windows task running powershell can be an indication of someone trying to use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote execution as part of lateral movement, to gain SYSTEM privileges, or to run a process under the context of a specified account. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = windows task runs powershell |
| Windows Update Disabled | windows_update_disabled | Disabling windows update can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = windows update disabled |
| WMIC Remote Node Activity | wmic_remote_node_activity | This rule returns instance of the Windows OS process 'wmic.exe' being leveraged with the '/node' parameter. With the proper credentials leveraged an attacker can get information about a system VERSIONS SUPPORTED * NetWitness Platform 11.3 (Investigation Only) * NetWitness Platform 11.4 and higher (Full Support) DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = wmic remote node activity |
| Wmiprvse Runs Command Shell | wmiprvse_runs_command_shell | Windows Management Instrumentation (WMI) is a component of the Microsoft Windows operating system that provides management information and control in an enterprise environment. Wmiprvse running command shell can be an indication of someone trying to run malicious commands in cmd.exe to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = wmiprvse runs command shell |
| Wmiprvse Runs Powershell | wmiprvse_runs_powershell | Common cyber criminals and targeted attackers heavily use PowerShell, as its flexibility makes it an ideal attack tool for windows based systems. Wmiprvse running powershell can be an indication of someone trying to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = wmiprvse runs powershell |
| Wmiprvse Runs Scripting Engine | wmiprvse_runs_scripting_engine | Windows Management Instrumentation (WMI) is a component of the Microsoft Windows operating system that provides management information and control in an enterprise environment. Wmiprvse running scripting engine can be an indication of someone trying to run malicious scripts to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = wmiprvse runs scripting engine |
| Writes Blacklisted File | writes_blacklisted_file | An analyst may mark files as blacklisted within NetWitness Endpoint. If actions on an endpoint involve those blacklisted files being written, then this rule will trigger. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = writes blacklisted file |
| Writes Executable To Recycle Bin Directory | writes_executable_to_recycle_bin_directory | A technique has been used by malware authors where a malicious file or process is invoked and running out of the $RECYCLE.BIN folder on Windows systems. Adversaries can use this to their advantage to hide files and folders anywhere on the system for persistence and evading a typical user or system analysis that does not incorporate investigation of hidden files. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = writes executable to recycle bin directory |
| Writes Executable To Root Of Logical Drive | writes_executable_to_root_of_logical_drive | A file that is unsigned or with an invalid signature is trying to write an executable. Without the digital validation, this file should not be trusted without analysis. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file boc = writes executable to root of logical drive |
| Writes Executable To Root Of Program Directory | writes_executable_to_root_of_program_directory | A file that is unsigned or with an invalid signature is trying to write an executable. Without the digital validation, this file should not be trusted without analysis. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file boc = writes executable to root of program directory |
| Writes Executable To Root Of Users Directory | writes_executable_to_root_of_users_directory | A file that is unsigned or with an invalid signature is trying to write an executable. Without the digital validation, this file should not be trusted without analysis. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file boc = writes executable to root of users directory |
| Writes Executable To System Volume Information Directory | writes_executable_to_system_volume_information_directory | VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = writes executable to system volume information directory |
| Writes Graylisted File | writes_graylisted_file | An analyst may mark files as graylisted within NetWitness Endpoint. If actions on an endpoint involve those graylisted files being written, then this rule will trigger. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = writes graylisted file |
| Writes Malicious File By Reputation Service | writes_malicious_file_by_reputation_service | Files reported as malicious by reputation service indicates execution of files and hashes of which are tagged as malicious. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * ioc = writes malicious file by reputation service |
| Writes Suspicious File By Reputation Service | writes_suspicious_file_by_reputation_service | Files reported as suspicious by reputation service indicates execution of files and hashes of which are tagged as suspicious. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * ioc = writes suspicious file by reputation service |
You are here
Table of Contents > RSA Application Rules for Endpoint