RSA NetWitness Endpoint Hunting

Document created by Craig Hansen (Employee) on Feb 4, 2016. Last modified by Elizabeth Maloney on May 1, 2017.
Version 12

Register Now

In order to register for a class, you need to first create an EMC account.
If you need further assistance, contact us.


This on-demand learning presents adaptive techniques for security teams proactively seeking to detect, understand, and disrupt coordinated intrusions with RSA NetWitness Endpoint.



This self-paced on-demand learning presents techniques prescribed by security analysts for employing RSA NetWitness Endpoint to locate sophisticated targeted attacks. Finding known malware and obviously malicious behavior is easy with this tool’s Instant Indicators of Compromise, but sophisticated intrusions can be far more challenging. Indicators of specific exploits and threats, such as common keylogging techniques, are detailed.




Audience

Security analysts using RSA NetWitness Endpoint to locate suspicious files, processes, and activity on an organization’s endpoint computers.


Delivery Type

On-Demand Learning



Duration

2 hours


Prerequisite Knowledge/Skills

Students should have completed the RSA NetWitness Endpoint Fundamentals eLearning prior to viewing this course. At least six months of real-world security analysis experience with NetWitness Endpoint is recommended.


Learning Objectives

Upon successful completion of this course, participants should be able to:

  • Request a scan and interpret the results
  • Perform file analysis without alerting adversaries
  • Evaluate threats based on frequency of file occurrence
  • Customize an Instant Indicator of Compromise
  • Create a custom Yara rule to adapt hunting techniques to the latest findings
  • Use behavior filters to identify new threats
  • Review key Instant Indicators of Compromise
  • Obtain and analyze the MFT file from an endpoint system
  • Perform Direct Database Queries


Course Outline

  1. Overview
    • Why Hunt?
    • NetWitness Endpoint Architecture
    • Endpoint Threat Detection
    • Daily Analyst Responsibilities
  2. Functionality
    • Instant Indicators of Compromise
    • Understanding Key IIOCs
      1. Hidden Modules and Floating Code
      2. Reserved Locations and EXE Execution
      3. Unsigned Modules and Other Characteristics
    • Scans
    • Yara Pattern Matching
  3. The Cyber Kill Chain
    • Timeline of Typical Attack
    • Detecting Entrenchment
    • Detecting Lateral Movement
    • Detecting Data Exfiltration
  4. File Analysis
    • Downloading a Module from Endpoint
    • A Secure File Analysis Environment
    • File Analysis Within NetWitness Endpoint
    • Other Analysis Options
  5. Hunting Techniques
    • Hunting with IIOCs
      1. Webshells Example
      2. Scan Data Example
    • Custom IIOC Creation
    • Hunting with Global Modules Window
    • Custom Yara Rule Creation
  6. Forensics
    • NTFS Timestamps
    • MFT Analysis
      1. Obtaining the Endpoint MFT
    • Global File Retrieval
  7. Specialized Hunting Techniques
    • Direct NetWitness Endpoint Database Queries
