RSA Application Rules

Document created by RSA Information Design and Development on Oct 28, 2016. Last modified by RSA Information Design and Development on Oct 22, 2018.
Version 148

The following table lists all of the delivered RSA Application Rules.

Note: For content that has been discontinued, see Discontinued Content.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    
Display NameFile NameDescriptionMediumTags
Archive Extension Mismatchnw20080creates meta when a rar or zip file is detected without a rar or zip file extensionpacketevent analysis, file analysis, operations
Archive From IP Addressnw20085archive directly from an ip address with no corresponding alias.host meta. Often indicative of a second stage tool download after a foothold has been established.packetattack phase, delivery, threat
Attachment Overloadnw00005Rule looks for more than 4 attachments in a single session.packetevent analysis, file analysis, operations
Bozok RAT Acquisitionnw90001Detects web traffic from an internal IP address to the following URL: http://ss-rat.blogspot.com.log, packetmalware, remote access trojans, threat
BYOD Mobile Web Agent Detectednw110125Detects use of a web browsing agent for a mobile device. The following is the list of strings looked for within the "client" meta key to indicate mobile browsing: "iPad", "iPhone", "iPod", "Android", "BlackBerry", "Mobile", "Opera Mobi", "Opera Mini", "Symbian", "GoBrowser", "Minimo", "Netfront", "Skyfire", "SEMC-Browser".log, packetassurance, compliance, corporate
Cerber Ransomwarenw22350Detects a set of pay-site hosts for Cerber ransomware that correlate to embedded configuration files for the malware's set up of bitcoin wallets for each victim. This rule matches when the 'alias.host' (packet) or 'fqdn' (web logs) begins with one of the identified pay-sites.

Reference these RSA Link blog posts from RSA Research for more details about this threat:
https://community.rsa.com/community/products/netwitness/blog/2016/09/27/the-evolution-of-cerber
https://community.rsa.com/community/products/netwitness/blog/2016/11/04/the-evolution-of-cerber-v410

Dependencies:
- (Packet) HTTP_lua parser
- (Logs) At least one web log event source - September 2016 or later release. Prior to 10.6.2, the Envision Config File from Live for the FQDN meta key configuration.

Meta Keys:
- Risk Warning = cerber ransomware
- Indicators of Compromise = cerber ransomware
log, packetfeatured, crimeware, malware, threat
Cisco ASA Software IKEv1 and IKEv2 Buffer Overflownw125025Customers who deploy either Cisco IPS or SourceFire Defense Center may benefit from this log-based Application Rule written to detect indicators to CVE-2016-1287: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow.

SourceFire signature IDs utilized to detect this vulnerability are '1:36903' and '1:37674' while Cisco IPS signature IDs are 7169-0 and 7169-1.
logattack phase, exploit, threat
Cmstar Malwarenw22310Detects malicious traffic between command and control server and custom downloader cmstart variants. Either the HTTP_lua or HTTP native parser is required.

Reference this RSA Link blog post from RSA Research for more details about this threat:
https://community.rsa.com/community/products/netwitness/blog/2015/09/30/detecting-cmstar-variants-using-security-analytics
packetmalware, threat, remote access trojans
CryptoShield Ransomwarenw22380CryptoShield ransomware is being distributed through sites that have been compromised so that when a visitor goes to the site, they will encounter the attack chain. Once the ransomware is executed on the victim's computer, it will generate a unique ID for the victim and an encryption key. This rule detects the upload of this key to the command and control server.

DEPENDENCIES
Lua Parsers:
* HTTP_lua
* Form_Data_lua
* traffic_flow
Feeds:
* NetWitness

GENERATED META KEYS
* ioc = cryptoshield ransomware
* inv.category = threat
* inv.context = malware, crimeware
packetcrimeware, malware, threat
Cybergate RAT Downloadnw110145Detects an internal network session download of the CyberGate RAT.A network parser that supports population of meta keys of "action" and "filename" is required.Examples of such network parsers are HTTP, FTP, IRC and NFS.packetmalware, remote access trojans, threat
Daserf Malwarenw22315Detects malicious inbound and outbound traffic between backdoor/malware Daserf variants and command and control server domain over HTTP. The HTTP_lua parser is a required dependency.

Reference this RSA Link blog post from RSA Research for more details about this threat: https://community.rsa.com/community/products/netwitness/blog/2015/09/28/detecting-daserf-variants-using-security-analytics
packetmalware, threat, remote access trojans
DNS Hostnames Resolving Non-Routable IPnw30010DNS names that resolve to non-routable IP address. Often used on parked domains.packetevent analysis, operations, protocol analysis
DNS Over Non-Standard Portnw60005DNS traffic over ports other than udp 53packetevent analysis, operations, protocol analysis
Dreambot Malwarenw22375The Dreambot is a banking trojan spreading via exploit kits and spam e-mails with tor communication and peer-to-peer functionality. This rule detects outbound beaconing activity from infected host.

DEPENDENCIES
Lua Parsers:
* HTTP Lua
* Traffic Flow Lua
Feeds:
* NetWitness

GENERATED META KEYS
* ioc = dreambot malware
* inv.category = threat
* inv.context = malware, crimeware
packetcrimeware, featured, malware, threat
Dyzap Malwarenw22365Dyzap has the ability to steal usernames and passwords of email, banking and social media accounts. Once the malware infects a victim machine, it starts sending data to its command and control server via an HTTP POST request. This rule detects a variant seen spreading through phishing email messages.
Reference this RSA Link blog post from RSA Research for more details about this threat:
https://community.rsa.com/community/products/netwitness/blog/2016/11/18/detecting-a-dyzap-variant-using-rsa-netwitness
The HTTP_lua and traffic_flow parser are required.
packetcrimeware, malware, threat, remote access trojans
Etc Password Get Requestnw50005Detects a get request for "/etc/passwd"log, packetaction on objectives, attack phase, data exfiltration, threat
Etc Shadow Get Requestnw50010Detects attempted get request for /etc/shadowlog, packetaction on objectives, attack phase, data exfiltration, threat
exe filetype but not exe extensionexe_filetype_but_not_exe_extensionAn executable was detected in the session but no filename with an "exe" extension was seen in the same session.packetoperations, event analysis, file analysis
File Transport over ICMPnw110025Detects files transported over ICMP.log, packetevent analysis, file analysis, operations
File Transport Over Unknown Protocolnw110030Detects files transported over unknown protocols.packetevent analysis, operations, protocol analysis
File Vault Disabledfile_vault_disabledFile vault disabled.logassurance, endpoint
Filter Adobe Updatesnw140050Filters executables associated with Adobe Updatespacketevent analysis, filters, operations
Filter Google Updatesnw140020Filters executable updates for google toolspacketevent analysis, filters, operations
Filter Intel Updatesnw140035Filters executables associated with Intel Updatespacketevent analysis, filters, operations
Filter Java Updatesnw140015Filters executables involved with java updatespacketevent analysis, filters, operations
Filter Macromedia Updatesnw140030Filters macromedia update executablespacketevent analysis, filters, operations
Filter Mcafee Updatesnw140045Filters executables associated with Mcafee updatespacketevent analysis, filters, operations
Filter Skype Updatesnw140010Filters skype update executables.packetevent analysis, filters, operations
Filter Symantec Updatesnw140025Filters Symantec Update executablespacketevent analysis, filters, operations
Filter VMWare Updatesnw140040Filters executables associated with VMWare Updatespacketevent analysis, filters, operations
Filter Windows Updatesnw140005Filters executable downloads from Windows Update.packetevent analysis, filters, operations
Firewall Disabledfirewall_disabledEndpoint firewall disabled.logendpoint, threat
High Risk File From Blacklisted Hostnw20065Executable download from a host on a blacklist feed.packetattack phase, delivery, threat
HTTP over Non-Standard Portnw60020http traffic over a port other than 80packetevent analysis, operations, protocol analysis
HttpBrowser Malwarenw22325Detects malicious outbound traffic between HttpBrowser Malware variants and command and control server. Either the HTTP_lua or HTTP native parser is required.
Reference this RSA Link blog post from RSA Research for more details about this threat: https://community.rsa.com/community/products/netwitness/blog/2016/02/10/detecting-httpbrowser-variants-using-security-analytics
packetmalware, threat, remote access trojans
IRC File Transfernw00015Rules looks for file transfers via IRCpacketevent analysis, operations, protocol analysis
KeyBase Keyloggernw22340Detects malicious outbound traffic between KeyBase Keylogger and command and control server. Either the HTTP_lua or HTTP native parser and traffic_flow parser is required.
Reference this RSA Link blog post from RSA Research for more details about this threat:
https://community.rsa.com/community/products/netwitness/blog/2015/06/25/detecting-keybase-variants-using-security-analytics
packetkey loggers, malware, threat
Large Outbound Encrypted sessionnw110045Detects an Outbound encrypted session where the data size is greater than 5MB.packetaction on objectives, assurance, attack phase, compliance, corporate, data exfiltration, threat
Large Outbound Sessionnw110060Detects outbound session (encrypted or non-encrypted) where the data size is greater than 5MB.

DEPENDENCIES
Lua Parsers:
* traffic_flow
Feeds:
* Investigation
* Hunting

GENERATED META KEYS
*boc = large outbound data transfer
*inv.category = assurance
*inv.context = compliance, corporate
packetaction on objectives, assurance, attack phase, compliance, corporate, data exfiltration, threat
Locky Malwarenw22355Detects malicious outbound traffic between a system infected with Locky Ransomware and command and control server.

REFERENCES
Reference this RSA Link blog post from RSA Research for more details about this threat:
https://community.rsa.com/community/products/netwitness/blog/2016/10/03/nemucod-and-locky

DEPENDENCIES
Lua Parsers
* HTTP_lua
* traffic_flow
Feeds
* NetWitness

GENERATED META KEYS
* ioc = locky malware
* inv.category = threat
* inv.context = malware, crimeware
packetcrimeware, malware, threat
LSASS Accesslsass_accessDetects suspicious access to lsass.exe through sysmon logs. This process access indicates probable credential dumping.

DEPENDENCIES
Log Parsers:
* At least one of the Windows log device parsers
Feeds:
* Investigation

GENERATED META KEYS
* ioc = lsass access
* inv.category = identity, threat
* inv.context = attack phase, action on objectives, lateral movement
logaction on objectives, attack phase, identity, lateral movement, threat
Mirage Malwarenw22305Detects malicious outbound traffic due to installation of Mirage malware. The HTTP_lua parser is a required dependency.

Reference this RSA Link blog post from RSA Research for more details about this threat:
https://community.rsa.com/community/products/netwitness/blog/2015/11/10/detecting-mirage-variants-using-security-analytics
packetmalware, threat, remote access trojans
Named Pipe into LSASSnamed_pipe_into_lsassDetects when a suspicious Named Pipe is created or connected to target process of LSASS. This is detected through sysmon logs and indicates probable credential dumping.

DEPENDENCIES
Log Parsers:
* At least one of the Windows log device parsers
Feeds:
* Investigation

GENERATED META KEYS
* ioc = named pipe into lsass
* inv.category = identity, threat
* inv.context = attack phase, action on objectives, lateral movement
logaction on objectives, attack phase, identity, lateral movement, threat
NetTraveler Malwarenw22345Detects malicious outbound traffic between Malware NetTraveler and command and control server. Either the HTTP_lua or HTTP native parser and traffic_flow parser is required.
Reference this RSA Link blog post from RSA Research for more details about this threat:
https://community.rsa.com/thread/185492
packetmalware, threat, remote access trojans
NGINX HTTP Servernw30015Detects web servers running nginx, which is often used for malicious purposes.log, packetapplication analysis, event analysis, operations
Non-Standard Port Use - DHCPnw60035Identifies dhcp traffic over a port that is not typically used for dhcppacketevent analysis, operations, protocol analysis
Non-Standard Port Use - FTPnw60015ftp over ports other than TCP 21packetevent analysis, operations, protocol analysis
Non-Standard Port Use - H323nw60095Identifies h323 traffic over a port that is not typically used for h323.packetevent analysis, operations, protocol analysis
Non-Standard Port Use - IRCnw60110Identifies irc traffic over a port that is not typically used for irc.packetevent analysis, operations, protocol analysis
Non-Standard Port Use - NetBiosnw60060Identifies netbios traffic over a port that is not typically used for netbios.packetevent analysis, operations, protocol analysis
Non-Standard Port Use - NNTPnw60050Identifies nntp traffic over a port that is not typically used for nntp.packetevent analysis, operations, protocol analysis
Non-Standard Port Use - POP3nw60045Identifies pop3 traffic over a port that is not typically used for pop3.packetevent analysis, operations, protocol analysis
Non-Standard Port Use - RIPnw60080Identifies rip traffic over a port that is not typically used for rip.packetevent analysis, operations, protocol analysis
Non-Standard Port Use - RPCnw60055Identifies rpc traffic over a port that is not typically used for rpc.packetevent analysis, operations, protocol analysis
Non-Standard Port Use - RTPnw60100Identifies rto traffic over a port that is not typically used for rtp.packetevent analysis, operations, protocol analysis
Non-Standard Port Use - SIPnw60105Identifies sip traffic over a port that is not typically used for sippacketevent analysis, operations, protocol analysis
Non-Standard Port Use - SMBnw60065Identifies smb traffic over a port that is not typically used for smb.packetevent analysis, operations, protocol analysis
Non-Standard Port Use - SMTPnw60030Identifies smtp traffic over a port that is not typically used for smtp.packetevent analysis, operations, protocol analysis
Non-Standard Port Use - SNMPnw60070Identifies snmp traffic over a port that is not typically used for snmp.packetevent analysis, operations, protocol analysis
Non-Standard Port Use - SSHnw60025Identifies ssh traffic over a port that is not typically used for ssh.packetevent analysis, operations, protocol analysis
Non-Standard Port Use - SSLnw60075Identifies ssl traffic over a port that is not typically used for ssl.packetevent analysis, operations, protocol analysis
Non-Standard Port Use - TDSnw60085Identifies tds traffic over a port that is not typically used for tds.packetevent analysis, operations, protocol analysis
Non-Standard Port Use - Telnetnw60010telnet over ports other than TCP 23packetevent analysis, operations, protocol analysis
Non-Standard Port Use - TFTPnw60040Identifies tftp traffic over a port that is not typically used for tftp.packetevent analysis, operations, protocol analysis
Non-Standard Port Use - TNSnw60090Identifies tns traffic over a port that is not typically used for tns.packetevent analysis, operations, protocol analysis
NTDSXTRACT Tool Downloadnw110130Detects an internal network session download of NTDSXTRACT. NTDSXTRACT is a tool framework for extracting data from the active directory database file NTDS.DIT.At least one of the network parsers supporting meta of action and filename is required,which may include HTTP, FTP, IRC and NFS.packetaction on objectives, application analysis, attack phase, data exfiltration, event analysis, operations, threat
NTP DDoS Attack 234-byte Request: Netflownw5003210.4 or higher.Detects UDP/123 traffic with a 234-byte payload over Netflow. This is indicative of an NTP request generated by a monlist command.logaction on objectives, attack phase, denial of service, threat
NTP DDoS Attack 234-byte Request: Packetsnw50022Detects UDP/123 traffic with a 234-byte payload. This is indicative of an NTP request generated by a monlist command.packetaction on objectives, attack phase, denial of service, threat
NTP DDoS Attack 50-byte Request: Netflownw5003010.4 or higher.Detects UDP/123 traffic with a 50-byte payload over Netflow. This is indicative of a potential NTP DDoS attack tool.logaction on objectives, attack phase, denial of service, threat
NTP DDoS Attack 50-byte Request: Packetsnw50020Detects UDP/123 traffic with a 50-byte payload. This is indicative of a potential NTP DDoS attack tool.packetaction on objectives, attack phase, denial of service, threat
NTP DDoS Attack 60-byte Request: Netflownw5003110.4 or higher.Detects UDP/123 traffic with a 60-byte payload over NetFlow. This is indicative of the NTP request size initiated by the ntpdos.py attack script.logaction on objectives, attack phase, denial of service, threat
NTP DDoS Attack 60-byte Request: Packetsnw50021Detects UDP/123 traffic with a 60-byte payload. This is indicative of the NTP request size initiated by the ntpdos.py attack script.packetaction on objectives, attack phase, denial of service, threat
NWFL_access:data-accessNWFL_DataAccessNWFL App Rule to support Informer Reportslogassurance, audit, compliance
NWFL_access:privilege-escalation-failureNWFL_PrivEscalateFailNWFL App Rule to support Informer Reportslogassurance, audit, authorization, compliance, identity
NWFL_access:privilege-escalation-successNWFL_PrivEscalateSuccessNWFL App Rule to support Informer Reportslogassurance, audit, authorization, compliance, identity
NWFL_access:remote-failureNWFL_RemoteAccessFailNWFL App Rule to support Informer Reportslogassurance, audit, authentication, compliance, identity
NWFL_access:remote-successNWFL_RemoteAccessSuccessNWFL App Rule to support Informer Reportslogassurance, audit, authentication, compliance, identity
NWFL_access:user-access-revokedNWFL_UserAccessRevokeNWFL App Rule to support Informer Reportslogassurance, audit, authorization, compliance, identity
NWFL_account:account-disabledNWFL_AccountDisabledNWFL App Rule to support Informer Reportslogassurance, audit, authorization, compliance, identity
NWFL_account:auth-successNWFL_AuthSuccessNWFL App Rule to support Informer Reportslogassurance, audit, authorization, compliance, identity
NWFL_account:createdNWFL_AccountCreatedNWFL App Rule to support Informer Reportslogassurance, audit, authorization, compliance, identity
NWFL_account:deletedNWFL_AccountDeletedNWFL App Rule to support Informer Reportslogassurance, audit, authorization, compliance, identity
NWFL_account:group-managementNWFL_GroupMgmtNWFL App Rule to support Informer Reportslogassurance, audit, authorization, compliance, identity
NWFL_account:login-and-logoutNWFL_LoginLogoutNWFL App Rule to support Informer Reportslogassurance, audit, authentication, compliance, identity
NWFL_account:logon-failureNWFL_LoginFailureNWFL App Rule to support Informer Reportslogassurance, audit, authentication, compliance, identity
NWFL_account:logon-successNWFL_LoginSuccessNWFL App Rule to support Informer Reportslogassurance, audit, authentication, compliance, identity
NWFL_account:logon-success-direct-accessNWFL_LoginDirectAccessSuccessNWFL App Rule to support Informer Reportslogassurance, audit, authentication, compliance, identity
NWFL_account:logoutNWFL_LogoutNWFL App Rule to support Informer Reportslogassurance, audit, authentication, compliance, identity
NWFL_account:modifiedNWFL_AccountModifiedNWFL App Rule to support Informer Reportslogassurance, audit, authorization, compliance, identity
NWFL_account:password-changeNWFL_PasswordChangeNWFL App Rule to support Informer Reportslogassurance, audit, authorization, compliance, identity
NWFL_account:user-accessing-file-serversNWFL_UserAccessFilesrvNWFL App Rule to support Informer Reportslogassurance, audit, authorization, compliance, identity
NWFL_alm:cardholder-dataNWFL_AccessCardholderDataNWFL App Rule to support Informer Reportslogassurance, audit, compliance
NWFL_alm:error-event-typesNWFL_ErrorEventTypesNWFL App Rule to support Informer Reportslogassurance, audit, compliance
NWFL_alm:firmware-config-changesNWFL_FirmwareConfigChangeNWFL App Rule to support Informer Reportslogassurance, audit, compliance
NWFL_alm:inbound-network-trafficNWFL_InboundTrafficNWFL App Rule to support Informer Reportslogassurance, audit, compliance, event analysis, flow analysis, operations
NWFL_alm:outbound-network-trafficNWFL_OutboundTrafficNWFL App Rule to support Informer Reportslogassurance, audit, compliance, event analysis, flow analysis, operations
NWFL_alm:system-clock-synchNWFL_ClockSynchNWFL App Rule to support Informer Reportslogassurance, audit, compliance
NWFL_av:signature-updateNWFL_AVSignatureUpdateNWFL App Rule to support Informer Reportslogassurance, audit, compliance, risk, vulnerability management
NWFL_av:virus-summaryNWFL_AVSummaryNWFL App Rule to support Informer Reportslogassurance, audit, compliance
NWFL_config:change-audit-settingNWFL_AuditSettingChangeNWFL App Rule to support Informer Reportslogassurance, audit, compliance
NWFL_config:config-changesNWFL_ConfigChangesNWFL App Rule to support Informer Reportslogassurance, audit, compliance
NWFL_config:fw-config-changesNWFL_FirewallConfigChangeNWFL App Rule to support Informer Reportslogassurance, audit, compliance
NWFL_config:router-changeNWFL_RouterConfigChangeNWFL App Rule to support Informer Reportslogassurance, audit, compliance
NWFL_encryption:failuresNWFL_EncryptFailuresNWFL App Rule to support Informer Reportslogassurance, audit, compliance
NWFL_encryption:key-gen-and-changesNWFL_EncryptKeyGenChangesNWFL App Rule to support Informer Reportslogassurance, audit, compliance
NWFL_encryption:successNWFL_EncryptSuccessNWFL App Rule to support Informer Reportslogassurance, audit, compliance
NWFL_fw:categoriesNWFL_FirewallRuleCatNWFL App Rule to support Informer Reportslogassurance, audit, compliance
NWFL_fw:inbound-network-trafficNWFL_FWInboundTrafficNWFL App Rule to support Informer Reportslogassurance, audit, compliance, event analysis, flow analysis, operations
NWFL_fw:outbound-network-trafficNWFL_FWOutboundTrafficNWFL App Rule to support Informer Reportslogassurance, audit, compliance, event analysis, flow analysis, operations
NWFL_fw:url-blockNWFL_URLBlockNWFL App Rule to support Informer Reportslogassurance, audit, compliance
NWFL_fw:url-filetypesNWFL_URLFiletypesNWFL App Rule to support Informer Reportslogassurance, audit, compliance, event analysis, file analysis, operations
NWFL_host:windows:account-disabledNWFL_WinAcctDisabledNWFL App Rule to support Informer Reportslogassurance, audit, authorization, compliance, identity
NWFL_host:windows:file-accessNWFL_WinFileAccessNWFL App Rule to support Informer Reportslogassurance, audit, compliance
NWFL_host:windows:local-group-account-changesNWFL_WinLocalGrpChangeNWFL App Rule to support Informer Reportslogassurance, audit, authorization, compliance, identity
NWFL_host:windows:user-group-account-changesNWFL_WinUsrGroupChangeNWFL App Rule to support Informer Reportslogassurance, audit, authorization, compliance, identity
NWFL_intrusion:all-activityNWFL_IntrusionAllActivityNWFL App Rule to support Informer Reportslogassurance, audit, compliance
NWFL_ops:mailserver-errorsNWFL_MailserverErrorsNWFL App Rule to support Informer Reportslogassurance, audit, compliance
NWFL_wireless:AdminOperationsNWFL_WirelessAdminOpsNWFL App Rule to support Informer Reportslogassurance, audit, compliance
Only ACK Flag Set in Session Containing Payloadnw30005Alerts when sessions containing payload have only ACK flag set.packetevent analysis, operations, protocol analysis
Outbound MS Outlook PFF filenw110085Detects outbound MS Outlook PFFs (Personal Folder Files). It does not differentiate between type of PFF (e.g.: .pst, .ost, .pab).NOTE: This depends on the Lua parser - fingerprint_pff.lua - for detecting PFF filetype. This parser needs to be enabled in order for this rule to work.log, packetaction on objectives, attack phase, data exfiltration, threat
Outbound Session Greater Than 1GBoutbound_session_greater_than_1gbDetects and generates meta after a session with a high percentage of payload transmitted outbound reaches 1GB, 2GB and 3GB.

VERSIONS SUPPORTED
* 10.5 and higher

CONFIGURATION
By default, the Decoders capture buffer size is 32MB. If you have modified this setting, then you may need to tune the condition for session.split within the rule. Once a session exceeds the capture buffer size, it is split into a separate session. Meta is generated on each split session called, session.split, which is incremented by a count of 1 with each new session. The default setting for the Decoder capture buffer size may be found through the NetWitness Suite UI > Administration > Services > Explore > decoder > config > capture.buffer.size.

DEPENDENCIES
Lua Parsers:
* traffic_flow
* session_analysis

GENERATED META KEYS
* boc = outbound session greater than 1gb
packetaction on objectives, attack phase, data exfiltration, threat
Outbound Session Greater Than 500MBoutbound_session_greater_than_500mbDetects and generates meta after a session with a high percentage of payload transmitted outbound reaches 500MB.

VERSIONS SUPPORTED
* 10.5 and higher

CONFIGURATION
By default, the Decoders capture buffer size is 32MB. If you have modified this setting, then you may need to tune the condition for session.split within the rule. Once a session exceeds the capture buffer size, it is split into a separate session. Meta is generated on each split session called, session.split, which is incremented by a count of 1 with each new session. The default setting for the Decoder capture buffer size may be found through the NetWitness Suite UI > Administration > Services > Explore > decoder > config > capture.buffer.size.

DEPENDENCIES
Lua Parsers:
* traffic_flow
* session_analysis

GENERATED META KEYS
* boc = outbound session greater than 500mb
packetaction on objectives, attack phase, data exfiltration, threat
Pass the Hashpass_the_hashIndicates a possible pass-the-hash attack on a Windows system configured to use the NTLM authentication protocol. The rule reduces false positives by excluding anonymous logons, domain controller and machine logons and those that are not local accounts. It is recommended to exclude the domain for which the domain controller is responsible within the rule logic, since an attacker would typically not have this information and it could increase rule accuracy.

CONFIGURATION
Customize this rule to exclude your domain from matching. To do this, modify the expression within the rule, domain.all != 'yourdomain.com'. Replace 'yourdomain.com' with the domain(s) you wish to exclude.

DEPENDENCIES
Log Parsers:
* At least one of the Windows log device parsers

Feeds:
* Investigation

GENERATED META KEYS
* ioc = pass the hash
* inv.category = identity, threat
* inv.context = attack phase, action on objectives, authentication, lateral movement
logaction on objectives, attack phase, authentication, identity, lateral movement, threat
Passwords over FTPnw120010Identifies plaintext FTP loginspacketassurance, audit, compliance, corporate, organizational hazard
Passwords over HTTPnw120005Identifies plaintext HTTP loginspacketassurance, audit, compliance, corporate, organizational hazard, risk
Passwords Over Other Protocolsnw120030Identifies plaintext logins with an unidentified service type.packetassurance, audit, compliance, corporate, organizational hazard
Passwords Over Pop3nw120020Identifies plaintext pop3 loginspacketassurance, audit, compliance, corporate, organizational hazard
Passwords Over SMTPnw120025Identifies plaintext SMTP loginspacketassurance, audit, compliance, corporate, organizational hazard
Passwords Over Telnetnw120015Identifies plaintext telnet loginspacketassurance, audit, compliance, corporate, organizational hazard
php botnet beaconing wnw02635detects botnet beaconing with w=188 in the query string.packetattack phase, command and control, threat
php ini checkinnw02645Detects botnet traffic that uses PHP and .ini files for checkin traffic.log, packetattack phase, command and control, threat
php put to wordpress plugin dirnw02580Detects PHP puts to WordPress plugin directoires. This behavior has been observed by RSA-FirstWatch as potential malware traffic.log, packetattack phase, command and control, threat
php put with 40x errornw02575Detects PHP puts that create 4 series errors. This may indicate suspicoius or botnet check-in traffic.packetattack phase, command and control, threat
Proxy Anonymous Servicesnw110065Detects use of common proxy services using a list of domains matched against the alias host meta key. Use of an HTTP network parser is required.log, packetassurance, compliance, corporate, organizational hazard, risk
Proxy Client Downloadnw110070Detects proxy client file downloads by looking for the file name and extension within the filename meta key. Use of an HTTP network parser is required.log, packetapplication analysis, assurance, compliance, corporate, event analysis, operations, organizational hazard, risk
qq download clientnw02615detects download of the QQ chinese instant messaging client.log, packetassurance, organizational hazard, risk
RDP over Non-Standard Portnw110050Detects an RDP session over a non-standard port.packetevent analysis, operations, protocol analysis
Remote Control Client Websitenw110075Detects use of common remote client download sites. It uses a list of domains matched against the alias host meta key. Use of an HTTP network parser is required.log, packetassurance, compliance, corporate, organizational hazard, risk
Remote Thread into LSASSremote_thread_into_lsassDetects when a process creates remote thread into target process of LSASS. This is detected through sysmon logs and indicates probable credential dumping.

DEPENDENCIES
Log Parsers:
* At least one of the Windows log device parsers
Feeds:
* Investigation

GENERATED META KEYS
* ioc = remote thread into lsass
* inv.category = identity, threat
* inv.context = attack phase, action on objectives, lateral movement
logaction on objectives, attack phase, identity, lateral movement, threat
Display Name: RIG Exploit Kit
File Name: nw22370
Description: RIG exploit kit activity is suspected, based on patterns found in the query string, in the compromise of a vulnerable website.

DEPENDENCIES
Lua Parsers:
* HTTP Lua
* Traffic Flow Lua
Event Sources:
* Web proxy and security products such as Cisco WSA and Squid
Feeds:
* NetWitness

GENERATED META KEYS
* ioc = rig exploit kit
* inv.category = threat
* inv.context = attack phase, exploit, malware
Medium: log, packet
Tags: attack phase, exploit, featured, malware, threat
Display Name: Rogue DHCP Server Detected - Packets
File Name: nw00040
Description: Detects traffic on UDP/67 or UDP/68 that does not involve a legitimate DHCP server. Note: Users must add legitimate DHCP servers to the RogueDHCPServerDetected feed.
Medium: packet
Tags: assurance, organizational hazard, risk

Display Name: SchoolBell Malware
File Name: nw22360
Description: Detects malware associated with ShellCrew's large-scale infrastructure harvesting campaign. SchoolBell targets Windows servers running vulnerable versions of Java web containers such as JBoss and Jenkins. The rule can be used to detect the malware's callbacks from an infected host.

Both the HTTP_lua and traffic_flow parsers are required.
Medium: packet
Tags: crimeware, malware, threat

Display Name: ScribD Document Upload
File Name: nw110015
Description: Detects document uploads to the site ScribD.
Medium: log, packet
Tags: application analysis, assurance, compliance, corporate, event analysis, operations, organizational hazard, risk

Display Name: Shadow IT: File Sharing Apps
File Name: nw110150
Description: Detects usage of the file sharing applications Box, Dropbox, GitHub and iCloud for potential shadow IT use.
Medium: log, packet
Tags: application analysis, assurance, audit, compliance, event analysis, operations, organizational hazard, risk

Display Name: Shadow IT: Voice Chat Apps
File Name: nw30050
Description: Detects usage of some voice and chat applications (e.g. Vonage, VOIPStudio, tinychat and Yahoo Messenger) for potential shadow IT use.
Medium: log, packet
Tags: application analysis, assurance, audit, compliance, event analysis, operations, organizational hazard, risk

Display Name: Small Executable
File Name: nw20110
Description: Forensic executable detection with a small session size.
Medium: packet
Tags: event analysis, file analysis, operations

Display Name: Small Executable Extension Mismatch
File Name: nw20095
Description: Indicates a forensic executable detection with a file extension that is not .exe.
Medium: packet
Tags: attack phase, delivery, event analysis, file analysis, operations, threat

Display Name: Small Executable No Directory
File Name: nw20100
Description: Indicates a forensic executable detection with no corresponding directory information.
Medium: packet
Tags: attack phase, delivery, event analysis, file analysis, operations, threat

Display Name: Small Executable No Host
File Name: nw20090
Description: Indicates a forensic executable detection with a small session size and no corresponding alias.host information.
Medium: packet
Tags: attack phase, delivery, event analysis, file analysis, operations, threat

Display Name: Small Executable Root Directory
File Name: nw20105
Description: Forensic executable detection from the root directory of a host.
Medium: packet
Tags: attack phase, delivery, event analysis, file analysis, operations, threat
Display Name: Spectrum Consume 1.1 App Rule
File Name: spectrum_consume11
Description: Application rule required for Office document and PDF consumption.
Medium: packet
Tags: malware analysis, spectrum

Display Name: spectrum_consume.nwr
File Name: spectrum_consume
Description: Helper rule for Spectrum.
Medium: packet
Tags: malware analysis, spectrum

Display Name: ssh to external
File Name: ssh_internal_to_external
Description: Detects when an internal IP address initiates an SSH connection to an external IP address. An SSH connection is identified by service=22. An internal IP address is one in the private address space defined by RFC 1918; any IP address outside that space is considered external.
Medium: packet
Tags: event analysis, operations, protocol analysis

Display Name: Stealth Email Use
File Name: nw110105
Description: Detects a user sign-up or sign-in event for the following stealth mail services:
* Stealth Email: Referer of http://www.spytech-web.com/stealth-email-buy.shtml, http://www.stealth-email.com:2095/login/ or http://stealth-email.com/
* Hush Mail: any traffic with an IP destination of 65.39.178.58 or an organization destination of "Peer 1 Network (USA)"
* Neomailbox: any traffic to alias host www.neomailbox.com
* Cryptoheaven: any traffic to alias host www.cryptoheaven.com
* S-mail: any traffic to alias host mail.s-mail.com
Medium: log, packet
Tags: assurance, compliance, corporate, organizational hazard, risk

Display Name: Stealth Email Use Large Session
File Name: nw110095
Description: Detects a session larger than 1 MB to the following stealth mail services:
* Stealth Email: alias host www.stealth-email.com
* Hush Mail: an IP destination of 65.39.178.58 or an organization destination of "Peer 1 Network (USA)"
* Neomailbox: alias host www.neomailbox.com
* Cryptoheaven: alias host www.cryptoheaven.com
* S-mail: alias host mail.s-mail.com
Medium: packet
Tags: assurance, compliance, corporate, organizational hazard, risk

Display Name: strings decode download
File Name: nw02565
Description: Detects malware that uses "strings.txt" for command and control instructions.
Medium: log, packet
Tags: attack phase, command and control, threat

Display Name: suspicious long filename get request
File Name: nw02625
Description: Detects GET requests that include extremely long filenames, a tactic often used by malware to encode information.
Medium: packet
Tags: attack phase, command and control, threat

Display Name: suspicious php put long query
File Name: nw02585
Description: Detects PUT requests to PHP pages that include extremely long query strings. This behavior is often indicative of encoded botnet or malware check-in traffic.
Medium: log, packet
Tags: attack phase, command and control, threat

Display Name: suspicious PHP url-encoded put
File Name: nw02620
Description: Detects PUT requests to PHP pages that include URL-encoded data.
Medium: packet
Tags: attack phase, command and control, threat
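The four HTTP heuristics above (php put with 40x error, suspicious long filename get request, suspicious php put long query and suspicious PHP url-encoded put) share one shape: a request method, a filename, a query string and a status code, each tested against a simple condition. The following is an added example, not RSA's rule code, that evaluates those conditions over constructed session metadata. The dictionary keys (action, filename, query, error) are modelled loosely on NetWitness HTTP meta but are an assumption of the example, as are the two length thresholds, since the page only says "extremely long".

```python
from urllib.parse import unquote

# Assumed thresholds: the rule descriptions only say "extremely long".
LONG_QUERY = 200
LONG_FILENAME = 100

# Constructed sample sessions. Keys are modelled on NetWitness HTTP meta
# (action, filename, query, error) but are an assumption of this example.
SESSIONS = {
    "s1": {"action": "put", "filename": "gate.php", "query": "id=7", "error": "404"},
    "s2": {"action": "get", "filename": "a" * 150 + ".gif", "query": "", "error": ""},
    "s3": {"action": "put", "filename": "panel.php", "query": "d=" + "A" * 300, "error": ""},
    "s4": {"action": "put", "filename": "up.php", "query": "p=%61%62%63%3d", "error": ""},
    "s5": {"action": "get", "filename": "index.html", "query": "q=1", "error": "404"},
}


def is_php(session):
    return session["filename"].lower().endswith(".php")


def php_put_40x(session):
    # PUT to a PHP page answered with any 4xx status.
    return session["action"] == "put" and is_php(session) and session["error"].startswith("4")


def long_filename_get(session):
    # Very long path component on a GET: data smuggled in the filename.
    return session["action"] == "get" and len(session["filename"]) >= LONG_FILENAME


def php_put_long_query(session):
    # PUT to a PHP page carrying an oversized query string.
    return session["action"] == "put" and is_php(session) and len(session["query"]) >= LONG_QUERY


def php_put_url_encoded(session):
    # URL-encoded data is present if percent-decoding changes the query.
    query = session["query"]
    return session["action"] == "put" and is_php(session) and unquote(query) != query


RULES = {
    "php put with 40x error": php_put_40x,
    "suspicious long filename get request": long_filename_get,
    "suspicious php put long query": php_put_long_query,
    "suspicious PHP url-encoded put": php_put_url_encoded,
}


def evaluate(session):
    """Names of the rules that fire on one session, sorted for stable output."""
    return sorted(name for name, check in RULES.items() if check(session))


def run(sessions=SESSIONS):
    return {sid: evaluate(s) for sid, s in sessions.items()}


if __name__ == "__main__":
    for sid, hits in run().items():
        print(sid, hits)
```

Session s5 shows the main false-positive control: a 404 on a plain GET to an HTML page matches none of the rules, because each condition is anchored on the PUT method and a .php target rather than on the error code alone.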
Display Name: Taidoor Malware
File Name: nw22335
Description: Detects malicious outbound traffic between the Taidoor malware and its command and control server. Either the HTTP_lua or the native HTTP parser is required, together with the traffic_flow parser.
Reference this RSA Link blog post from RSA Research for more details about this threat:
https://community.rsa.com/thread/185493
Medium: packet
Tags: malware, threat, remote access trojans

Display Name: tdss_rootkit_variant_beaconing
File Name: app000002
Description: Detects the beaconing activity of the TDSS rootkit botnet.
Medium: log, packet
Tags: attack phase, command and control, malware, remote access trojans, threat

Display Name: Tendrit Malware
File Name: nw22320
Description: Detects malicious outbound traffic between Tendrit backdoor/malware variants and their command and control server. Either the HTTP_lua or the native HTTP parser is required.
Reference this RSA Link blog post from RSA Research for more details about this threat: https://community.rsa.com/community/products/netwitness/blog/2016/05/09/detecting-tendrit-variants-using-security-analytics
Medium: packet
Tags: malware, threat, remote access trojans
Display Name: Tor Outbound
File Name: nw00035
Description: Detects encrypted network sessions, as well as log sessions, to an external (non-RFC 1918) IP destination that show at least one indicator of using the Tor protocol for anonymous data access. The possible indicators of Tor are: communication over a common Tor destination port (9001, 9030, 9101, 9003, 9050 or 9051), or communication with a known Tor tunnel node.

DEPENDENCIES
Packets:
Lua Parsers:
* traffic_flow
* TLS_lua
Feeds:
* Tor Exit Nodes
* Investigation

Logs:
Lua Parsers:
* traffic_flow
Feeds:
* Tor Exit Nodes
* Investigation
Log Parsers:
* At least one parser with device.class='Firewall' or device.type='rsaflow'

GENERATED META KEYS
* analysis.session = tunneling outbound tor
* inv.category = assurance
* inv.context = compliance, corporate, organizational hazard, risk
Medium: log, packet
Tags: assurance, compliance, corporate, organizational hazard, risk
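Both ssh to external and Tor Outbound hinge on the same question, whether an address is inside the RFC 1918 private space, and then apply a service or port test. The following is an added example, not RSA's rule code, that implements both rules over constructed session metadata. It assumes that a packet session identified as encrypted by TLS_lua carries service=443, and it substitutes a constructed documentation address for the Tor Exit Nodes feed; neither assumption comes from the page. The RFC 1918 networks are spelled out on purpose: Python's ipaddress.is_private also returns True for loopback, link-local, carrier-grade NAT and documentation ranges, which the rule definition does not treat as internal.

```python
import ipaddress

# Exactly the RFC 1918 ranges. ipaddress's is_private also covers loopback,
# link-local, CGNAT and documentation ranges, so it is deliberately not used.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports listed in the Tor Outbound rule description.
TOR_PORTS = {9001, 9030, 9101, 9003, 9050, 9051}
# Stand-in for the "Tor Exit Nodes" feed: a constructed documentation address,
# not a real relay.
TOR_NODE_FEED = {ipaddress.ip_address("203.0.113.77")}

# Assumed convention for this example: NetWitness service meta 22 = SSH,
# 443 = SSL/TLS, 0 = unidentified. Log sessions carry no service meta here.
SSH, TLS = 22, 443


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def ssh_to_external(s):
    return s["service"] == SSH and is_internal(s["ip.src"]) and not is_internal(s["ip.dst"])


def tor_outbound(s):
    if is_internal(s["ip.dst"]):
        return False
    # Packet sessions must have been identified as encrypted; log sessions
    # (firewall / flow records) have no such meta and are judged on port/feed alone.
    if s["medium"] == "packet" and s["service"] != TLS:
        return False
    return s["tcp.dstport"] in TOR_PORTS or ipaddress.ip_address(s["ip.dst"]) in TOR_NODE_FEED


# Constructed sample sessions using documentation ranges (198.51.100/24, 203.0.113/24).
SESSIONS = {
    "s1": {"medium": "packet", "ip.src": "10.1.2.3", "ip.dst": "198.51.100.10", "service": 22, "tcp.dstport": 22},
    "s2": {"medium": "packet", "ip.src": "10.1.2.3", "ip.dst": "10.9.9.9", "service": 22, "tcp.dstport": 22},
    # 172.32.0.5 lies outside 172.16.0.0/12, so this source is not internal.
    "s3": {"medium": "packet", "ip.src": "172.32.0.5", "ip.dst": "198.51.100.30", "service": 22, "tcp.dstport": 22},
    "s4": {"medium": "packet", "ip.src": "192.168.1.10", "ip.dst": "198.51.100.20", "service": 443, "tcp.dstport": 9001},
    "s5": {"medium": "packet", "ip.src": "172.31.0.5", "ip.dst": "203.0.113.77", "service": 443, "tcp.dstport": 443},
    "s6": {"medium": "log", "ip.src": "10.0.0.8", "ip.dst": "198.51.100.40", "service": 0, "tcp.dstport": 9050},
    # Plain HTTP on a Tor port: not encrypted, so the packet-side rule stays quiet.
    "s7": {"medium": "packet", "ip.src": "10.0.0.9", "ip.dst": "198.51.100.50", "service": 80, "tcp.dstport": 9030},
}

RULES = {"ssh to external": ssh_to_external, "Tor Outbound": tor_outbound}


def evaluate(s):
    return sorted(name for name, check in RULES.items() if check(s))


def run(sessions=SESSIONS):
    return {sid: evaluate(s) for sid, s in sessions.items()}


if __name__ == "__main__":
    for sid, hits in run().items():
        print(sid, hits)
```

Session s3 is the edge case worth keeping in mind when tuning either rule: 172.32.0.0/16 is adjacent to the RFC 1918 block but not inside it, so a host numbered there is treated as external and its outbound SSH never fires the rule.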
Display Name: Torrent File Download
File Name: nw70010
Description: Detects the download of a .torrent file.
Medium: log, packet
Tags: assurance, compliance, corporate, event analysis, file analysis, operations

Display Name: Trojan BLT
File Name: nw22300
Description: Detects malicious outbound traffic resulting from the installation of Trojan BLT variants. Either the HTTP_lua or the native HTTP parser is required.

Reference this RSA Link blog post from RSA Research for more details about this threat: https://community.rsa.com/community/products/netwitness/blog/2015/12/04/detecting-trojanblt-variants-using-security-analytics
Medium: packet
Tags: malware, threat, remote access trojans

Display Name: tsone dorkbot beaconing
File Name: app000003
Description: Detects hosts infected with the TSONE Dorkbot.
Medium: packet
Tags: attack phase, command and control, malware, remote access trojans, threat
Display Name: Unknown Service Over DNS Port
File Name: nw60115
Description: Detects an unidentified service over a port typically used for DNS traffic.
Medium: packet
Tags: event analysis, operations, protocol analysis

Display Name: Unknown Service Over FTP Port
File Name: nw60120
Description: Detects an unidentified service over a port typically used for FTP traffic.
Medium: packet
Tags: event analysis, operations, protocol analysis

Display Name: Unknown Service Over HTTP Port
File Name: nw60125
Description: Detects an unidentified service over a port typically used for HTTP traffic.
Medium: packet
Tags: event analysis, operations, protocol analysis

Display Name: Unknown Service Over IRC Port
File Name: nw60145
Description: Detects an unidentified service over a port typically used for IRC traffic.
Medium: packet
Tags: event analysis, operations, protocol analysis

Display Name: Unknown Service Over NNTP Port
File Name: nw60150
Description: Detects an unidentified service over a port typically used for NNTP traffic.
Medium: packet
Tags: event analysis, operations, protocol analysis

Display Name: Unknown Service Over POP3 Port
File Name: nw60140
Description: Detects an unidentified service over a port typically used for POP3 traffic.
Medium: packet
Tags: event analysis, operations, protocol analysis

Display Name: Unknown Service Over SMB Port
File Name: nw60155
Description: Detects an unidentified service over a port typically used for SMB traffic.
Medium: packet
Tags: event analysis, operations, protocol analysis

Display Name: Unknown Service Over SMTP Port
File Name: nw60135
Description: Detects an unidentified service over a port typically used for SMTP traffic.
Medium: packet
Tags: event analysis, operations, protocol analysis

Display Name: Unknown Service Over SSL Port
File Name: nw60165
Description: Detects an unidentified service over a port typically used for SSL traffic.
Medium: packet
Tags: event analysis, operations, protocol analysis

Display Name: Unknown Service Over Telnet Port
File Name: nw60130
Description: Detects an unidentified service over a port typically used for Telnet traffic.
Medium: packet
Tags: event analysis, operations, protocol analysis
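The ten Unknown Service Over <X> Port rules are one check parameterised by port, and RDP over Non-Standard Port is its mirror image: there the service is identified but the port is wrong. The following is an added example, not RSA's rule code, that generalises the family to a port-to-protocol table and adds the RDP inverse, run over constructed session metadata. It assumes the NetWitness convention that the service meta key holds the identified protocol's well-known number (3389 for RDP, 443 for SSL) and 0 when no parser recognised the session; the port-to-protocol table itself is the example's choice (SMB also appears on 139, HTTP on 8080, and so on).

```python
# Port -> protocol the delivered "Unknown Service Over <X> Port" rules expect
# there. Which ports belong to each protocol is this example's assumption.
EXPECTED_ON_PORT = {
    53: "DNS", 21: "FTP", 80: "HTTP", 6667: "IRC", 119: "NNTP",
    110: "POP3", 445: "SMB", 25: "SMTP", 443: "SSL", 23: "Telnet",
}

# Assumed NetWitness convention: service=0 when no parser identified the session.
UNKNOWN = 0
RDP = 3389


def unknown_service_over_port(s):
    """Unidentified bytes on a port that normally carries a known protocol."""
    proto = EXPECTED_ON_PORT.get(s["dstport"])
    if proto and s["service"] == UNKNOWN:
        return f"Unknown Service Over {proto} Port"
    return None


def rdp_over_non_standard_port(s):
    """The inverse check: RDP was identified, but not on its usual port."""
    if s["service"] == RDP and s["dstport"] != RDP:
        return "RDP over Non-Standard Port"
    return None


def evaluate(s):
    return [hit for hit in (unknown_service_over_port(s), rdp_over_non_standard_port(s)) if hit]


# Constructed sample sessions (destination port, identified service).
SESSIONS = {
    "s1": {"dstport": 443, "service": 0},      # unrecognised traffic on 443
    "s2": {"dstport": 443, "service": 443},    # ordinary TLS
    "s3": {"dstport": 8443, "service": 3389},  # RDP hidden on 8443
    "s4": {"dstport": 3389, "service": 3389},  # ordinary RDP
    "s5": {"dstport": 53, "service": 0},       # unrecognised traffic on 53
    "s6": {"dstport": 22, "service": 0},       # no delivered rule covers port 22
    "s7": {"dstport": 80, "service": 22},      # SSH on 80: identified, so the
                                               # unknown-service rules stay silent
}


def run(sessions=SESSIONS):
    return {sid: evaluate(s) for sid, s in sessions.items()}


if __name__ == "__main__":
    for sid, hits in run().items():
        print(sid, hits)
```

Session s7 shows the gap between the two rule shapes: SSH tunnelled over port 80 is a recognised service on an unexpected port, which none of the Unknown Service rules catch, because they fire only when the parser identified nothing at all. Catching that case needs a per-protocol inverse rule of the RDP kind.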
Display Name: Unusual Port Utilized by Domain Controller
File Name: nw00045
Description: Detects a domain controller or directory server engaged in port activity outside the expected ports. For Active Directory port requirements, see the following Microsoft Windows Server article: https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx. Note: This rule must be modified to include the IP address of the local Domain Controller or Directory Server.
Medium: packet
Tags: assurance, event analysis, operations, organizational hazard, protocol analysis, risk

Display Name: Web Access: Pastebin
File Name: nw110040
Description: Detects the existence of "pastebin.com" or "post.php" in a URL string. Pastebin is a very common site for quickly distributing sensitive data and for posting and retrieving malicious and benign code snippets. It is often used to post the output of competing threat actor groups, usually usernames, passwords and credit card numbers gained during successful harvesting campaigns and focused attacks against servers hosting the data.
Medium: log, packet
Tags: assurance, compliance, corporate

Display Name: Web Access: Rghost
File Name: nw110035
Description: Detects the existence of "rghost.net" in a URL string. Rghost is a very common site for quickly distributing sensitive data and for posting and retrieving malicious (as well as benign) code snippets. It is often used to post the output of competing threat actor groups, usually usernames, passwords and credit card numbers gained during successful harvesting campaigns and focused attacks against servers hosting the data. It is also a large online repository of searchable malware executables.
Medium: log, packet
Tags: assurance, compliance, corporate

Display Name: Windows Credential Harvesting Services
File Name: nw05415
Description: Fires on the installation of Windows services known to be used for pass-the-hash and brute force attacks, such as psexec, wce, pwdump, cachedump and gsecdump.
Medium: log
Tags: action on objectives, assurance, attack phase, lateral movement, organizational hazard, risk, threat

Display Name: Windows NTLM Network Logon Successful
File Name: nw30060
Description: Indicates a possible pass-the-hash attack on Windows systems configured to use the NTLM authentication protocol. This rule does not apply to systems that use the Kerberos authentication protocol. The rule reduces false positives for anonymous logons and eliminates all DC and machine logons by removing any usernames that end in $. It is recommended to exclude, within the rule logic, the domain for which the Domain Controller is responsible.
Medium: log
Tags: action on objectives, attack phase, authentication, identity, lateral movement, threat
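Three of the log-only rules on this page, Remote Thread into LSASS, Windows Credential Harvesting Services and Windows NTLM Network Logon Successful, each reduce to a Windows event ID plus a few field tests and exclusions. The following is an added example, not RSA's rule code, that applies those conditions to constructed Windows events represented as small dictionaries rather than full EVTX records. The event IDs used are standard (Sysmon 8 for CreateRemoteThread, Security 4697 and System 7045 for service installation, Security 4624 for logon), but the choice of fields and the token list are this example's assumptions; the token psexesvc is an addition, since Sysinternals PsExec registers its service as PSEXESVC, which the page's token psexec would not match. The domain exclusion the NTLM rule recommends is left as a parameter for the operator to fill in.

```python
# Service-name tokens from the rule description, plus "psexesvc" (this
# example's addition: PsExec's service is PSEXESVC, which "psexec" misses).
HARVESTING_TOKENS = ("psexec", "psexesvc", "wce", "pwdump", "cachedump", "gsecdump")


def remote_thread_into_lsass(e):
    # Sysmon Event ID 8 = CreateRemoteThread; match on the target image path.
    return e.get("event_id") == 8 and e.get("TargetImage", "").lower().endswith("\\lsass.exe")


def credential_harvesting_service(e):
    # Security 4697 / System 7045 = a service was installed. Substring matching
    # on short tokens such as "wce" is deliberately loose; tune for your estate.
    if e.get("event_id") not in (4697, 7045):
        return False
    hay = (e.get("ServiceName", "") + " " + e.get("ServiceFileName", "")).lower()
    return any(token in hay for token in HARVESTING_TOKENS)


def ntlm_network_logon(e, excluded_domains=frozenset()):
    # Security 4624, logon type 3 (network) authenticated with the NTLM package.
    # Machine accounts (trailing $) and anonymous logons are dropped as the
    # rule description says; excluded_domains is the operator-supplied
    # exclusion it recommends (assumed empty here).
    if e.get("event_id") != 4624 or e.get("LogonType") != 3:
        return False
    if e.get("AuthenticationPackageName", "").upper() != "NTLM":
        return False
    user = e.get("TargetUserName", "")
    if user.endswith("$") or user.upper() == "ANONYMOUS LOGON":
        return False
    excluded = {d.upper() for d in excluded_domains}
    return e.get("TargetDomainName", "").upper() not in excluded


# Constructed sample events (not real log records).
EVENTS = {
    "e1": {"event_id": 8, "SourceImage": "C:\\Users\\Public\\m.exe",
           "TargetImage": "C:\\Windows\\System32\\lsass.exe"},
    "e2": {"event_id": 8, "SourceImage": "C:\\Windows\\System32\\csrss.exe",
           "TargetImage": "C:\\Windows\\explorer.exe"},
    "e3": {"event_id": 7045, "ServiceName": "PSEXESVC",
           "ServiceFileName": "%SystemRoot%\\PSEXESVC.exe"},
    "e4": {"event_id": 4697, "ServiceName": "Sync Host",
           "ServiceFileName": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    "e5": {"event_id": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
           "TargetUserName": "jdoe", "TargetDomainName": "CORP"},
    "e6": {"event_id": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
           "TargetUserName": "WS01$", "TargetDomainName": "CORP"},
    "e7": {"event_id": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
           "TargetUserName": "ANONYMOUS LOGON", "TargetDomainName": "NT AUTHORITY"},
    "e8": {"event_id": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
           "TargetUserName": "jdoe", "TargetDomainName": "CORP"},
}


def evaluate(e, excluded_domains=frozenset()):
    hits = []
    if remote_thread_into_lsass(e):
        hits.append("Remote Thread into LSASS")
    if credential_harvesting_service(e):
        hits.append("Windows Credential Harvesting Services")
    if ntlm_network_logon(e, excluded_domains):
        hits.append("Windows NTLM Network Logon Successful")
    return hits


def run(events=EVENTS, excluded_domains=frozenset()):
    return {eid: evaluate(e, excluded_domains) for eid, e in events.items()}


if __name__ == "__main__":
    for eid, hits in run().items():
        print(eid, hits)
```

Events e6 through e8 are the exclusions the NTLM rule description lists: the machine account, the anonymous logon and a Kerberos logon all stay silent, so what remains is a human account authenticating over the network with NTLM, which is the signal the rule treats as possible pass-the-hash.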