The following table lists all of the delivered RSA Application Rules.

For syntax and examples for application rules, see Application Rules Cheat Sheet.

Note: For content that has been discontinued, see Discontinued Content.

If you want to view only Endpoint application rules, click here: RSA Application Rules for Endpoint.

Display Name	File Name	Description	Medium	Tag
Accesses Administrative Share Using Command Shell	accesses_administrative_share_using_command_shell	Accessing administrative share using command shell can be an indicator of someone trying for lateral movement or privilege escalation by using hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. This rule is supported for Windows 8 and higher versions. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = accesses administrative share using command shell	endpoint
Activates BITS Job	activates_bits_job	Background Intelligent Transfer Service (BITS) is a Windows component used to transfer files. It has commonly been used for malware distribution. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * ioc = activates bits job	endpoint
Adds Files To BITS Download Job	adds_files_to_bits_download_job	Background Intelligent Transfer Service (BITS) is a Windows component used to transfer files. It has commonly been used for malware distribution. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * ioc = adds files to bits download job	endpoint
Adds Firewall Rule	adds_firewall_rule	Adding firewall rule can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = adds firewall rule	endpoint
Allocates Remote Memory	allocates_remote_memory	In Mac, a process not signed by Apple has allocated memory in another process. Most allocations will only occur within the same process and by processes signed by Apple. This generally indicates an attempt to inject code or data into another process, which may be a first step in reinforcing a malicious presence on a system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = allocates remote memory	endpoint
Antivirus Disabled	antivirus_disabled	Disabling antivirus can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = antivirus disabled	endpoint
Archive Extension Mismatch	nw20080	Creates meta when an archive file is detected without an archive file extension. VERSIONS SUPPORTED * 10.5 and higher DEPENDENCIES Lua Parsers: * fingerprint_zip * fingerprint_gzip * fingerprint_7zip * fingerprint_rar_lua Feeds: * investigation GENERATED META KEYS * alert.id = 'nw20080' * analysis.session = 'archive extension mismatch'	packet	event analysis, file analysis, operations
Archive From IP Address	nw20085	archive directly from an ip address with no corresponding alias.host meta. Often indicative of a second stage tool download after a foothold has been established.	packet	attack phase, delivery, threat
Archiving Software Reads Multiple Documents	archiving_software_reads_multiple_documents	Multiple documents read could be an indication of someone creating a large archive. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = archiving software reads multiple documents	endpoint
Attachment Overload	nw00005	Rule looks for more than 4 attachments in a single session.	packet	event analysis, file analysis, operations
Autorun	autorun	Indicates applications or commands that are configured to run on system startup. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun	endpoint
Autorun File Path Not Part Of RPM	autorun_file_path_not_part_of_rpm	Installation or updates of software on Linux systems is typically done through an RPM. Executables outside of this packing format could be considered suspicious. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun file path not part of rpm	endpoint
Autorun Key Contains Non-Printable Characters	autorun_key_contains_non-printable_characters	Autorun key containing non-printable characters an indication of someone trying to use startup configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * ioc = autorun key contains non-printable characters	endpoint
Autorun RPM Mismatch	autorun_rpm_mismatch	A hash mismatch may indicate a file has been altered from its original state and call into question its integrity. Since RPMs typically contain compiled software this could mean an attacker is trying to disguise malicious malware as legitimate.	endpoint
Autorun Unsigned Active Setup	autorun_unsigned_active_setup	Active Setup is a mechanism for executing commands once per user early during login and executed by explorer.exe. To ensure persistence across reboots and log-offs attackers use active setup which is even more suspicious when it is unsigned. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun unsigned active setup	endpoint
Autorun Unsigned AppInit_DLLs	autorun_unsigned_appinit_dlls	Unsigned Autorun AppInit_DLLs can be an indiaction of attacker trying to abused registry key values for DLLs to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun unsigned appinit_dlls	endpoint
Autorun Unsigned BHO	autorun_unsigned_bho	BHOs can be used to monitor user browsing habits and deliver targeted advertising as well as steal information. BHOs Unsigned and configured to run on system startup are used for persistence and are suspicious. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun unsigned bho	endpoint
Autorun Unsigned BootExecute Registry Startup Method	autorun_unsigned_bootexecute_registry_startup_method	Unsigned Autorun BootExecute registry startup method an indication of someone trying to use startup configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun unsigned bootexecute registry startup method	endpoint
Autorun Unsigned Explorer Registry Startup Method	autorun_unsigned_explorer_registry_startup_method	Unsigned Autorun explorer registry startup method an indication of someone trying to use startup configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun unsigned explorer registry startup method	endpoint
Autorun Unsigned Hidden	autorun_unsigned_hidden	Adversaries can use this to their advantage to hide files and folders anywhere on the system for persistence and evasion. To ensure persistence across reboots attackers configure to run those on system startup which is even more suspicious when it is unsigned. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun unsigned hidden	endpoint
Autorun Unsigned IE Toolbar	autorun_unsigned_ie_toolbar	Toolbar can be spyware or adware which can breach privacy and steal data through browsers. To ensure persistence across reboots attackers configure to run those on system startup which is even more suspicious when it is unsigned. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun unsigned ie toolbar	endpoint
Autorun Unsigned In AppDataLocal Directory	autorun_unsigned_in_appdatalocal_directory	This rule looks for any registry logon autoruns (HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce and \\Run keys) that have actions pointing at files running out of AppData/Local/Temp on Windows systems. These locations are used often by malware authors to store malicious payloads, with autoruns in place to ensure persistence. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun unsigned in appdatalocal directory	endpoint
Autorun Unsigned In AppDataRoaming Directory	autorun_unsigned_in_appdataroaming_directory	This rule looks for any registry logon autoruns (HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce and \\Run keys) that have actions pointing at files running out of AppData/Roaming on Windows systems. These locations are used often by malware authors to store malicious payloads, with autoruns in place to ensure persistence. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun unsigned in appdataroaming directory	endpoint
Autorun Unsigned In ProgramData Directory	autorun_unsigned_in_programdata_directory	This rule looks for any registry logon autoruns (HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce and \\Run keys) that have actions pointing at files running out of ProgramData directory on Windows systems. These locations are used often by malware authors to store malicious payloads, with autoruns in place to ensure persistence. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun unsigned in programdata directory	endpoint
Autorun Unsigned In Temp Directory	autorun_unsigned_in_temp_directory	This rule looks for any registry logon autoruns (HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce and \\Run keys) that have actions pointing at files running out of Temp directory on Windows systems. These locations are used often by malware authors to store malicious payloads, with autoruns in place to ensure persistence. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun unsigned in temp directory	endpoint
Autorun Unsigned LogonType Registry Startup Method	autorun_unsigned_logontype_registry_startup_method	Unsigned Autorun LogonType registry startup method an indication of someone trying to use startup configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun unsigned logontype registry startup method	endpoint
Autorun Unsigned LSA Provider	autorun_unsigned_lsa_provider	Windows Authentication Package (AP) DLLs are loaded by the Local Security Authority (LSA) process at system start. Attackers can introduce their own APs to control logon processes and security protocols to OS. To ensure persistence across reboots attackers configure to run those on system startup which is even more suspicious when it is unsigned. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun unsigned lsa provider	endpoint
Autorun Unsigned ServiceDLL	autorun_unsigned_servicedll	To evade defense, DLLs can be run as a service. This technique is used by attackers to hide the malware. To ensure persistence across reboots attackers configure to run those on system startup which is even more suspicious when it is unsigned. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun unsigned servicedll	endpoint
Autorun Unsigned Winsock LSP	autorun_unsigned_winsock_lsp	Winsock LSP is a DLL that is loaded when a process uses Winsock API, it allows us to inject our code between the user network calls and the Winsock API, thus allowing attacker to inspect, modify, or block those network calls. To ensure persistence across reboots attackers configure to run those on system startup which is even more suspicious when it is unsigned. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = autorun unsigned winsock lsp	endpoint
Bad Certificate Warning Disabled	bad_certificate_warning_disabled	Disabling bad certificate warning can be an indication of an adversary attempting to block indicators or event notifications, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = bad certificate warning disabled	endpoint
Blacklisted File	blacklisted_file	An analyst may mark files as blacklisted within NetWitness Endpoint. If actions on an endpoint involve those blacklisted files as the source, then this rule will trigger. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = blacklisted file	endpoint
Bozok RAT Acquisition	nw90001	Detects web traffic from an internal IP address to the following URL: http://ss-rat.blogspot.com.	log, packet	malware, remote access trojans, threat
Browser Runs Mshta	browser_runs_mshta	Mshta.exe executes Microsoft HTML Applications (HTA). Attackers can use mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. It is suspicious for a browser to run Mshta. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = browser runs mshta	endpoint
Browser Runs Powershell	browser_runs_powershell	Browser running powershell can be an indication of someone trying to run web based malicious commands using browsers to compromise the system or the user, which can be further used to gain access, to do lateral movement or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = browser runs powershell	endpoint
Builds Script Incrementally	builds_script_incrementally	Building script incrementally can be an indication of attacker trying to execute serias of commands using script, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to avoid triggering security tools. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = builds script incrementally	endpoint
BYOD Mobile Web Agent Detected	nw110125	Detects use of a web browsing agent for a mobile device. The following is the list of strings looked for within the "client" meta key to indicate mobile browsing: "iPad", "iPhone", "iPod", "Android", "BlackBerry", "Mobile", "Opera Mobi", "Opera Mini", "Symbian", "GoBrowser", "Minimo", "Netfront", "Skyfire", "SEMC-Browser".	log, packet	assurance, compliance, corporate
Cerber Ransomware	nw22350	Detects a set of pay-site hosts for Cerber ransomware that correlate to embedded configuration files for the malware's set up of bitcoin wallets for each victim. This rule matches when the 'alias.host' (packet) or 'fqdn' (web logs) begins with one of the identified pay-sites. Reference these RSA Link blog posts from RSA Research for more details about this threat: https://community.rsa.com/community/products/netwitness/blog/2016/09/27/the-evolution-of-cerber https://community.rsa.com/community/products/netwitness/blog/2016/11/04/the-evolution-of-cerber-v410 Dependencies: - (Packet) HTTP_lua parser - (Logs) At least one web log event source - September 2016 or later release. Prior to 10.6.2, the Envision Config File from Live for the FQDN meta key configuration. Meta Keys: - Risk Warning = cerber ransomware - Indicators of Compromise = cerber ransomware	log, packet	featured, crimeware, malware, threat
Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow	nw125025	Customers who deploy either Cisco IPS or SourceFire Defense Center may benefit from this log-based Application Rule written to detect indicators to CVE-2016-1287: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow. SourceFire signature IDs utilized to detect this vulnerability are '1:36903' and '1:37674' while Cisco IPS signature IDs are 7169-0 and 7169-1.	log	attack phase, exploit, threat
Clears Security Event Log	clears_security_event_log	Clearing security event log can be a strong indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = clears security event log	endpoint
Clears System Event Log	clears_system_event_log	Clearing security system log can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = clears system event log	endpoint
Cmstar Malware	nw22310	Detects malicious traffic between command and control server and custom downloader cmstart variants. Either the HTTP_lua or HTTP native parser is required. Reference this RSA Link blog post from RSA Research for more details about this threat: https://community.rsa.com/community/products/netwitness/blog/2015/09/30/detecting-cmstar-variants-using-security-analytics	packet	malware, threat, remote access trojans
Combines Binaries Using Command Prompt	combines_binaries_using_command_prompt	Chaining binaries using command prompt can be an indication of someone trying to run multiple malicious commands needed to perform multi-stage attack to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = combines binaries using command prompt	endpoint
Command Line Usage Of Archiving Software	command_line_usage_of_archiving_software	Use of the command line to create archive files demonstrates more advanced use of the tools and is atypical. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = command line usage of archiving software	endpoint
Completes BITS Download Job	completes_bits_download_job	Background Intelligent Transfer Service (BITS) is a Windows component used to transfer files. It has commonly been used for malware distribution. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * ioc = completes bits download job	endpoint
Configures Image Hijacking	configures_image_hijacking	Image File Execution Options (IFEO) enable a developer to attach a debugger to an application. Value of the debugger process can be abused to obtain persistence and privilege escalation by causing a malicious executable to be loaded and by continuous invocation. Malware may also use IFEO for Defense Evasion by registering invalid debuggers that redirect and effectively disable various system and security applications VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * ioc = configures image hijacking	endpoint
Configures Port Redirection	configures_port_redirection	Configuring port redirection can be indication of adversaries can be using connection to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = configures port redirection	endpoint
Copies Binary Over Administrative Share	copies_binary_over_administrative_share	Administrative shares once compromised could be used to distribute malware. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = copies binary over administrative share	endpoint
Created In Last Month	created_in_last_month	Files created in the last month may be reviewed for malicious intent. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = created in last month	endpoint
Creates Browser Extension	creates_browser_extension	Browser extensions or plugins are small programs that can add functionality and customize aspects of internet browsers. Malicious extensions once installed can browse to websites in the background, steal all information that a user enters into a browser and be used as an installer for a RAT for persistence.	endpoint
Creates Domain User Account	creates_domain_user_account	Creating domain user account can be an indication of adversaries with a sufficient level of access creating a domain user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = creates domain user account	endpoint
Creates Executable In Startup Directory	creates_executable_in_startup_directory	Creating executable in startup directory can an indication of someone trying to use startup configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = creates executable in startup directory	endpoint
Creates Local Driver Service	creates_local_driver_service	Creating local driver service can be an indication of someone trying to maintain a persistent access on the system using driver services which can execute under SYSTEM privileges, modify the registry and create back VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = creates local driver service	endpoint
Creates Local Service	creates_local_service	Creating local service can be an indication of someone trying to maintain a persistent presence on the system using local services which can modify the registry, escalate privileges and create backdoor. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = creates local service	endpoint
Creates Local Task	creates_local_task	Creating local task can be an indication of someone trying to use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote execution as part of lateral movement, to gain SYSTEM privileges, or to run a process under the context of a specified account. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = creates local task	endpoint
Creates Local User Account	creates_local_user_account	Creating local user account can be an indication of adversaries with a sufficient level of access creating a local user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = creates local user account	endpoint
Creates Password-Protected Archive	creates_password-protected_archive	Password-protected archive files can be used to exfiltrate sensitive data since contents cannot be examined. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = creates password-protected archive	endpoint
Creates Recursive Archive	creates_recursive_archive	Creating a recursive archive could be an attempt to exfiltrate many files at once. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = creates recursive archive	endpoint
Creates Remote Process Using WMI Command-Line Tool	creates_remote_process_using_wmi_command-line_tool	Creating remote process using WMI command-line tool can be an indication of someone trying to use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for discovery and remote execution of files as part of Lateral Movement. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = creates remote process using wmi command-line tool	endpoint
Creates Remote Service	creates_remote_service	Creating remote service can be an indication of someone trying to maintain a persistent presence on the system using remote services which can modify the registry, escalate privileges and create backdoor. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = creates remote service	endpoint
Creates Remote Task	creates_remote_task	Creating remote task can be an indication of someone trying to use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote execution as part of lateral movement, to gain SYSTEM privileges, or to run a process under the context of a specified account. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = creates remote task	endpoint
Creates Shadow Volume For Logical Drive	creates_shadow_volume_for_logical_drive	Creating shadow volume for logical drive can be indication of someone trying to dump credentials using shadow backup copies of systems to be able to Creates remote taskCreates remote taskgain a privileged foothold, allowing them unfettered access to elevate privileges and move about the network freely without detection. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = creates shadow volume for logical drive	endpoint
Creates Suspicious Service Running Command Prompt	creates_suspicious_service_running_command_prompt	Creates suspicious service running command prompt can be an indication of someone trying to create and run malicious services to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = creates suspicious service running command prompt	endpoint
CryptoShield Ransomware	nw22380	CryptoShield ransomware is being distributed through sites that have been compromised so that when a visitor goes to the site, they will encounter the attack chain. Once the ransomware is executed on the victim's computer, it will generate a unique ID for the victim and an encryption key. This rule detects the upload of this key to the command and control server. DEPENDENCIES Lua Parsers: * HTTP_lua * Form_Data_lua * traffic_flow Feeds: * NetWitness GENERATED META KEYS * ioc = cryptoshield ransomware * inv.category = threat * inv.context = malware, crimeware	packet	crimeware, malware, threat
Cybergate RAT Download	nw110145	Detects an internal network session download of the CyberGate RAT.A network parser that supports population of meta keys of "action" and "filename" is required.Examples of such network parsers are HTTP, FTP, IRC and NFS.	packet	malware, remote access trojans, threat
Daserf Malware	nw22315	Detects malicious inbound and outbound traffic between backdoor/malware Daserf variants and command and control server domain over HTTP. The HTTP_lua parser is a required dependency. Reference this RSA Link blog post from RSA Research for more details about this threat: https://community.rsa.com/community/products/netwitness/blog/2015/09/28/detecting-daserf-variants-using-security-analytics	packet	malware, threat, remote access trojans
Deletes Backup Catalog	deletes_backup_catalog	Deleting backup catalog can be an indication of someone is trying to remove files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = deletes backup catalog	endpoint
Deletes Firewall Rule	deletes_firewall_rule	Deleting firewall rule can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = deletes firewall rule	endpoint
Deletes Shadow Volume Copies	deletes_shadow_volume_copies	Deleting shadow volume copies can be an indication of someone is trying to removefiles over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = deletes shadow volume copies	endpoint
Deletes USN Change Journal	deletes_usn_change_journal	Deleting USN change journal can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = deletes usn change journal	endpoint
Disables Firewall	disables_firewall	Disabling firewall can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = disables firewall	endpoint
Disables Security Service	disables_security_service	Disabling security service can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = disables security service	endpoint
Disables Startup Repair	disables_startup_repair	Disabling startup repair can be an indication of someone is trying to remove files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = disables startup repair	endpoint
Disables UAC	disables_uac	Event viewer executing uncommon binary can be an indication of possible Windows User Account Control (UAC) bypass. Attacker can use these techniques to elevate privileges to administrator if the target process is unprotected. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = disables uac	endpoint
Disables UAC Remote Restrictions	disables_uac_remote_restrictions	Disabling UAC remote restrictions can be an attempt to bypass Windows User Account Control (UAC). Attacker can use these techniques to elevate privileges to administrator if the target process is unprotected. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = disables uac remote restrictions	endpoint
Disables Windows Defender Using Powershell	disables_windows_defender_using_powershell	Disabling windows defender using powershell can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = disables windows defender using powershell	endpoint
DNS Hostnames Resolving Non-Routable IP	nw30010	DNS names that resolve to non-routable IP address. Often used on parked domains.	packet	event analysis, operations, protocol analysis
DNS Over Non-Standard Port	nw60005	DNS traffic over ports other than udp 53	packet	event analysis, operations, protocol analysis
Downloads Binary Using Certutil	downloads_binary_using_certutil	Windows certificate managing utility program - CertUtil can install, backup, delete, manage, and perform various functions related to certificates and certificate stores in Windows. Downloading binary using certutil can be an indication of someone trying to download malicious code to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = downloads binary using certutil	endpoint
Dreambot Malware	nw22375	The Dreambot is a banking trojan spreading via exploit kits and spam e-mails with tor communication and peer-to-peer functionality. This rule detects outbound beaconing activity from infected host. DEPENDENCIES Lua Parsers: * HTTP Lua * Traffic Flow Lua Feeds: * NetWitness GENERATED META KEYS * ioc = dreambot malware * inv.category = threat * inv.context = malware, crimeware	packet	crimeware, featured, malware, threat
Drops Credential Dumping Tools	drops_credential_dumping_tools	Dropping credential dumping tools can be indication of someone trying to bypass all credentials checks to be able to gain a privileged foothold, allowing them unfettered access to elevate privileges and move about the network freely without detection. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * ioc = drops credential dumping library	endpoint
Dumps DNS Cache	dumps_dns_cache	Dumping DNS cache can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = dumps dns cache	endpoint
Dyld Inserted	dyld_inserted	macOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search paths. Adversaries can take advantage of ambiguous paths to plant dylibs to gain privilege escalation or persistence. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = dyld inserted	endpoint
Dyzap Malware	nw22365	Dyzap has the ability to steal usernames and passwords of email, banking and social media accounts. Once the malware infects a victim machine, it starts sending data to its command and control server via an HTTP POST request. This rule detects a variant seen spreading through phishing email messages. Reference this RSA Link blog post from RSA Research for more details about this threat: https://community.rsa.com/community/products/netwitness/blog/2016/11/18/detecting-a-dyzap-variant-using-rsa-netwitness The HTTP_lua and traffic_flow parser are required.	packet	crimeware, malware, threat, remote access trojans
Enables Cleartext Credential Storage	enables_cleartext_credential_storage	Enabling cleartext credential storage can be indication of someone trying to exploit these credentials to be able to gain a privileged foothold, allowing them unfettered access to elevate privileges and move about the network freely without detection. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = enables cleartext credential storage	endpoint
Enables Login Bypass	enables_login_bypass	Accessibility features that may be launched with a key combination before a user has logged in . Enabling login bypass can be an indicator of someone trying to modify the way these programs are launched to maintain a persistent presence on the system which can escalate privileges and create backdoor without logging in to the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * ioc = enables login bypass	endpoint
Enables RDP From Command-Line	enables_rdp_from_command-line	Enabling RDP from command-line can be indication of adversaries trying to connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries may also use RDP in conjunction with the Accessibility Features technique for Persistence or perform RDP session hijacking which involves stealing a legitimate user's remote session. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enables rdp from command-line	endpoint
Enumerates ARP Table	enumerates_arp_table	Enumeration of ARP table can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = enumerates arp table	endpoint
Enumerates Available Systems On Network	enumerates_available_systems_on_network	Enumeration of available systems on network can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = enumerates available systems on network	endpoint
Enumerates Domain Account Policy	enumerates_domain_account_policy	Enumeration of domain account policy can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates domain account policy	endpoint
Enumerates Domain Administrators	enumerates_domain_administrators	Enumeration of domain administrators can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates domain administrators	endpoint
Enumerates Domain Computers	enumerates_domain_computers	Enumeration of domain computers can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates domain computers	endpoint
Enumerates Domain Controllers	enumerates_domain_controllers	Enumeration of domain controllers can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates domain controllers	endpoint
Enumerates Domain Groups	enumerates_domain_groups	Enumeration of domain groups can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates domain groups	endpoint
Enumerates Domain Users	enumerates_domain_users	Enumeration of domain users can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates domain users	endpoint
Enumerates Enterprise Administrators	enumerates_enterprise_administrators	Enumeration of enterprise administrators can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates enterprise administrators	endpoint
Enumerates Exchange Domain Servers	enumerates_exchange_domain_servers	Enumeration of exchange domain servers can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates exchange domain servers	endpoint
Enumerates Exchange Servers	enumerates_exchange_servers	Enumeration of exchange servers can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates exchange servers	endpoint
Enumerates IP Configuration	enumerates_ip_configuration	Enumeration of IP configuration can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = enumerates ip configuration	endpoint
Enumerates Local Account Policy	enumerates_local_account_policy	Enumeration of local account policy can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates local account policy	endpoint
Enumerates Local Administrators	enumerates_local_administrators	Enumeration of local administrators can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates local administrators	endpoint
Enumerates Local Administrators On Domain Controller	enumerates_local_administrators_on_domain_controller	Enumeration of local administrators on domain controller can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates local administrators on domain controller	endpoint
Enumerates Local Groups	enumerates_local_groups	Enumeration of local groups can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates local groups	endpoint
Enumerates Local Services	enumerates_local_services	Enumeration of local services can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = enumerates local services	endpoint
Enumerates Local Users	enumerates_local_users	Enumeration of local users can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates local users	endpoint
Enumerates Logical Disk	enumerates_logical_disk	Enumeration of logical disk can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates logical disk	endpoint
Enumerates Mapped Resources	enumerates_mapped_resources	Enumeration of mapped resources can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = enumerates mapped resources	endpoint
Enumerates Network Connections	enumerates_network_connections	Enumeration of network connections can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = enumerates network connections	endpoint
Enumerates Primary Domain Controller	enumerates_primary_domain_controller	Enumeration of primary domain controller can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates primary domain controller	endpoint
Enumerates Processes On Local System	enumerates_processes_on_local_system	Enumeration of processes on local system can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = enumerates processes on local system	endpoint
Enumerates Processes On Remote System	enumerates_processes_on_remote_system	Enumeration of processes on local system can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates processes on remote system	endpoint
Enumerates Remote Netbios Name Table	enumerates_remote_netbios_name_table	Enumeration of remote netbios name table can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates remote netbios name table	endpoint
Enumerates Remote Resources	enumerates_remote_resources	Enumeration of remote resources can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates remote resources	endpoint
Enumerates Route Table	enumerates_route_table	Enumeration of routing table can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = enumerates route table	endpoint
Enumerates Services Hosted In Processes	enumerates_services_hosted_in_processes	Enumeration of services hosted in processes can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = enumerates services hosted in processes	endpoint
Enumerates System Info	enumerates_system_info	Enumeration of system information can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates system info	endpoint
Enumerates Trusted Domains	enumerates_trusted_domains	Enumeration of trusted domains can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = enumerates trusted domains	endpoint
Etc Password Get Request	nw50005	Detects a get request for "/etc/passwd"	log, packet	action on objectives, attack phase, data exfiltration, threat
Etc Shadow Get Request	nw50010	Detects attempted get request for /etc/shadow	log, packet	action on objectives, attack phase, data exfiltration, threat
Event Viewer Executes Uncommon Binary	event_viewer_executes_uncommon_binary	Event viewer executing uncommon binary can be an indication of possible Windows User Account Control (UAC) bypass. Attacker can use these techniques to elevate privileges to administrator if the target process is unprotected. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = event viewer executes uncommon binary	endpoint
exe filetype but not exe extension	exe_filetype_but_not_exe_extension	An executable was detected in the session but no filename with an "exe" extension was seen in the same session.	packet	operations, event analysis, file analysis
Executable In ADS	executable_in_ads	Leveraging Alternate Data Streams can be a way to mask a malicious file inside a data stream of another binary, which can then be executed by launching the file it is forked into	endpoint
Exports Sensitive Registry Hive	exports_sensitive_registry_hive	Exporting sensitive registry hive can be indication of someone trying to exploit these credentials and registry values to be able to gain a privileged foothold, allowing them unfettered access to elevate privileges and move about the network freely without detection. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = exports sensitive registry hive	endpoint
Extracts Password-Protected Archive	extracts_password-protected_archive	Password-protected archive files can be used to secure sensitive data since contents cannot be examined. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = extracts password-protected archive	endpoint
File Encrypted	file_encrypted	File is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = file encrypted	endpoint
File Hidden	file_hidden	To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a hidden file. Adversaries can use this to their advantage to hide files and folders anywhere on the system for persistence and evading a typical user or system analysis that does not incorporate investigation of hidden files. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = file hidden	endpoint
File Path Not Part Of RPM	file_path_not_part_of_rpm	Installation or updates of software on Linux systems is typically done through an RPM. Executables outside of this packing format could be considered suspicious. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = file path not part of rpm	endpoint
File Path Not Part Of RPM In Important System Directory	file_path_not_part_of_rpm_in_important_system_directory	Installation or updates of software on Linux systems is typically done through an RPM. Executables outside of this packing format could be considered suspicious. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = file path not part of rpm in important system directory	endpoint
File Transport over ICMP	nw110025	Detects files transported over ICMP.	log, packet	event analysis, file analysis, operations
File Transport Over Unknown Protocol	nw110030	Detects files transported over unknown protocols.	packet	event analysis, operations, protocol analysis
File Vault Disabled	file_vault_disabled	FileVault full-disk encryption (FileVault 2) uses XTS-AES-128 encryption with a 256-bit key to help prevent unauthorized access to the information on your startup disk. Disabling this feature will decrypt the information on your startup disk.	endpoint
Filter Adobe Updates	nw140050	Filters executables associated with Adobe Updates	packet	event analysis, filters, operations
Filter Google Updates	nw140020	Filters executable updates for google tools	packet	event analysis, filters, operations
Filter Intel Updates	nw140035	Filters executables associated with Intel Updates	packet	event analysis, filters, operations
Filter Java Updates	nw140015	Filters executables involved with java updates	packet	event analysis, filters, operations
Filter Macromedia Updates	nw140030	Filters macromedia update executables	packet	event analysis, filters, operations
Filter Mcafee Updates	nw140045	Filters executables associated with Mcafee updates	packet	event analysis, filters, operations
Filter Skype Updates	nw140010	Filters skype update executables.	packet	event analysis, filters, operations
Filter Symantec Updates	nw140025	Filters Symantec Update executables	packet	event analysis, filters, operations
Filter VMWare Updates	nw140040	Filters executables associated with VMWare Updates	packet	event analysis, filters, operations
Filter Windows Updates	nw140005	Filters executable downloads from Windows Update.	packet	event analysis, filters, operations
Floating Module	floating_module	Detects a floating code module as a result of DLL injection. This may result in an attacker gaining access to internal resources, escalating privileges or disguising malicious behavior under a legitimate process.	endpoint
Floating Module And Hooking	floating_module_and_hooking	Detects floating code as a result of hooking. The attacker masks malicious behavior under the process.	endpoint
Floating Module In Browser Process	floating_module_in_browser_process	Detects a floating code module as a result of DLL injection. The attacker masks malicious behavior under the legitimate browser process.	endpoint
Floating Module In OS Process	floating_module_in_os_process	Detects a floating code module as a result of DLL injection. The attacker masks malicious behavior under the legitimate OS process.	endpoint
Gatekeeper Disabled	gatekeeper_disabled	Gatekeeper is a security feature of the Mac OS operating system. It enforces code signing and verifies downloaded applications before allowing them to run, thereby reducing the likelihood of inadvertently executing malware.	endpoint
Gets Current User As SYSTEM	gets_current_user_as_system	Trying to find current user as SYSTEM can be an indication of someone trying to discover potential attack vectors in the system , and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = gets current user as system	endpoint
Gets Current Username	gets_current_username	Trying to find current username information can be an indication of someone trying to discover potential attack vectors in the system , and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = gets current username	endpoint
Gets Current Username And Group Information	gets_current_username_and_group_information	Trying to find current username and group information can be an indication of someone trying to discover potential attack vectors in the system , and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = gets current username and group information	endpoint
Gets Hostname	gets_hostname	Enumeration of hostnames can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = gets hostname	endpoint
Gets Remote Time	gets_remote_time	getting remote time can be an indication of someone trying to gather information that could be useful for performing other techniques, such as executing a file with a Scheduled Task, or to discover locality information based on time zone to assist in victim targeting. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = gets remote time	endpoint
GINA Replacement	gina_replacement	GINA is the Graphical Identification and Authentication component of Windows and handles the logon screen that we're all familiar with. GINA DLL can be replaced with another DLL to intercept credentials. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = gina replacement	endpoint
Graylisted File	graylisted_file	An analyst may mark files as graylisted within NetWitness Endpoint. If actions on an endpoint involve those graylisted files as the source, then this rule will trigger. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = graylisted file	endpoint
Hidden In AppData	hidden_in_appdata	Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.	endpoint
Hidden Plist And Autorun	hidden_plist_and_autorun	plist (Property List) is a flexible and convenient format for storing application data. Adversaries can modify these plist files to point to their own code, can use them to execute their code in the context of another user, bypass whitelisting procedures, or even use them as a persistence mechanism. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = hidden plist and autorun	endpoint
Hidden Running As Root	hidden_running_as_root	A file is typically hidden to prevent users from accidentally changing them on a filesystem. A hidden file running with root privileges may indicate an attacker behavior to evade detection and install malware to maintain persistence.	endpoint
High Risk File From Blacklisted Host	nw20065	Executable download from a host on a blacklist feed.	packet	attack phase, delivery, threat
Hooks Audio Output Function	hooks_audio_output_function	A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = hooks audio output function	endpoint
Hooks Authentication Function	hooks_authentication_function	A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = hooks authentication function	endpoint
Hooks Crypto Function	hooks_crypto_function	A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = hooks crypto function	endpoint
Hooks DnsQuery Function	hooks_dnsquery_function	A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = hooks dnsquery function	endpoint
Hooks GUI Function	hooks_gui_function	A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = hooks gui function	endpoint
Hooks Network HTTP Function	hooks_network_http_function	A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = hooks network http function	endpoint
Hooks Network IO Function	hooks_network_io_function	A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = hooks network io function	endpoint
Hooks NtLdr Function	hooks_ntldr_function	A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = hooks ntldr function	endpoint
Hooks Registry Access Function	hooks_registry_access_function	A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = hooks registry access function	endpoint
Hooks Registry Enumeration Function	hooks_registry_enumeration_function	A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = hooks registry enumeration function	endpoint
HTTP Daemon Runs Command Prompt	http_daemon_runs_command_prompt	HTTP daemon running command prompt can be an indication of web shell trying to run malicious commands which may may serve as Redundant Access or as a persistence mechanism in case an adversary's primary access methods are detected and removed. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = http daemon runs command prompt	endpoint
HTTP Daemon Runs Powershell	http_daemon_runs_powershell	HTTP daemon running powershell can be an indication of web shell trying to run malicious commands which may may serve as Redundant Access or as a persistence mechanism in case an adversary's primary access methods are detected and removed. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = http daemon runs powershell	endpoint
HTTP Daemon Runs Reconnaissance Tool	http_daemon_runs_reconnaissance_tool	HTTP daemon running reconnaissance tool can be an indication of web shell trying to run malicious commands which may may serve as Redundant Access or as a persistence mechanism in case an adversary's primary access methods are detected and removed. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = http daemon runs reconnaissance tool	endpoint
HTTP Daemon Writes Executable	http_daemon_writes_executable	HTTP daemon running writing executable can be an indication of web shell trying to run malicious commands which may may serve as Redundant Access or as a persistence mechanism in case an adversary's primary access methods are detected and removed. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = http daemon writes executable	endpoint
HTTP over Non-Standard Port	nw60020	http traffic over a port other than 80	packet	event analysis, operations, protocol analysis
HttpBrowser Malware	nw22325	Detects malicious outbound traffic between HttpBrowser Malware variants and command and control server. Either the HTTP_lua or HTTP native parser is required. Reference this RSA Link blog post from RSA Research for more details about this threat: https://community.rsa.com/community/products/netwitness/blog/2016/02/10/detecting-httpbrowser-variants-using-security-analytics	packet	malware, threat, remote access trojans
IE DEP Disabled	ie_dep_disabled	Disabling IE DEP can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = ie dep disabled	endpoint
IE Enhanced Security Disabled	ie_enhanced_security_disabled	Disabling IE enhanced security can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = ie enhanced security disabled	endpoint
In AppData Directory	in_appdata_directory	These locations are used often by malware authors to store malicious payloads, with autoruns in place to ensure persistence. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = in appdata directory	endpoint
In Hidden Directory	in_hidden_directory	To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a hidden file. Adversaries can use this to their advantage to hide files and folders anywhere on the system for persistence and evading a typical user or system analysis that does not incorporate investigation of hidden files. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = in hidden directory	endpoint
In Recycle Bin Directory	in_recycle_bin_directory	A file found in recycle bin directory may be suspicious.	endpoint
In Root Of AppDataLocal Directory	in_root_of_appdatalocal_directory	These locations are used often by malware authors to store malicious payloads, with autoruns in place to ensure persistence. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = in root of appdatalocal directory	endpoint
In Root Of AppDataRoaming Directory	in_root_of_appdataroaming_directory	These locations are used often by malware authors to store malicious payloads, with autoruns in place to ensure persistence. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = in root of appdataroaming directory	endpoint
In Root Of Logical Drive	in_root_of_logical_drive	While the majority of programs are stored in folders on a system, it is uncommon to see a binary in the root of for example, "C:" directory. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file boc = in root of logical drive	endpoint
In Root Of Program Directory	in_root_of_program_directory	These locations are used often by malware authors to store malicious payloads, with autoruns in place to ensure persistence. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = in root of program directory	endpoint
In Root Of Users Directory	in_root_of_users_directory	These locations are used often by malware authors to store malicious payloads, with autoruns in place to ensure persistence. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file boc = in root of users directory	endpoint
In System Volume Information Directory	in_system_volume_information_directory	VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = in system volume information directory	endpoint
In Temporary Directory	in_temporary_directory	These locations are used often by malware authors to store malicious payloads, with autoruns in place to ensure persistence. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = in temporary directory	endpoint
In Uncommon Directory	in_uncommon_directory	A file found in an uncommon directory may be suspicious.	endpoint
Installs Root Certificate	installs_root_certificate	Installing root certificate on a compromised system can be an indication of an adversary trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = installs root certificate	endpoint
Invalid Signature	invalid_signature	This indicates that code may have been altered or corrupted since it was signed. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = invalid signature	endpoint
IRC File Transfer	nw00015	Rules looks for file transfers via IRC	packet	event analysis, operations, protocol analysis
Kext Signature Validation Disabled	kext_signature_validation_disabled	Kext signature validation is a code signing requirement for all extensions and drivers located in the extensions folder. Disabling that feature may expose the system to unsigned rootkits or other malware.	endpoint
KeyBase Keylogger	nw22340	Detects malicious outbound traffic between KeyBase Keylogger and command and control server. Either the HTTP_lua or HTTP native parser and traffic_flow parser is required. Reference this RSA Link blog post from RSA Research for more details about this threat: https://community.rsa.com/community/products/netwitness/blog/2015/06/25/detecting-keybase-variants-using-security-analytics	packet	key loggers, malware, threat
Large Outbound Encrypted session	nw110045	Detects an Outbound encrypted session where the data size is greater than 5MB.	packet	action on objectives, assurance, attack phase, compliance, corporate, data exfiltration, threat
Large Outbound Session	nw110060	Detects outbound session (encrypted or non-encrypted) where the data size is greater than 5MB. DEPENDENCIES Lua Parsers: * traffic_flow Feeds: * Investigation * Hunting GENERATED META KEYS boc = large outbound data transfer inv.category = assurance *inv.context = compliance, corporate	packet	action on objectives, assurance, attack phase, compliance, corporate, data exfiltration, threat
LD Preload	ld_preload	Environment variables can be used to dynamically load a library in a process which can be used to intercept API calls from the running process.	endpoint
Library Preferences Directory	library_preferences_directory	"Adversaries can use list of specific applications to run when a user logs in. These login items are stored in the users ~/Library/Preferences/ directory in a plist file called com.apple.loginitems.plist VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = library preferences directory"	endpoint
Lists Anti-Spyware Products	lists_anti-spyware_products	Listing anti-spyware products can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = lists anti-spyware products	endpoint
Lists Antivirus Products	lists_antivirus_products	Listing antivirus products can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = lists antivirus products	endpoint
Lists Firewall Products	lists_firewall_products	Listing firewall products can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = lists firewall products	endpoint
Locky Malware	nw22355	Detects malicious outbound traffic between a system infected with Locky Ransomware and command and control server. REFERENCES Reference this RSA Link blog post from RSA Research for more details about this threat: https://community.rsa.com/community/products/netwitness/blog/2016/10/03/nemucod-and-locky DEPENDENCIES Lua Parsers * HTTP_lua * traffic_flow Feeds * NetWitness GENERATED META KEYS * ioc = locky malware * inv.category = threat * inv.context = malware, crimeware	packet	crimeware, malware, threat
Login Bypass Configured	login_bypass_configured	Accessibility features that may be launched with a key combination before a user has logged in . A login bypass can be an indicator of someone trying to modify the way these programs are launched to maintain a persistent presence on the system which can escalate privileges and create backdoor without logging in to the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = login bypass configured	endpoint
LSASS Access	lsass_access	Detects suspicious access to lsass.exe through sysmon logs. This process access indicates probable credential dumping. DEPENDENCIES Log Parsers: * At least one of the Windows log device parsers Feeds: * Investigation GENERATED META KEYS * ioc = lsass access * inv.category = identity, threat * inv.context = attack phase, action on objectives, lateral movement	log	action on objectives, attack phase, identity, lateral movement, threat
LUA Disabled	lua_disabled	Windows User Account Controls (UAC) will not notify the user when programs try to make changes to the computer. UAC was formerly known as Limited User Account (LUA). This can be an attempt to bypass UAC. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = lua disabled	endpoint
Mac Firewall Disabled	mac_firewall_disabled	Disabling firewall can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.	endpoint
Malicious File By Reputation Service	malicious_file_by_reputation_service	Files reported as malicious by reputation service indicates execution of files and hashes of which are tagged as malicious. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * ioc = malicious file by reputation service	endpoint
Maps Administrative Share	maps_administrative_share	Mapping administrative share can be an indicator of someone trying for lateral movement or privilege escalation by using hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions	endpoint
Maps IPC$ Share	maps_ipc$_share	Mapping IPC$ share can be an indicator of someone trying for lateral movement or privilege escalation by using hidden IPC$ shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = maps ipc$ share	endpoint
Mirage Malware	nw22305	Detects malicious outbound traffic due to installation of Mirage malware. The HTTP_lua parser is a required dependency. Reference this RSA Link blog post from RSA Research for more details about this threat: https://community.rsa.com/community/products/netwitness/blog/2015/11/10/detecting-mirage-variants-using-security-analytics	packet	malware, threat, remote access trojans
Misleading File Extension	misleading_file_extension	Misleading file extension can be an indication of someone pretending to be an authorized file extension in order to gain access or to gain greater privileges than authorized. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = misleading file extension	endpoint
Modifies Registry Using Command-Line Registry Tool	modifies_registry_using_command-line_registry_tool	Modifying registry using command-line registry tool can be an indication of adversaries trying to interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in Persistence and Execution. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = modifies registry using command-line registry tool	endpoint
Modifies Run Key	modifies_run_key	Modifying run key can be an indication of someone trying to use startup configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = modifies run key	endpoint
Modifies Shell-Open-Command File Association	modifies_shell-open-command_file_association	File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access. Modifying shell-open-command file association can be an attempt to execute arbitrary commands in order to maintain persistence and remain undetected. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = modifies shell-open-command file association	endpoint
Mshta Runs Command Prompt	mshta_runs_command_prompt	Mshta.exe executes Microsoft HTML Applications (HTA). Attackers can use mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. It is suspicious for Mshta to run a command prompt. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = mshta runs command prompt	endpoint
Mshta Runs Powershell	mshta_runs_powershell	Mshta.exe executes Microsoft HTML Applications (HTA). Attackers can use mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. It is suspicious for Mshta to run powershell. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = mshta runs powershell	endpoint
Mshta Runs Scripting Engine	mshta_runs_scripting_engine	Mshta.exe executes Microsoft HTML Applications (HTA). Attackers can use mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. It is suspicious for Mshta to execute a scripting engine. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = mshta runs scripting engine	endpoint
Mshta Writes Executable	mshta_writes_executable	Mshta.exe executes Microsoft HTML Applications (HTA). Attackers can use mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. It is suspicious for Mshta to write an executable. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * ioc = mshta writes executable	endpoint
Named Pipe into LSASS	named_pipe_into_lsass	Detects when a suspicious Named Pipe is created or connected to target process of LSASS. This is detected through sysmon logs and indicates probable credential dumping. DEPENDENCIES Log Parsers: * At least one of the Windows log device parsers Feeds: * Investigation GENERATED META KEYS * ioc = named pipe into lsass * inv.category = identity, threat * inv.context = attack phase, action on objectives, lateral movement	log	action on objectives, attack phase, identity, lateral movement, threat
NetTraveler Malware	nw22345	Detects malicious outbound traffic between Malware NetTraveler and command and control server. Either the HTTP_lua or HTTP native parser and traffic_flow parser is required. Reference this RSA Link blog post from RSA Research for more details about this threat: https://community.rsa.com/thread/185492	packet	malware, threat, remote access trojans
Network Access	network_access	A process is trying to get network access. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = network access	endpoint
NGINX HTTP Server	nw30015	Detects web servers running nginx, which is often used for malicious purposes.	log, packet	application analysis, event analysis, operations
No Antivirus Notification Disabled	no_antivirus_notification_disabled	Disabling no antivirus notification can be an indication of an adversary attempting to block indicators or event notifications, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = no antivirus notification disabled	endpoint
No Firewall Notification Disabled	no_firewall_notification_disabled	Disabling no firewall notification can be an indication of an adversary attempting to block indicators or event notifications, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = no firewall notification disabled	endpoint
No UAC Notification Disabled	no_uac_notification_disabled	Disabling no UAC notification can be an indication of an adversary attempting to block indicators or event notifications, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = no uac notification disabled	endpoint
No Windows Update Notification Disabled	no_windows_update_notification_disabled	Disabling no Windows update notification can be an indication of an adversary attempting to block indicators or event notifications, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * eoc = no windows update notification disabled	endpoint
Non-Microsoft Modifies Bad Certificate Warning Setting	non-microsoft_modifies_bad_certificate_warning_setting	Non-Microsoft modifing bad certificate warning setting can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = non-microsoft modifies bad certificate warning setting	endpoint
Non-Microsoft Modifies Firewall Policy	non-microsoft_modifies_firewall_policy	Non-Microsoft modifing firewall policy can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = non-microsoft modifies firewall policy	endpoint
Non-Microsoft Modifies Internet Zone Setting	non-microsoft_modifies_internet_zone_setting	Adding firewall rule can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = non-microsoft modifies internet zone setting	endpoint
Non-Microsoft Modifies LUA Setting	non-microsoft_modifies_lua_setting	Non-Microsoft modifing LUA setting can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = non-microsoft modifies lua setting	endpoint
Non-Microsoft Modifies Registry Editor Setting	non-microsoft_modifies_registry_editor_setting	Non-Microsoft modifing registry editor setting can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = non-microsoft modifies registry editor setting	endpoint
Non-Microsoft Modifies Security Center Config	non-microsoft_modifies_security_center_config	Non-Microsoft modifing security center config can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = non-microsoft modifies security center config	endpoint
Non-Microsoft Modifies Services ImagePath	non-microsoft_modifies_services_imagepath	Non-Microsoft modifing services ImagePath can be an indication of someone trying to modify an existing service to persist malware on a system by using system utilities or by using custom tools to interact with the Windows API VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = non-microsoft modifies services imagepath	endpoint
Non-Microsoft Modifies Task Manager Setting	non-microsoft_modifies_task_manager_setting	Non-Microsoft modifing task manager setting can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = non-microsoft modifies task manager setting	endpoint
Non-Microsoft Modifies Windows System Policy	non-microsoft_modifies_windows_system_policy	Non-Microsoft modifieing windows system policy can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = non-microsoft modifies windows system policy	endpoint
Non-Microsoft Modifies Zone Crossing Warning Setting	non-microsoft_modifies_zone_crossing_warning_setting	Non-Microsoft modifing zone crossing warning setting can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = non-microsoft modifies zone crossing warning setting	endpoint
Non-Standard Port Use - DHCP	nw60035	Identifies dhcp traffic over a port that is not typically used for dhcp	packet	event analysis, operations, protocol analysis
Non-Standard Port Use - FTP	nw60015	ftp over ports other than TCP 21	packet	event analysis, operations, protocol analysis
Non-Standard Port Use - H323	nw60095	Identifies h323 traffic over a port that is not typically used for h323.	packet	event analysis, operations, protocol analysis
Non-Standard Port Use - IRC	nw60110	Identifies irc traffic over a port that is not typically used for irc.	packet	event analysis, operations, protocol analysis
Non-Standard Port Use - NetBios	nw60060	Identifies netbios traffic over a port that is not typically used for netbios.	packet	event analysis, operations, protocol analysis
Non-Standard Port Use - NNTP	nw60050	Identifies nntp traffic over a port that is not typically used for nntp.	packet	event analysis, operations, protocol analysis
Non-Standard Port Use - POP3	nw60045	Identifies pop3 traffic over a port that is not typically used for pop3.	packet	event analysis, operations, protocol analysis
Non-Standard Port Use - RIP	nw60080	Identifies rip traffic over a port that is not typically used for rip.	packet	event analysis, operations, protocol analysis
Non-Standard Port Use - RPC	nw60055	Identifies rpc traffic over a port that is not typically used for rpc.	packet	event analysis, operations, protocol analysis
Non-Standard Port Use - RTP	nw60100	Identifies rto traffic over a port that is not typically used for rtp.	packet	event analysis, operations, protocol analysis
Non-Standard Port Use - SIP	nw60105	Identifies sip traffic over a port that is not typically used for sip	packet	event analysis, operations, protocol analysis
Non-Standard Port Use - SMB	nw60065	Identifies smb traffic over a port that is not typically used for smb.	packet	event analysis, operations, protocol analysis
Non-Standard Port Use - SMTP	nw60030	Identifies smtp traffic over a port that is not typically used for smtp.	packet	event analysis, operations, protocol analysis
Non-Standard Port Use - SNMP	nw60070	Identifies snmp traffic over a port that is not typically used for snmp.	packet	event analysis, operations, protocol analysis
Non-Standard Port Use - SSH	nw60025	Identifies ssh traffic over a port that is not typically used for ssh.	packet	event analysis, operations, protocol analysis
Non-Standard Port Use - SSL	nw60075	Identifies ssl traffic over a port that is not typically used for ssl.	packet	event analysis, operations, protocol analysis
Non-Standard Port Use - TDS	nw60085	Identifies tds traffic over a port that is not typically used for tds.	packet	event analysis, operations, protocol analysis
Non-Standard Port Use - Telnet	nw60010	telnet over ports other than TCP 23	packet	event analysis, operations, protocol analysis
Non-Standard Port Use - TFTP	nw60040	Identifies tftp traffic over a port that is not typically used for tftp.	packet	event analysis, operations, protocol analysis
Non-Standard Port Use - TNS	nw60090	Identifies tns traffic over a port that is not typically used for tns.	packet	event analysis, operations, protocol analysis
NTDSXTRACT Tool Download	nw110130	Detects an internal network session download of NTDSXTRACT. NTDSXTRACT is a tool framework for extracting data from the active directory database file NTDS.DIT.At least one of the network parsers supporting meta of action and filename is required,which may include HTTP, FTP, IRC and NFS.	packet	action on objectives, application analysis, attack phase, data exfiltration, event analysis, operations, threat
NTP DDoS Attack 234-byte Request: Netflow	nw50032	10.4 or higher.Detects UDP/123 traffic with a 234-byte payload over Netflow. This is indicative of an NTP request generated by a monlist command.	log	action on objectives, attack phase, denial of service, threat
NTP DDoS Attack 234-byte Request: Packets	nw50022	Detects UDP/123 traffic with a 234-byte payload. This is indicative of an NTP request generated by a monlist command.	packet	action on objectives, attack phase, denial of service, threat
NTP DDoS Attack 50-byte Request: Netflow	nw50030	10.4 or higher.Detects UDP/123 traffic with a 50-byte payload over Netflow. This is indicative of a potential NTP DDoS attack tool.	log	action on objectives, attack phase, denial of service, threat
NTP DDoS Attack 50-byte Request: Packets	nw50020	Detects UDP/123 traffic with a 50-byte payload. This is indicative of a potential NTP DDoS attack tool.	packet	action on objectives, attack phase, denial of service, threat
NTP DDoS Attack 60-byte Request: Netflow	nw50031	10.4 or higher.Detects UDP/123 traffic with a 60-byte payload over NetFlow. This is indicative of the NTP request size initiated by the ntpdos.py attack script.	log	action on objectives, attack phase, denial of service, threat
NTP DDoS Attack 60-byte Request: Packets	nw50021	Detects UDP/123 traffic with a 60-byte payload. This is indicative of the NTP request size initiated by the ntpdos.py attack script.	packet	action on objectives, attack phase, denial of service, threat
NWFL_access:data-access	NWFL_DataAccess	NWFL App Rule to support Informer Reports	log	assurance, audit, compliance
NWFL_access:privilege-escalation-failure	NWFL_PrivEscalateFail	NWFL App Rule to support Informer Reports	log	assurance, audit, authorization, compliance, identity
NWFL_access:privilege-escalation-success	NWFL_PrivEscalateSuccess	NWFL App Rule to support Informer Reports	log	assurance, audit, authorization, compliance, identity
NWFL_access:remote-failure	NWFL_RemoteAccessFail	NWFL App Rule to support Informer Reports	log	assurance, audit, authentication, compliance, identity
NWFL_access:remote-success	NWFL_RemoteAccessSuccess	NWFL App Rule to support Informer Reports	log	assurance, audit, authentication, compliance, identity
NWFL_access:user-access-revoked	NWFL_UserAccessRevoke	NWFL App Rule to support Informer Reports	log	assurance, audit, authorization, compliance, identity
NWFL_account:account-disabled	NWFL_AccountDisabled	NWFL App Rule to support Informer Reports	log	assurance, audit, authorization, compliance, identity
NWFL_account:auth-success	NWFL_AuthSuccess	NWFL App Rule to support Informer Reports	log	assurance, audit, authorization, compliance, identity
NWFL_account:created	NWFL_AccountCreated	NWFL App Rule to support Informer Reports	log	assurance, audit, authorization, compliance, identity
NWFL_account:deleted	NWFL_AccountDeleted	NWFL App Rule to support Informer Reports	log	assurance, audit, authorization, compliance, identity
NWFL_account:group-management	NWFL_GroupMgmt	NWFL App Rule to support Informer Reports	log	assurance, audit, authorization, compliance, identity
NWFL_account:login-and-logout	NWFL_LoginLogout	NWFL App Rule to support Informer Reports	log	assurance, audit, authentication, compliance, identity
NWFL_account:logon-failure	NWFL_LoginFailure	NWFL App Rule to support Informer Reports	log	assurance, audit, authentication, compliance, identity
NWFL_account:logon-success	NWFL_LoginSuccess	NWFL App Rule to support Informer Reports	log	assurance, audit, authentication, compliance, identity
NWFL_account:logon-success-direct-access	NWFL_LoginDirectAccessSuccess	NWFL App Rule to support Informer Reports	log	assurance, audit, authentication, compliance, identity
NWFL_account:logout	NWFL_Logout	NWFL App Rule to support Informer Reports	log	assurance, audit, authentication, compliance, identity
NWFL_account:modified	NWFL_AccountModified	NWFL App Rule to support Informer Reports	log	assurance, audit, authorization, compliance, identity
NWFL_account:password-change	NWFL_PasswordChange	NWFL App Rule to support Informer Reports	log	assurance, audit, authorization, compliance, identity
NWFL_account:user-accessing-file-servers	NWFL_UserAccessFilesrv	NWFL App Rule to support Informer Reports	log	assurance, audit, authorization, compliance, identity
NWFL_alm:cardholder-data	NWFL_AccessCardholderData	NWFL App Rule to support Informer Reports	log	assurance, audit, compliance
NWFL_alm:error-event-types	NWFL_ErrorEventTypes	NWFL App Rule to support Informer Reports	log	assurance, audit, compliance
NWFL_alm:firmware-config-changes	NWFL_FirmwareConfigChange	NWFL App Rule to support Informer Reports	log	assurance, audit, compliance
NWFL_alm:inbound-network-traffic	NWFL_InboundTraffic	NWFL App Rule to support Informer Reports	log	assurance, audit, compliance, event analysis, flow analysis, operations
NWFL_alm:outbound-network-traffic	NWFL_OutboundTraffic	NWFL App Rule to support Informer Reports	log	assurance, audit, compliance, event analysis, flow analysis, operations
NWFL_alm:system-clock-synch	NWFL_ClockSynch	NWFL App Rule to support Informer Reports	log	assurance, audit, compliance
NWFL_av:signature-update	NWFL_AVSignatureUpdate	NWFL App Rule to support Informer Reports	log	assurance, audit, compliance, risk, vulnerability management
NWFL_av:virus-summary	NWFL_AVSummary	NWFL App Rule to support Informer Reports	log	assurance, audit, compliance
NWFL_config:change-audit-setting	NWFL_AuditSettingChange	NWFL App Rule to support Informer Reports	log	assurance, audit, compliance
NWFL_config:config-changes	NWFL_ConfigChanges	NWFL App Rule to support Informer Reports	log	assurance, audit, compliance
NWFL_config:fw-config-changes	NWFL_FirewallConfigChange	NWFL App Rule to support Informer Reports	log	assurance, audit, compliance
NWFL_config:router-change	NWFL_RouterConfigChange	NWFL App Rule to support Informer Reports	log	assurance, audit, compliance
NWFL_encryption:failures	NWFL_EncryptFailures	NWFL App Rule to support Informer Reports	log	assurance, audit, compliance
NWFL_encryption:key-gen-and-changes	NWFL_EncryptKeyGenChanges	NWFL App Rule to support Informer Reports	log	assurance, audit, compliance
NWFL_encryption:success	NWFL_EncryptSuccess	NWFL App Rule to support Informer Reports	log	assurance, audit, compliance
NWFL_fw:categories	NWFL_FirewallRuleCat	NWFL App Rule to support Informer Reports	log	assurance, audit, compliance
NWFL_fw:inbound-network-traffic	NWFL_FWInboundTraffic	NWFL App Rule to support Informer Reports	log	assurance, audit, compliance, event analysis, flow analysis, operations
NWFL_fw:outbound-network-traffic	NWFL_FWOutboundTraffic	NWFL App Rule to support Informer Reports	log	assurance, audit, compliance, event analysis, flow analysis, operations
NWFL_fw:url-block	NWFL_URLBlock	NWFL App Rule to support Informer Reports	log	assurance, audit, compliance
NWFL_fw:url-filetypes	NWFL_URLFiletypes	NWFL App Rule to support Informer Reports	log	assurance, audit, compliance, event analysis, file analysis, operations
NWFL_host:windows:account-disabled	NWFL_WinAcctDisabled	NWFL App Rule to support Informer Reports	log	assurance, audit, authorization, compliance, identity
NWFL_host:windows:file-access	NWFL_WinFileAccess	NWFL App Rule to support Informer Reports	log	assurance, audit, compliance
NWFL_host:windows:local-group-account-changes	NWFL_WinLocalGrpChange	NWFL App Rule to support Informer Reports	log	assurance, audit, authorization, compliance, identity
NWFL_host:windows:user-group-account-changes	NWFL_WinUsrGroupChange	NWFL App Rule to support Informer Reports	log	assurance, audit, authorization, compliance, identity
NWFL_intrusion:all-activity	NWFL_IntrusionAllActivity	NWFL App Rule to support Informer Reports	log	assurance, audit, compliance
NWFL_ops:mailserver-errors	NWFL_MailserverErrors	NWFL App Rule to support Informer Reports	log	assurance, audit, compliance
NWFL_wireless:AdminOperations	NWFL_WirelessAdminOps	NWFL App Rule to support Informer Reports	log	assurance, audit, compliance
Office Application Crashed	office_application_crashed	Microsoft Office application crashes can happen fairly frequently, but this may be interesting in combination with other indicators involving those applications. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = office application crashed	endpoint
Office Application Injects Remote Process	office_application_injects_remote_process	A Microsoft Office application injecting a remote process may indicate a spearphishing attachment with a malicious payload. Process injection may enable an attacker to gain access to system resources or elevate privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = office application injects remote process	endpoint
Office Application Runs BITS	office_application_runs_bits	A Microsoft Office application running Background Intelligent Transfer Service (BITS) may indicate a spearphishing attachment with a malicious payload. BITS may be used to exfiltrate data outside the environment. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = office application runs bits	endpoint
Office Application Runs Command Prompt	office_application_runs_command_prompt	A Microsoft Office application running the command prompt may indicate a spearphishing attachment with a malicious payload has been executed. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = office application runs command prompt	endpoint
Office Application Runs Powershell	office_application_runs_powershell	A Microsoft Office application running powershell may indicate a spearphishing attachment with a malicious payload has been executed. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = office application runs powershell	endpoint
Office Application Runs Scripted FTP	office_application_runs_scripted_ftp	A Microsoft Office application running scripted FTP may indicate a spearphishing attachment with a malicious payload. FTP may be used to exfiltrate data outside the environment. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = office application runs scripted ftp	endpoint
Office Application Runs Scripting Engine	office_application_runs_scripting_engine	A Microsoft Office application running a scripting engine may indicate a spearphishing attachment with a malicious payload has been executed. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = office application runs scripting engine	endpoint
Office Application Runs Task Scheduler	office_application_runs_task_scheduler	A Microsoft Office application running a job or scheduling a task may indicate a spearphishing attachment with a malicious payload. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = office application runs task scheduler	endpoint
Office Application Runs WMI Scripting Engine	office_application_runs_wmi_scripting_engine	A Microsoft Office application running Windows Management Instrumentation (WMI) may indicate a spearphishing attachment with a malicious payload. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = office application runs wmi scripting engine	endpoint
Office Application Writes Executable	office_application_writes_executable	A Microsoft Office application writing an executable may indicate a spearphishing attachment with a malicious payload. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = office application writes executable	endpoint
Only ACK Flag Set in Session Containing Payload	nw30005	Alerts when sessions containing payload have only ACK flag set.	packet	event analysis, operations, protocol analysis
Opens Browser Process	opens_browser_process	When a file not digitally signed by apple opens broswer process it might indicate adversary effort for process injection into browser. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = opens browser process	endpoint
Opens OS Process	opens_os_process	This may indicate Process injection which is a method of executing arbitrary code in the address space of a separate live process. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = opens os process	endpoint
Opens Process	opens_process	This may indicate Process injection which is a method of executing arbitrary code in the address space of a separate live process. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = opens process	endpoint
Outbound MS Outlook PFF file	nw110085	Detects outbound MS Outlook PFFs (Personal Folder Files). It does not differentiate between type of PFF (e.g.: .pst, .ost, .pab).NOTE: This depends on the Lua parser - fingerprint_pff.lua - for detecting PFF filetype. This parser needs to be enabled in order for this rule to work.	log, packet	action on objectives, attack phase, data exfiltration, threat
Outbound Session Greater Than 1GB	outbound_session_greater_than_1gb	Detects and generates meta after a session with a high percentage of payload transmitted outbound reaches 1GB, 2GB and 3GB. VERSIONS SUPPORTED * 10.5 and higher CONFIGURATION By default, the Decoders capture buffer size is 32MB. If you have modified this setting, then you may need to tune the condition for session.split within the rule. Once a session exceeds the capture buffer size, it is split into a separate session. Meta is generated on each split session called, session.split, which is incremented by a count of 1 with each new session. The default setting for the Decoder capture buffer size may be found through the NetWitness Suite UI > Administration > Services > Explore > decoder > config > capture.buffer.size. DEPENDENCIES Lua Parsers: * traffic_flow * session_analysis GENERATED META KEYS * boc = outbound session greater than 1gb	packet	action on objectives, attack phase, data exfiltration, threat
Outbound Session Greater Than 500MB	outbound_session_greater_than_500mb	Detects and generates meta after a session with a high percentage of payload transmitted outbound reaches 500MB. VERSIONS SUPPORTED * 10.5 and higher CONFIGURATION By default, the Decoders capture buffer size is 32MB. If you have modified this setting, then you may need to tune the condition for session.split within the rule. Once a session exceeds the capture buffer size, it is split into a separate session. Meta is generated on each split session called, session.split, which is incremented by a count of 1 with each new session. The default setting for the Decoder capture buffer size may be found through the NetWitness Suite UI > Administration > Services > Explore > decoder > config > capture.buffer.size. DEPENDENCIES Lua Parsers: * traffic_flow * session_analysis GENERATED META KEYS * boc = outbound session greater than 500mb	packet	action on objectives, attack phase, data exfiltration, threat
Packed	packed	Malware may use packing applications to repackage itself frequently to evade threat detection solutions based on static signatures. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = packed	endpoint
Packed And Autorun	packed_and_autorun	Adversaries use Software packing to compress or encrypt an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. To ensure persistence across reboots attackers configure to run those on system startup. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = packed and autorun	endpoint
Packed And Network Access	packed_and_network_access	Adversaries use software packing to compress or encrypt an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. This file is trying to gain access to the network. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = packed and network access	endpoint
Pass the Hash	pass_the_hash	Indicates a possible pass-the-hash attack on a Windows system configured to use the NTLM authentication protocol. The rule reduces false positives by excluding anonymous logons, domain controller and machine logons and those that are not local accounts. It is recommended to exclude the domain for which the domain controller is responsible within the rule logic, since an attacker would typically not have this information and it could increase rule accuracy. VERSIONS SUPPORTED NetWitness 11.3 and higher CONFIGURATION Customize this rule to exclude your domain from matching. To do this, modify the expression within the rule, domain.all != 'yourdomain.com'. Replace 'yourdomain.com' with the domain(s) you wish to exclude. DEPENDENCIES Log Parsers: * At least one of the Windows log device parsers Feeds: * Investigation GENERATED META KEYS * ioc = pass the hash * inv.category = identity, threat * inv.context = attack phase, action on objectives, authentication, lateral movement	log	action on objectives, attack phase, authentication, identity, lateral movement, threat
Passwords over FTP	nw120010	Identifies plaintext FTP logins	packet	assurance, audit, compliance, corporate, organizational hazard
Passwords over HTTP	nw120005	Identifies plaintext HTTP logins	packet	assurance, audit, compliance, corporate, organizational hazard, risk
Passwords Over Other Protocols	nw120030	Identifies plaintext logins with an unidentified service type.	packet	assurance, audit, compliance, corporate, organizational hazard
Passwords Over Pop3	nw120020	Identifies plaintext pop3 logins	packet	assurance, audit, compliance, corporate, organizational hazard
Passwords Over SMTP	nw120025	Identifies plaintext SMTP logins	packet	assurance, audit, compliance, corporate, organizational hazard
Passwords Over Telnet	nw120015	Identifies plaintext telnet logins	packet	assurance, audit, compliance, corporate, organizational hazard
Performs Scripted File Transfer	performs_scripted_file_transfer	Scripts may be used to transfer files over FTP during the course of an attack or for executing command and control instructions. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = performs scripted file transfer	endpoint
php botnet beaconing w	nw02635	detects botnet beaconing with w=188 in the query string.	packet	attack phase, command and control, threat
php ini checkin	nw02645	Detects botnet traffic that uses PHP and .ini files for checkin traffic.	log, packet	attack phase, command and control, threat
php put to wordpress plugin dir	nw02580	Detects PHP puts to WordPress plugin directoires. This behavior has been observed by RSA-FirstWatch as potential malware traffic.	log, packet	attack phase, command and control, threat
php put with 40x error	nw02575	Detects PHP puts that create 4 series errors. This may indicate suspicoius or botnet check-in traffic.	packet	attack phase, command and control, threat
Possible Login Bypass	possible_login_bypass	Accessibility features that may be launched with a key combination before a user has logged in . Possible login bypass can be an indicator of someone trying to modify the way these programs are launched to maintain a persistent presence on the system which can escalate privileges and create backdoor without logging in to the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * ioc = possible login bypass	endpoint
Possible Mimikatz Activity	possible_mimikatz_activity	Mimikatz has become an extremely effective attack tool against Windows clients. Mimikatz activity can be a strong indication of someone trying to dump credentials locally or remotely using powershell Mimikatz tool to be able to gain a privileged foothold, allowing them unfettered access to elevate privileges and move about the network freely without detection. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * ioc = possible mimikatz activity	endpoint
Possible RDP Session Hijacking	possible_rdp_session_hijacking	Possible RDP session hijacking can be indication of adversaries trying to connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries may also use RDP in conjunction with the Accessibility Features technique for Persistence or perform RDP session hijacking which involves stealing a legitimate user's remote session. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * ioc = possible rdp session hijacking	endpoint
Possibly Configures UAC Bypass	possibly_configures_uac_bypass	Configuring UAC can be an indication of possible Windows User Account Control (UAC) bypass. Attacker can use these techniques to elevate privileges to administrator if the target process is unprotected. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = possibly configures uac bypass	endpoint
Possibly Renamed net.exe Detected	possibly_renamed_net.exe_detected	Presence of renamed net.exe can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = possibly renamed net.exe detected	endpoint
PowerShell Command Using String Manipulation	powershell_command_using_string_manipulation	String manipulation can be used to obfuscate PowerShell commands to escape detection. These obfuscated commands can be further used to gain access, to do lateral movement or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = powershell command using string manipulation	endpoint
Powershell Injects Remote Process	powershell_injects_remote_process	Powershell injecting remote process can be an indication of someone trying to create and run malicious processes remotely, which can be further used to gain access, to do lateral movement or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = powershell injects remote process	endpoint
Powershell Opens LSASS Process	powershell_opens_lsass_process	Powershell running LSASS process can be an indication of someone trying to dump credentials locally or remotely, which can be further used to gain access, to do lateral movement or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = powershell opens lsass process	endpoint
Powershell Runs Command Prompt	powershell_runs_command_prompt	Powershell running command prompt can be an indication of someone trying to run malicious commands using to compromise the system or the user, which can be further used to gain access, to do lateral movement or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = powershell runs command prompt	endpoint
Powershell Runs Scripting Engine	powershell_runs_scripting_engine	Powershell running scripting engine can be an indication of someone trying to run malicious scripts to compromise the system or the user, which can be further used to gain access, to do lateral movement or to gain elevated privileges. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = powershell runs scripting engine	endpoint
Process Authorized In Firewall	process_authorized_in_firewall	Firewall allows process access based on details about the process and access control policy in use. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = process authorized in firewall	endpoint
Proxy Anonymous Services	nw110065	Detects use of common proxy services using a list of domains matched against the alias host meta key. Use of an HTTP network parser is required.	log, packet	assurance, compliance, corporate, organizational hazard, risk
Proxy Client Download	nw110070	Detects proxy client file downloads by looking for the file name and extension within the filename meta key. Use of an HTTP network parser is required.	log, packet	application analysis, assurance, compliance, corporate, event analysis, operations, organizational hazard, risk
Psexesvc Runs Powershell	psexesvc_runs_powershell	Psexesvc running powershell can be an indication of someone trying to execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. These techniques can also be used to maintain persistence or for privilege escalation. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = psexesvc runs powershell	endpoint
Psexesvc Runs Scripting Engine	psexesvc_runs_scripting_engine	Psexesvc running scripting engine can be an indication of someone trying to execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. These techniques can also be used to maintain persistence or for privilege escalation VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = psexesvc runs scripting engine	endpoint
Psexesvc Runs Shell Commands	psexesvc_runs_shell_commands	Psexesvc running shell commands can be an indication of someone trying to execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. These techniques can also be used to maintain persistence or for privilege escalation VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = psexesvc runs shell commands	endpoint
qq download client	nw02615	detects download of the QQ chinese instant messaging client.	log, packet	assurance, organizational hazard, risk
Queries Cached Kerberos Tickets	queries_cached_kerberos_tickets	Querying cached kerberos tickets can be attempt to obtain account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = queries cached kerberos tickets	endpoint
Queries Processes On Local System	queries_processes_on_local_system	Processing queries on local system can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * analysis.file = queries processes on local system	endpoint
Queries Processes On Remote System	queries_processes_on_remote_system	Processing queries on remote system can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. VERSIONS SUPPORTED * NetWitness Platform 11.3 and higher DEPENDENCIES * NetWitness Endpoint Server GENERATED META KEYS * boc = queries processes on remote system	endpoint
Queries Registry Using Command-Line Registry Tool	queries_registry_using_command-line_registry_tool