The following table lists all of the delivered RSA Application Rules.
Note: For content that has been discontinued, see Discontinued Content.
| Display Name | File Name | Description | Medium | Tags |
|---|---|---|---|---|
| Archive Extension Mismatch | nw20080 | creates meta when a rar or zip file is detected without a rar or zip file extension | packet | event analysis, file analysis, operations |
| Archive From IP Address | nw20085 | archive directly from an ip address with no corresponding alias.host meta. Often indicative of a second stage tool download after a foothold has been established. | packet | attack phase, delivery, threat |
| Attachment Overload | nw00005 | Rule looks for more than 4 attachments in a single session. | packet | event analysis, file analysis, operations |
| Bozok RAT Acquisition | nw90001 | Detects web traffic from an internal IP address to the following URL: http://ss-rat.blogspot.com. | log, packet | malware, remote access trojans, threat |
| BYOD Mobile Web Agent Detected | nw110125 | Detects use of a web browsing agent for a mobile device. The following is the list of strings looked for within the "client" meta key to indicate mobile browsing: "iPad", "iPhone", "iPod", "Android", "BlackBerry", "Mobile", "Opera Mobi", "Opera Mini", "Symbian", "GoBrowser", "Minimo", "Netfront", "Skyfire", "SEMC-Browser". | log, packet | assurance, compliance, corporate |
| Cerber Ransomware | nw22350 | Detects a set of pay-site hosts for Cerber ransomware that correlate to embedded configuration files for the malware's set up of bitcoin wallets for each victim. This rule matches when the 'alias.host' (packet) or 'fqdn' (web logs) begins with one of the identified pay-sites. Reference these RSA Link blog posts from RSA Research for more details about this threat: https://community.rsa.com/community/products/netwitness/blog/2016/09/27/the-evolution-of-cerber https://community.rsa.com/community/products/netwitness/blog/2016/11/04/the-evolution-of-cerber-v410 Dependencies: - (Packet) HTTP_lua parser - (Logs) At least one web log event source - September 2016 or later release. Prior to 10.6.2, the Envision Config File from Live for the FQDN meta key configuration. Meta Keys: - Risk Warning = cerber ransomware - Indicators of Compromise = cerber ransomware | log, packet | featured, crimeware, malware, threat |
| Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow | nw125025 | Customers who deploy either Cisco IPS or SourceFire Defense Center may benefit from this log-based Application Rule written to detect indicators to CVE-2016-1287: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow. SourceFire signature IDs utilized to detect this vulnerability are '1:36903' and '1:37674' while Cisco IPS signature IDs are 7169-0 and 7169-1. | log | attack phase, exploit, threat |
| Cmstar Malware | nw22310 | Detects malicious traffic between command and control server and custom downloader cmstart variants. Either the HTTP_lua or HTTP native parser is required. Reference this RSA Link blog post from RSA Research for more details about this threat: https://community.rsa.com/community/products/netwitness/blog/2015/09/30/detecting-cmstar-variants-using-security-analytics | packet | malware, threat, remote access trojans |
| CryptoShield Ransomware | nw22380 | CryptoShield ransomware is being distributed through sites that have been compromised so that when a visitor goes to the site, they will encounter the attack chain. Once the ransomware is executed on the victim's computer, it will generate a unique ID for the victim and an encryption key. This rule detects the upload of this key to the command and control server. DEPENDENCIES Lua Parsers: * HTTP_lua * Form_Data_lua * traffic_flow Feeds: * NetWitness GENERATED META KEYS * ioc = cryptoshield ransomware * inv.category = threat * inv.context = malware, crimeware | packet | crimeware, malware, threat |
| Cybergate RAT Download | nw110145 | Detects an internal network session download of the CyberGate RAT.A network parser that supports population of meta keys of "action" and "filename" is required.Examples of such network parsers are HTTP, FTP, IRC and NFS. | packet | malware, remote access trojans, threat |
| Daserf Malware | nw22315 | Detects malicious inbound and outbound traffic between backdoor/malware Daserf variants and command and control server domain over HTTP. The HTTP_lua parser is a required dependency. Reference this RSA Link blog post from RSA Research for more details about this threat: https://community.rsa.com/community/products/netwitness/blog/2015/09/28/detecting-daserf-variants-using-security-analytics | packet | malware, threat, remote access trojans |
| DNS Hostnames Resolving Non-Routable IP | nw30010 | DNS names that resolve to non-routable IP address. Often used on parked domains. | packet | event analysis, operations, protocol analysis |
| DNS Over Non-Standard Port | nw60005 | DNS traffic over ports other than udp 53 | packet | event analysis, operations, protocol analysis |
| Dreambot Malware | nw22375 | The Dreambot is a banking trojan spreading via exploit kits and spam e-mails with tor communication and peer-to-peer functionality. This rule detects outbound beaconing activity from infected host. DEPENDENCIES Lua Parsers: * HTTP Lua * Traffic Flow Lua Feeds: * NetWitness GENERATED META KEYS * ioc = dreambot malware * inv.category = threat * inv.context = malware, crimeware | packet | crimeware, featured, malware, threat |
| Dyzap Malware | nw22365 | Dyzap has the ability to steal usernames and passwords of email, banking and social media accounts. Once the malware infects a victim machine, it starts sending data to its command and control server via an HTTP POST request. This rule detects a variant seen spreading through phishing email messages. Reference this RSA Link blog post from RSA Research for more details about this threat: https://community.rsa.com/community/products/netwitness/blog/2016/11/18/detecting-a-dyzap-variant-using-rsa-netwitness The HTTP_lua and traffic_flow parser are required. | packet | crimeware, malware, threat, remote access trojans |
| Etc Password Get Request | nw50005 | Detects a get request for "/etc/passwd" | log, packet | action on objectives, attack phase, data exfiltration, threat |
| Etc Shadow Get Request | nw50010 | Detects attempted get request for /etc/shadow | log, packet | action on objectives, attack phase, data exfiltration, threat |
| exe filetype but not exe extension | exe_filetype_but_not_exe_extension | An executable was detected in the session but no filename with an "exe" extension was seen in the same session. | packet | operations, event analysis, file analysis |
| File Transport over ICMP | nw110025 | Detects files transported over ICMP. | log, packet | event analysis, file analysis, operations |
| File Transport Over Unknown Protocol | nw110030 | Detects files transported over unknown protocols. | packet | event analysis, operations, protocol analysis |
| File Vault Disabled | file_vault_disabled | File vault disabled. | log | assurance, endpoint |
| Filter Adobe Updates | nw140050 | Filters executables associated with Adobe Updates | packet | event analysis, filters, operations |
| Filter Google Updates | nw140020 | Filters executable updates for google tools | packet | event analysis, filters, operations |
| Filter Intel Updates | nw140035 | Filters executables associated with Intel Updates | packet | event analysis, filters, operations |
| Filter Java Updates | nw140015 | Filters executables involved with java updates | packet | event analysis, filters, operations |
| Filter Macromedia Updates | nw140030 | Filters macromedia update executables | packet | event analysis, filters, operations |
| Filter Mcafee Updates | nw140045 | Filters executables associated with Mcafee updates | packet | event analysis, filters, operations |
| Filter Skype Updates | nw140010 | Filters skype update executables. | packet | event analysis, filters, operations |
| Filter Symantec Updates | nw140025 | Filters Symantec Update executables | packet | event analysis, filters, operations |
| Filter VMWare Updates | nw140040 | Filters executables associated with VMWare Updates | packet | event analysis, filters, operations |
| Filter Windows Updates | nw140005 | Filters executable downloads from Windows Update. | packet | event analysis, filters, operations |
| Firewall Disabled | firewall_disabled | Endpoint firewall disabled. | log | endpoint, threat |
| High Risk File From Blacklisted Host | nw20065 | Executable download from a host on a blacklist feed. | packet | attack phase, delivery, threat |
| HTTP over Non-Standard Port | nw60020 | http traffic over a port other than 80 | packet | event analysis, operations, protocol analysis |
| HttpBrowser Malware | nw22325 | Detects malicious outbound traffic between HttpBrowser Malware variants and command and control server. Either the HTTP_lua or HTTP native parser is required. Reference this RSA Link blog post from RSA Research for more details about this threat: https://community.rsa.com/community/products/netwitness/blog/2016/02/10/detecting-httpbrowser-variants-using-security-analytics | packet | malware, threat, remote access trojans |
| IRC File Transfer | nw00015 | Rules looks for file transfers via IRC | packet | event analysis, operations, protocol analysis |
| KeyBase Keylogger | nw22340 | Detects malicious outbound traffic between KeyBase Keylogger and command and control server. Either the HTTP_lua or HTTP native parser and traffic_flow parser is required. Reference this RSA Link blog post from RSA Research for more details about this threat: https://community.rsa.com/community/products/netwitness/blog/2015/06/25/detecting-keybase-variants-using-security-analytics | packet | key loggers, malware, threat |
| Large Outbound Encrypted session | nw110045 | Detects an Outbound encrypted session where the data size is greater than 5MB. | packet | action on objectives, assurance, attack phase, compliance, corporate, data exfiltration, threat |
| Large Outbound Session | nw110060 | Detects outbound session (encrypted or non-encrypted) where the data size is greater than 5MB. DEPENDENCIES Lua Parsers: * traffic_flow Feeds: * Investigation * Hunting GENERATED META KEYS *boc = large outbound data transfer *inv.category = assurance *inv.context = compliance, corporate | packet | action on objectives, assurance, attack phase, compliance, corporate, data exfiltration, threat |
| Locky Malware | nw22355 | Detects malicious outbound traffic between a system infected with Locky Ransomware and command and control server. REFERENCES Reference this RSA Link blog post from RSA Research for more details about this threat: https://community.rsa.com/community/products/netwitness/blog/2016/10/03/nemucod-and-locky DEPENDENCIES Lua Parsers * HTTP_lua * traffic_flow Feeds * NetWitness GENERATED META KEYS * ioc = locky malware * inv.category = threat * inv.context = malware, crimeware | packet | crimeware, malware, threat |
| LSASS Access | lsass_access | Detects suspicious access to lsass.exe through sysmon logs. This process access indicates probable credential dumping. DEPENDENCIES Log Parsers: * At least one of the Windows log device parsers Feeds: * Investigation GENERATED META KEYS * ioc = lsass access * inv.category = identity, threat * inv.context = attack phase, action on objectives, lateral movement | log | action on objectives, attack phase, identity, lateral movement, threat |
| Mirage Malware | nw22305 | Detects malicious outbound traffic due to installation of Mirage malware. The HTTP_lua parser is a required dependency. Reference this RSA Link blog post from RSA Research for more details about this threat: https://community.rsa.com/community/products/netwitness/blog/2015/11/10/detecting-mirage-variants-using-security-analytics | packet | malware, threat, remote access trojans |
| Named Pipe into LSASS | named_pipe_into_lsass | Detects when a suspicious Named Pipe is created or connected to target process of LSASS. This is detected through sysmon logs and indicates probable credential dumping. DEPENDENCIES Log Parsers: * At least one of the Windows log device parsers Feeds: * Investigation GENERATED META KEYS * ioc = named pipe into lsass * inv.category = identity, threat * inv.context = attack phase, action on objectives, lateral movement | log | action on objectives, attack phase, identity, lateral movement, threat |
| NetTraveler Malware | nw22345 | Detects malicious outbound traffic between Malware NetTraveler and command and control server. Either the HTTP_lua or HTTP native parser and traffic_flow parser is required. Reference this RSA Link blog post from RSA Research for more details about this threat: https://community.rsa.com/thread/185492 | packet | malware, threat, remote access trojans |
| NGINX HTTP Server | nw30015 | Detects web servers running nginx, which is often used for malicious purposes. | log, packet | application analysis, event analysis, operations |
| Non-Standard Port Use - DHCP | nw60035 | Identifies dhcp traffic over a port that is not typically used for dhcp | packet | event analysis, operations, protocol analysis |
| Non-Standard Port Use - FTP | nw60015 | ftp over ports other than TCP 21 | packet | event analysis, operations, protocol analysis |
| Non-Standard Port Use - H323 | nw60095 | Identifies h323 traffic over a port that is not typically used for h323. | packet | event analysis, operations, protocol analysis |
| Non-Standard Port Use - IRC | nw60110 | Identifies irc traffic over a port that is not typically used for irc. | packet | event analysis, operations, protocol analysis |
| Non-Standard Port Use - NetBios | nw60060 | Identifies netbios traffic over a port that is not typically used for netbios. | packet | event analysis, operations, protocol analysis |
| Non-Standard Port Use - NNTP | nw60050 | Identifies nntp traffic over a port that is not typically used for nntp. | packet | event analysis, operations, protocol analysis |
| Non-Standard Port Use - POP3 | nw60045 | Identifies pop3 traffic over a port that is not typically used for pop3. | packet | event analysis, operations, protocol analysis |
| Non-Standard Port Use - RIP | nw60080 | Identifies rip traffic over a port that is not typically used for rip. | packet | event analysis, operations, protocol analysis |
| Non-Standard Port Use - RPC | nw60055 | Identifies rpc traffic over a port that is not typically used for rpc. | packet | event analysis, operations, protocol analysis |
| Non-Standard Port Use - RTP | nw60100 | Identifies rto traffic over a port that is not typically used for rtp. | packet | event analysis, operations, protocol analysis |
| Non-Standard Port Use - SIP | nw60105 | Identifies sip traffic over a port that is not typically used for sip | packet | event analysis, operations, protocol analysis |
| Non-Standard Port Use - SMB | nw60065 | Identifies smb traffic over a port that is not typically used for smb. | packet | event analysis, operations, protocol analysis |
| Non-Standard Port Use - SMTP | nw60030 | Identifies smtp traffic over a port that is not typically used for smtp. | packet | event analysis, operations, protocol analysis |
| Non-Standard Port Use - SNMP | nw60070 | Identifies snmp traffic over a port that is not typically used for snmp. | packet | event analysis, operations, protocol analysis |
| Non-Standard Port Use - SSH | nw60025 | Identifies ssh traffic over a port that is not typically used for ssh. | packet | event analysis, operations, protocol analysis |
| Non-Standard Port Use - SSL | nw60075 | Identifies ssl traffic over a port that is not typically used for ssl. | packet | event analysis, operations, protocol analysis |
| Non-Standard Port Use - TDS | nw60085 | Identifies tds traffic over a port that is not typically used for tds. | packet | event analysis, operations, protocol analysis |
| Non-Standard Port Use - Telnet | nw60010 | telnet over ports other than TCP 23 | packet | event analysis, operations, protocol analysis |
| Non-Standard Port Use - TFTP | nw60040 | Identifies tftp traffic over a port that is not typically used for tftp. | packet | event analysis, operations, protocol analysis |
| Non-Standard Port Use - TNS | nw60090 | Identifies tns traffic over a port that is not typically used for tns. | packet | event analysis, operations, protocol analysis |
| NTDSXTRACT Tool Download | nw110130 | Detects an internal network session download of NTDSXTRACT. NTDSXTRACT is a tool framework for extracting data from the active directory database file NTDS.DIT.At least one of the network parsers supporting meta of action and filename is required,which may include HTTP, FTP, IRC and NFS. | packet | action on objectives, application analysis, attack phase, data exfiltration, event analysis, operations, threat |
| NTP DDoS Attack 234-byte Request: Netflow | nw50032 | 10.4 or higher.Detects UDP/123 traffic with a 234-byte payload over Netflow. This is indicative of an NTP request generated by a monlist command. | log | action on objectives, attack phase, denial of service, threat |
| NTP DDoS Attack 234-byte Request: Packets | nw50022 | Detects UDP/123 traffic with a 234-byte payload. This is indicative of an NTP request generated by a monlist command. | packet | action on objectives, attack phase, denial of service, threat |
| NTP DDoS Attack 50-byte Request: Netflow | nw50030 | 10.4 or higher.Detects UDP/123 traffic with a 50-byte payload over Netflow. This is indicative of a potential NTP DDoS attack tool. | log | action on objectives, attack phase, denial of service, threat |
| NTP DDoS Attack 50-byte Request: Packets | nw50020 | Detects UDP/123 traffic with a 50-byte payload. This is indicative of a potential NTP DDoS attack tool. | packet | action on objectives, attack phase, denial of service, threat |
| NTP DDoS Attack 60-byte Request: Netflow | nw50031 | 10.4 or higher.Detects UDP/123 traffic with a 60-byte payload over NetFlow. This is indicative of the NTP request size initiated by the ntpdos.py attack script. | log | action on objectives, attack phase, denial of service, threat |
| NTP DDoS Attack 60-byte Request: Packets | nw50021 | Detects UDP/123 traffic with a 60-byte payload. This is indicative of the NTP request size initiated by the ntpdos.py attack script. | packet | action on objectives, attack phase, denial of service, threat |
| NWFL_access:data-access | NWFL_DataAccess | NWFL App Rule to support Informer Reports | log | assurance, audit, compliance |
| NWFL_access:privilege-escalation-failure | NWFL_PrivEscalateFail | NWFL App Rule to support Informer Reports | log | assurance, audit, authorization, compliance, identity |
| NWFL_access:privilege-escalation-success | NWFL_PrivEscalateSuccess | NWFL App Rule to support Informer Reports | log | assurance, audit, authorization, compliance, identity |
| NWFL_access:remote-failure | NWFL_RemoteAccessFail | NWFL App Rule to support Informer Reports | log | assurance, audit, authentication, compliance, identity |
| NWFL_access:remote-success | NWFL_RemoteAccessSuccess | NWFL App Rule to support Informer Reports | log | assurance, audit, authentication, compliance, identity |
| NWFL_access:user-access-revoked | NWFL_UserAccessRevoke | NWFL App Rule to support Informer Reports | log | assurance, audit, authorization, compliance, identity |
| NWFL_account:account-disabled | NWFL_AccountDisabled | NWFL App Rule to support Informer Reports | log | assurance, audit, authorization, compliance, identity |
| NWFL_account:auth-success | NWFL_AuthSuccess | NWFL App Rule to support Informer Reports | log | assurance, audit, authorization, compliance, identity |
| NWFL_account:created | NWFL_AccountCreated | NWFL App Rule to support Informer Reports | log | assurance, audit, authorization, compliance, identity |
| NWFL_account:deleted | NWFL_AccountDeleted | NWFL App Rule to support Informer Reports | log | assurance, audit, authorization, compliance, identity |
| NWFL_account:group-management | NWFL_GroupMgmt | NWFL App Rule to support Informer Reports | log | assurance, audit, authorization, compliance, identity |
| NWFL_account:login-and-logout | NWFL_LoginLogout | NWFL App Rule to support Informer Reports | log | assurance, audit, authentication, compliance, identity |
| NWFL_account:logon-failure | NWFL_LoginFailure | NWFL App Rule to support Informer Reports | log | assurance, audit, authentication, compliance, identity |
| NWFL_account:logon-success | NWFL_LoginSuccess | NWFL App Rule to support Informer Reports | log | assurance, audit, authentication, compliance, identity |
| NWFL_account:logon-success-direct-access | NWFL_LoginDirectAccessSuccess | NWFL App Rule to support Informer Reports | log | assurance, audit, authentication, compliance, identity |
| NWFL_account:logout | NWFL_Logout | NWFL App Rule to support Informer Reports | log | assurance, audit, authentication, compliance, identity |
| NWFL_account:modified | NWFL_AccountModified | NWFL App Rule to support Informer Reports | log | assurance, audit, authorization, compliance, identity |
| NWFL_account:password-change | NWFL_PasswordChange | NWFL App Rule to support Informer Reports | log | assurance, audit, authorization, compliance, identity |
| NWFL_account:user-accessing-file-servers | NWFL_UserAccessFilesrv | NWFL App Rule to support Informer Reports | log | assurance, audit, authorization, compliance, identity |
| NWFL_alm:cardholder-data | NWFL_AccessCardholderData | NWFL App Rule to support Informer Reports | log | assurance, audit, compliance |
| NWFL_alm:error-event-types | NWFL_ErrorEventTypes | NWFL App Rule to support Informer Reports | log | assurance, audit, compliance |
| NWFL_alm:firmware-config-changes | NWFL_FirmwareConfigChange | NWFL App Rule to support Informer Reports | log | assurance, audit, compliance |
| NWFL_alm:inbound-network-traffic | NWFL_InboundTraffic | NWFL App Rule to support Informer Reports | log | assurance, audit, compliance, event analysis, flow analysis, operations |
| NWFL_alm:outbound-network-traffic | NWFL_OutboundTraffic | NWFL App Rule to support Informer Reports | log | assurance, audit, compliance, event analysis, flow analysis, operations |
| NWFL_alm:system-clock-synch | NWFL_ClockSynch | NWFL App Rule to support Informer Reports | log | assurance, audit, compliance |
| NWFL_av:signature-update | NWFL_AVSignatureUpdate | NWFL App Rule to support Informer Reports | log | assurance, audit, compliance, risk, vulnerability management |
| NWFL_av:virus-summary | NWFL_AVSummary | NWFL App Rule to support Informer Reports | log | assurance, audit, compliance |
| NWFL_config:change-audit-setting | NWFL_AuditSettingChange | NWFL App Rule to support Informer Reports | log | assurance, audit, compliance |
| NWFL_config:config-changes | NWFL_ConfigChanges | NWFL App Rule to support Informer Reports | log | assurance, audit, compliance |
| NWFL_config:fw-config-changes | NWFL_FirewallConfigChange | NWFL App Rule to support Informer Reports | log | assurance, audit, compliance |
| NWFL_config:router-change | NWFL_RouterConfigChange | NWFL App Rule to support Informer Reports | log | assurance, audit, compliance |
| NWFL_encryption:failures | NWFL_EncryptFailures | NWFL App Rule to support Informer Reports | log | assurance, audit, compliance |
| NWFL_encryption:key-gen-and-changes | NWFL_EncryptKeyGenChanges | NWFL App Rule to support Informer Reports | log | assurance, audit, compliance |
| NWFL_encryption:success | NWFL_EncryptSuccess | NWFL App Rule to support Informer Reports | log | assurance, audit, compliance |
| NWFL_fw:categories | NWFL_FirewallRuleCat | NWFL App Rule to support Informer Reports | log | assurance, audit, compliance |
| NWFL_fw:inbound-network-traffic | NWFL_FWInboundTraffic | NWFL App Rule to support Informer Reports | log | assurance, audit, compliance, event analysis, flow analysis, operations |
| NWFL_fw:outbound-network-traffic | NWFL_FWOutboundTraffic | NWFL App Rule to support Informer Reports | log | assurance, audit, compliance, event analysis, flow analysis, operations |
| NWFL_fw:url-block | NWFL_URLBlock | NWFL App Rule to support Informer Reports | log | assurance, audit, compliance |
| NWFL_fw:url-filetypes | NWFL_URLFiletypes | NWFL App Rule to support Informer Reports | log | assurance, audit, compliance, event analysis, file analysis, operations |
| NWFL_host:windows:account-disabled | NWFL_WinAcctDisabled | NWFL App Rule to support Informer Reports | log | assurance, audit, authorization, compliance, identity |
| NWFL_host:windows:file-access | NWFL_WinFileAccess | NWFL App Rule to support Informer Reports | log | assurance, audit, compliance |
| NWFL_host:windows:local-group-account-changes | NWFL_WinLocalGrpChange | NWFL App Rule to support Informer Reports | log | assurance, audit, authorization, compliance, identity |
| NWFL_host:windows:user-group-account-changes | NWFL_WinUsrGroupChange | NWFL App Rule to support Informer Reports | log | assurance, audit, authorization, compliance, identity |
| NWFL_intrusion:all-activity | NWFL_IntrusionAllActivity | NWFL App Rule to support Informer Reports | log | assurance, audit, compliance |
| NWFL_ops:mailserver-errors | NWFL_MailserverErrors | NWFL App Rule to support Informer Reports | log | assurance, audit, compliance |
| NWFL_wireless:AdminOperations | NWFL_WirelessAdminOps | NWFL App Rule to support Informer Reports | log | assurance, audit, compliance |
| Only ACK Flag Set in Session Containing Payload | nw30005 | Alerts when sessions containing payload have only ACK flag set. | packet | event analysis, operations, protocol analysis |
| Outbound MS Outlook PFF file | nw110085 | Detects outbound MS Outlook PFFs (Personal Folder Files). It does not differentiate between type of PFF (e.g.: .pst, .ost, .pab).NOTE: This depends on the Lua parser - fingerprint_pff.lua - for detecting PFF filetype. This parser needs to be enabled in order for this rule to work. | log, packet | action on objectives, attack phase, data exfiltration, threat |
| Outbound Session Greater Than 1GB | outbound_session_greater_than_1gb | Detects and generates meta after a session with a high percentage of payload transmitted outbound reaches 1GB, 2GB and 3GB. VERSIONS SUPPORTED * 10.5 and higher CONFIGURATION By default, the Decoders capture buffer size is 32MB. If you have modified this setting, then you may need to tune the condition for session.split within the rule. Once a session exceeds the capture buffer size, it is split into a separate session. Meta is generated on each split session called, session.split, which is incremented by a count of 1 with each new session. The default setting for the Decoder capture buffer size may be found through the NetWitness Suite UI > Administration > Services > Explore > decoder > config > capture.buffer.size. DEPENDENCIES Lua Parsers: * traffic_flow * session_analysis GENERATED META KEYS * boc = outbound session greater than 1gb | packet | action on objectives, attack phase, data exfiltration, threat |
| Outbound Session Greater Than 500MB | outbound_session_greater_than_500mb | Detects and generates meta after a session with a high percentage of payload transmitted outbound reaches 500MB. VERSIONS SUPPORTED * 10.5 and higher CONFIGURATION By default, the Decoders capture buffer size is 32MB. If you have modified this setting, then you may need to tune the condition for session.split within the rule. Once a session exceeds the capture buffer size, it is split into a separate session. Meta is generated on each split session called, session.split, which is incremented by a count of 1 with each new session. The default setting for the Decoder capture buffer size may be found through the NetWitness Suite UI > Administration > Services > Explore > decoder > config > capture.buffer.size. DEPENDENCIES Lua Parsers: * traffic_flow * session_analysis GENERATED META KEYS * boc = outbound session greater than 500mb | packet | action on objectives, attack phase, data exfiltration, threat |
| Pass the Hash | pass_the_hash | Indicates a possible pass-the-hash attack on a Windows system configured to use the NTLM authentication protocol. The rule reduces false positives by excluding anonymous logons, domain controller and machine logons and those that are not local accounts. It is recommended to exclude the domain for which the domain controller is responsible within the rule logic, since an attacker would typically not have this information and it could increase rule accuracy. CONFIGURATION Customize this rule to exclude your domain from matching. To do this, modify the expression within the rule, domain.all != 'yourdomain.com'. Replace 'yourdomain.com' with the domain(s) you wish to exclude. DEPENDENCIES Log Parsers: * At least one of the Windows log device parsers Feeds: * Investigation GENERATED META KEYS * ioc = pass the hash * inv.category = identity, threat * inv.context = attack phase, action on objectives, authentication, lateral movement | log | action on objectives, attack phase, authentication, identity, lateral movement, threat |
| Passwords over FTP | nw120010 | Identifies plaintext FTP logins | packet | assurance, audit, compliance, corporate, organizational hazard |
| Passwords over HTTP | nw120005 | Identifies plaintext HTTP logins | packet | assurance, audit, compliance, corporate, organizational hazard, risk |
| Passwords Over Other Protocols | nw120030 | Identifies plaintext logins with an unidentified service type. | packet | assurance, audit, compliance, corporate, organizational hazard |
| Passwords Over Pop3 | nw120020 | Identifies plaintext pop3 logins | packet | assurance, audit, compliance, corporate, organizational hazard |
| Passwords Over SMTP | nw120025 | Identifies plaintext SMTP logins | packet | assurance, audit, compliance, corporate, organizational hazard |
| Passwords Over Telnet | nw120015 | Identifies plaintext telnet logins | packet | assurance, audit, compliance, corporate, organizational hazard |
| php botnet beaconing w | nw02635 | detects botnet beaconing with w=188 in the query string. | packet | attack phase, command and control, threat |
| php ini checkin | nw02645 | Detects botnet traffic that uses PHP and .ini files for checkin traffic. | log, packet | attack phase, command and control, threat |
| php put to wordpress plugin dir | nw02580 | Detects PHP puts to WordPress plugin directoires. This behavior has been observed by RSA-FirstWatch as potential malware traffic. | log, packet | attack phase, command and control, threat |
| php put with 40x error | nw02575 | Detects PHP puts that create 4 series errors. This may indicate suspicoius or botnet check-in traffic. | packet | attack phase, command and control, threat |
| Proxy Anonymous Services | nw110065 | Detects use of common proxy services using a list of domains matched against the alias host meta key. Use of an HTTP network parser is required. | log, packet | assurance, compliance, corporate, organizational hazard, risk |
| Proxy Client Download | nw110070 | Detects proxy client file downloads by looking for the file name and extension within the filename meta key. Use of an HTTP network parser is required. | log, packet | application analysis, assurance, compliance, corporate, event analysis, operations, organizational hazard, risk |
| qq download client | nw02615 | detects download of the QQ chinese instant messaging client. | log, packet | assurance, organizational hazard, risk |
| RDP over Non-Standard Port | nw110050 | Detects an RDP session over a non-standard port. | packet | event analysis, operations, protocol analysis |
| Remote Control Client Website | nw110075 | Detects use of common remote client download sites. It uses a list of domains matched against the alias host meta key. Use of an HTTP network parser is required. | log, packet | assurance, compliance, corporate, organizational hazard, risk |
| Remote Thread into LSASS | remote_thread_into_lsass | Detects when a process creates remote thread into target process of LSASS. This is detected through sysmon logs and indicates probable credential dumping. DEPENDENCIES Log Parsers: * At least one of the Windows log device parsers Feeds: * Investigation GENERATED META KEYS * ioc = remote thread into lsass * inv.category = identity, threat * inv.context = attack phase, action on objectives, lateral movement | log | action on objectives, attack phase, identity, lateral movement, threat |
| RIG Exploit Kit | nw22370 | RIG exploit kit is suspected in the compromise of a vulnerable website due to patterns found within the query string. DEPENDENCIES Lua Parsers: * HTTP Lua * Traffic Flow Lua Event Sources: * Web proxy and security products such as Cisco WSA and SQUID Feeds: * NetWitness GENERATED META KEYS * ioc = rig exploit kit * inv.category = threat * inv.context = attack phase, exploit, malware | log, packet | attack phase, exploit, featured, malware, threat |
| Rogue DHCP Server Detected - Packets | nw00040 | Detects web traffic involving UDP/67 or 68 that is not a legitimate DHCP server. Note: Users must add legitimate DHCP servers to the RogueDHCPServerDetected feed. | packet | assurance, organizational hazard, risk |
| SchoolBell Malware | nw22360 | The SchoolBell rule detects malware associated with ShellCrew's large scale infrastructure harvesting campaign. SchoolBell targets Windows servers running vulnerable versions of Java web containers such as JBoss and Jenkins. The associated SchoolBell rule can be used to detect the malware's callbacks from an infected host. Both the HTTP_lua and traffic_flow parsers are required. | packet | crimeware, malware, threat |
| ScribD Document Upload | nw110015 | Detects document uploads to the site ScribD. | log, packet | application analysis, assurance, compliance, corporate, event analysis, operations, organizational hazard, risk |
| Shadow IT: File Sharing Apps | nw110150 | Detects file sharing application usage for Box, Dropbox, Github and iCloud for potential shadow IT use. | log, packet | application analysis, assurance, audit, compliance, event analysis, operations, organizational hazard, risk |
| Shadow IT: Voice Chat Apps | nw30050 | Detects some voice and chat applications (e.g. Vonage, VOIPStudio, tinychat, and Yahoo Messenger) usage for potential shadow IT use. | log, packet | application analysis, assurance, audit, compliance, event analysis, operations, organizational hazard, risk |
| Small Executable | nw20110 | Forensic executable detection with a small session size. | packet | event analysis, file analysis, operations |
| Small Executable Extension Mismatch | nw20095 | Indicates a forensic executable detection with a file extension that is not .exe. | packet | attack phase, delivery, event analysis, file analysis, operations, threat |
| Small Executable No Directory | nw20100 | Indicates a forensic executable detection with no corresponding directory information. | packet | attack phase, delivery, event analysis, file analysis, operations, threat |
| Small Executable No Host | nw20090 | Indicates a forensic executable detection with a small session size and no corresponding alias.host information. | packet | attack phase, delivery, event analysis, file analysis, operations, threat |
| Small Executable Root Directory | nw20105 | Forensic executable detection from the root directory of a host. | packet | attack phase, delivery, event analysis, file analysis, operations, threat |
| Spectrum Consume 1.1 App Rule | spectrum_consume11 | Application rule required for office document/pdf consumption | packet | malware analysis, spectrum |
| spectrum_consume.nwr | spectrum_consume | Helper Rule for Spectrum | packet | malware analysis, spectrum |
| ssh to external | ssh_internal_to_external | Detects when an internal IP address initiates an SSH connection to an external IP address.An SSH connection is identified by the following service=22. An Internal IP address is a private address space defined by RFC-1918. Any IP address not in the private space is considered external. | packet | event analysis, operations, protocol analysis |
| Stealth Email Use | nw110105 | Detects a user sign-up or sign-in event for the following stealth mail services: Stealth Email: Referer of either http://www.spytech-web.com/stealth-email-buy.shtml or http://www.stealth-email.com:2095/login/ or http://stealth-email.com/, Hush Mail: Any traffic with an IP destination of 65.39.178.58 or organization destination of "Peer 1 Network (USA)", Neomailbox: Any traffic to alias host www.neomailbox.com, Cryptoheaven: Any traffic to alias host www.cryptoheaven.com, S-mail: Any traffic to alias host mail.s-mail.com | log, packet | assurance, compliance, corporate, organizational hazard, risk |
| Stealth Email Use Large Session | nw110095 | Detects a session larger than 1 MB to the following stealth mail services: Stealth Email: Alias host www.stealth-email.com, Hush Mail: With an IP destination of 65.39.178.58 or organization destination of "Peer 1 Network (USA)", Neomailbox: Alias host www.neomailbox.com, Cryptoheaven: Alias host www.cryptoheaven.com, S-mail: Alias host mail.s-mail.com | packet | assurance, compliance, corporate, organizational hazard, risk |
| strings decode download | nw02565 | Detects malware that uses "strings.txt" for command and control instructions | log, packet | attack phase, command and control, threat |
| suspicious long filename get request | nw02625 | Detects get requests that include extremely long flienames, which is often a tactic used malware to encode information. | packet | attack phase, command and control, threat |
| suspicious php put long query | nw02585 | Detects puts to PHP pages that include extremly long query strings. This behavior is often indicative of botnet or malware encoded check-in traffic | log, packet | attack phase, command and control, threat |
| suspicious PHP url-encoded put | nw02620 | Detects PHP Puts that included URL-encoded data | packet | attack phase, command and control, threat |
| Taidoor Malware | nw22335 | Detects malicious outbound traffic between Malware Taidoor and command and control server. Either the HTTP_lua or HTTP native parser and traffic_flow parser is required. Reference this RSA Link blog post from RSA Research for more details about this threat: https://community.rsa.com/thread/185493 | packet | malware, threat, remote access trojans |
| tdss_rootkit_variant_beaconing | app000002 | Detects the beaconing activity of the TDSS Rootkit botnet. | log, packet | attack phase, command and control, malware, remote access trojans, threat |
| Tendrit Malware | nw22320 | Detects malicious outbound traffic between backdoor/malware Tendrit variants and command and control server. Either the HTTP_lua or HTTP native parser is required. Reference this RSA Link blog post from RSA Research for more details about this threat: https://community.rsa.com/community/products/netwitness/blog/2016/05/09/detecting-tendrit-variants-using-security-analytics | packet | malware, threat, remote access trojans |
| Tor Outbound | nw00035 | Detects an encrypted network sessions as well as log sessions to an external (non RFC-1918) IP destination that shows at least one indicator of using the Tor protocol for anonymous data access. The possible indicators of Tor are: Communication over a common Tor destination port of 9001, 9030, 9101, 9003, 9050, 9051 or communication with a known Tor tunnel node. DEPENDENCIES Packets: Lua Parsers: * traffic_flow * TLS_lua Feeds: * Tor Exit Nodes * Investigation Logs: Lua Parsers: * traffic_flow Feeds: * Tor Exit Nodes * Investigation Log Parsers: * Atleast one parser with device.class='Firewall' or device.type='rsaflow' GENERATED META KEYS * analysis.session= tunneling outbound tor * inv.category = assurance * inv.context = compliance, corporate, organizational hazard, risk | log, packet | assurance, compliance, corporate, organizational hazard, risk |
| Torrent File Download | nw70010 | Detects the download of a .torrent file. | log, packet | assurance, compliance, corporate, event analysis, file analysis, operations |
| Trojan BLT | nw22300 | Detects malicious outbound traffic due to installation of Trojan BLT variants. Either the HTTP_lua or HTTP native parser is required. Reference this RSA Link blog post from RSA Research for more details about this threat: https://community.rsa.com/community/products/netwitness/blog/2015/12/04/detecting-trojanblt-variants-using-security-analytics | packet | malware, threat, remote access trojans |
| tsone dorkbot beaconing | app000003 | Detects hosts infected with the TSONE Dorkbot. | packet | attack phase, command and control, malware, remote access trojans, threat |
| Unknown Service Over DNS Port | nw60115 | Detects an unidentified service over a port typically used for dns traffic. | packet | event analysis, operations, protocol analysis |
| Unknown Service Over FTP Port | nw60120 | Detects an unidentified service over a port typically used for ftp traffic. | packet | event analysis, operations, protocol analysis |
| Unknown Service Over HTTP Port | nw60125 | Detects an unidentified service over a port typically used for http traffic. | packet | event analysis, operations, protocol analysis |
| Unknown Service Over IRC Port | nw60145 | Detects an unidentified service over a port typically used for irc traffic. | packet | event analysis, operations, protocol analysis |
| Unknown Service Over NNTP Port | nw60150 | Detects an unidentified service over a port typically used for nntp traffic. | packet | event analysis, operations, protocol analysis |
| Unknown Service Over POP3 Port | nw60140 | Detects an unidentified service over a port typically used for pop3 traffic. | packet | event analysis, operations, protocol analysis |
| Unknown Service Over SMB Port | nw60155 | Detects an unidentified service over a port typically used for smb traffic. | packet | event analysis, operations, protocol analysis |
| Unknown Service Over SMTP Port | nw60135 | Detects an unidentified service over a port typically used for smtp traffic. | packet | event analysis, operations, protocol analysis |
| Unknown Service Over SSL Port | nw60165 | Detects an unidentified service over a port typically used for ssl traffic. | packet | event analysis, operations, protocol analysis |
| Unknown Service Over Telnet Port | nw60130 | Detects an unidentified service over a port typically used for telnet traffic. | packet | event analysis, operations, protocol analysis |
| Unusual Port Utilized by Domain Controller | nw00045 | Detects a domain controller or directory server engaged in port activity that is outside the expected ports.For Active Directory port requirements, see the following Microsoft Windows Server article: https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx.Note: This rule must be modified to include the IP address of the local Domain Controller or Directory Server. | packet | assurance, event analysis, operations, organizational hazard, protocol analysis, risk |
| Web Access: Pastebin | nw110040 | Detects the existence of "pastebin.com or post.php" in a URL string. Pastebin is a very common site for quickly distributing sensitive data, posting and retrieving malicious and benign code snippets, and is often used to post the output of competing Threat Actor Groups, usually in the form of usernames, passwords, and credit card numbers gained during successful harvesting campaigns as well as focused attacks against servers hosting the data. | log, packet | assurance, compliance, corporate |
| Web Access: Rghost | nw110035 | Detects the existence of "rghost.net" in a URL string.Rghost is a very common site for quickly distributing sensitive data and posting and retrieving malicious ( as well as benign) code snippets.It is often used to post the output of competing Threat Actor Groups, usually in the form of usernames, passwords, and credit card numbers gained during successful harvesting campaigns, as well as focused attacks against servers hosting the data.Additionally, it is a large online repository for searchable malware executables | log, packet | assurance, compliance, corporate |
| Windows Credential Harvesting Services | nw05415 | This rule applies to windows services being installed that are known to be used for pass the hash and brute force attacks. These may include psexec, wce, pwdump, cachedump, gsecdump. | log | action on objectives, assurance, attack phase, lateral movement, organizational hazard, risk, threat |
| Windows NTLM Network Logon Successful | nw30060 | Indicates a possible pass-the-hash attack on Windows systems configured to use the NTLM authentication protocol. This rule does not apply to systems which use the Kerberos authentication protocol. The rule reduces false positives for anonymous logons and eliminates all DC or machine logons by removing any usernames that end in a $. It is recommended to exclude the domain that the Domain Controller is responsible within the rule logic. | log | action on objectives, attack phase, authentication, identity, lateral movement, threat |
Previous Topic:Rules
Next Topic:RSA ESA Rules
You are here
Table of Contents > RSA NetWitness Platform Content > Rules > RSA Application Rules