RSA NetWitness Endpoint Hunting

Document created by Connor Mccarthy (Employee) on Oct 24, 2017. Last modified by Joseph Cantor on Nov 6, 2019.
Version 10

Access Training



In order to register for a class, you need to first create a Dell Education account

If you need further assistance, contact us



This on-demand learning presents adaptive techniques for security teams proactively seeking to detect, understand, and disrupt coordinated intrusions with RSA NetWitness Endpoint.



This self-paced on-demand learning presents techniques prescribed by security analysts for employing RSA NetWitness Endpoint to locate sophisticated targeted attacks. Finding known malware and obviously malicious behavior is easy with this tool’s Instant Indicators of Compromise, but sophisticated intrusions can be far more challenging. Indicators of specific exploits and threats, such as common keylogging techniques, are detailed.


Audience
Security analysts using RSA NetWitness Endpoint to locate suspicious files, processes, and activity on an organization’s endpoint computers.

Delivery Type
On-Demand Learning (self-paced eLearning)

Duration
2 hours


Prerequisite Knowledge/Skills

Students should have completed the RSA NetWitness Endpoint Fundamentals course prior to viewing this course. At least six months of real-world security analysis experience with NetWitness Endpoint is recommended.


Learning Objectives

Upon successful completion of this course, participants should be able to:

  • Request a scan and interpret the results
  • Perform file analysis without alerting adversaries
  • Evaluate threats based on frequency of file occurrence
  • Customize an Instant Indicator of Compromise
  • Create a custom Yara rule to adapt hunting technique to latest indicators
  • Use behavior filters to identify new threats
  • Review key Instant Indicators of Compromise
  • Obtain and analyze the MFT file from an endpoint system
  • Establish a timeline based on the most trusted timestamps


Course Outline

  • Overview
    • Why Hunt?
    • RSA NetWitness Endpoint Architecture
    • Endpoint Threat Detection
    • Daily Analyst Responsibilities
  • Functionality
    • Instant Indicators of Compromise
    • Understanding Key IIOCs
      1. Hidden Modules and Floating Code
      2. Reserved Locations and EXE Execution
      3. Unsigned Modules and Other Characteristics
    • Scans
    • Yara Pattern Matching
  • The Cyber Kill Chain
    • Timeline of Typical Attack
    • Detecting Entrenchment
    • Detecting Lateral Movement
    • Detecting Data Exfiltration
  • File Analysis
    • Downloading a Module from Endpoint
    • A Secure File Analysis Environment
    • File Analysis Within NetWitness Endpoint
    • Other Analysis Options
  • Hunting Techniques
    • Hunting with IIOCs
      1. Webshells Example
      2. Scan Data Example
    • Custom IIOC Creation
    • Hunting with Global Modules Window
    • Custom Yara Rule Creation
  • Forensics
    • NTFS Timestamps
    • MFT Analysis
      1. Obtaining the Endpoint MFT
    • Global File Retrieval
    • Specialized Hunting Techniques
    • Direct Database Queries
