Hunting Pack

Document created by RSA Information Design and Development on May 11, 2018. Last modified by RSA Information Design and Development on Jul 18, 2018.
Version 8

The Hunting Pack is a set of content that derives indicators of compromise and anomalous events from network sessions and logs. Deploying this bundle downloads all of the Hunting Pack content together with its dependencies, including the associated ESA and application rules, feeds, Lua parsers and reports listed below.

For more details about the suggested investigation techniques, refer to the RSA NetWitness Hunting Guide.

  • ESA Rule: Webshell Detected
  • Application Rule: exe filetype but not exe extension
  • Feeds: Investigation Feed and RSA FirstWatch SSL Blacklist
  • Lua parsers:

    • CustomTCP
    • JSON-RPC
    • MSU_rat
    • apt_artifacts
    • china_chopper
    • dns_verbose
    • dyndns
    • fingerprint_java
    • fingerprint_rtf
    • http
    • icmp
    • idn_homograph
    • mail
    • plugx
    • poison_ivy
    • pvid
    • rdp
    • rekaf
    • session_analysis
    • smb
    • struts_exploit
    • supercmd
    • tld
    • tls
    • traffic_flow
    • windows_command_shell
    • windows_executable
    • xor_executable
  • Reports:

    • Hunting Detail
    • Hunting Summary
    • Malware Activity Report
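The application rule "exe filetype but not exe extension" illustrates a hunting idea that is worth seeing concretely: classify a transferred file by its content (magic bytes) rather than by the extension the sender chose, and flag the mismatch. The following is an added, standalone Python example of that check; it is not the Hunting Pack's rule or parser code, and it does not show NetWitness rule syntax. The extension allow-list, the minimal PE stub builder and the sample session records are all constructed here for illustration.

```python
# Added example: content-vs-extension mismatch check in the spirit of the
# "exe filetype but not exe extension" rule. Not the Hunting Pack's own code.
from typing import List, Optional, Tuple

# Assumed allow-list of extensions under which a Windows executable is "expected".
# The real rule's list is not given on this page.
EXE_EXTENSIONS = {"exe", "dll", "sys", "scr", "cpl", "ocx", "drv"}


def detect_filetype(data: bytes) -> Optional[str]:
    """Classify content by magic bytes (small subset, enough for the example).

    A Windows PE starts with an MZ DOS header; the 32-bit little-endian field
    at offset 0x3C (e_lfanew) points at the "PE\\0\\0" signature.
    """
    if len(data) >= 0x40 and data[:2] == b"MZ":
        e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "windows executable"
        return "dos executable"  # MZ header without a PE signature
    if data[:4] == b"%PDF":
        return "pdf"
    if data[:2] == b"PK":
        return "zip"
    return None


def extension_of(filename: str) -> str:
    """Lower-cased extension as the sender presented it ('' if none)."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def exe_filetype_but_not_exe_extension(filename: str, data: bytes) -> bool:
    """True when the content is an executable but the name does not say so."""
    filetype = detect_filetype(data)
    return (filetype in ("windows executable", "dos executable")
            and extension_of(filename) not in EXE_EXTENSIONS)


def make_pe_stub() -> bytes:
    """Constructed minimal PE-looking blob: MZ header, e_lfanew=0x40, PE sig."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


# Constructed sample "sessions": (filename as transferred, file content).
SAMPLE_SESSIONS: List[Tuple[str, bytes]] = [
    ("update.exe", make_pe_stub()),          # executable named as one: expected
    ("invoice.pdf", make_pe_stub()),         # executable masquerading as a PDF
    ("report.pdf", b"%PDF-1.7\n%constructed"),  # real PDF: no alert
    ("photo.jpg", make_pe_stub()),           # executable masquerading as an image
    ("setup", make_pe_stub()),               # executable with no extension at all
    ("tool.dll", make_pe_stub()),            # library named as one: expected
]


def hunt(sessions: List[Tuple[str, bytes]]) -> List[str]:
    """Return the filenames that trip the mismatch check, in session order."""
    return [name for name, data in sessions
            if exe_filetype_but_not_exe_extension(name, data)]


if __name__ == "__main__":
    for name in hunt(SAMPLE_SESSIONS):
        print(f"ALERT exe filetype but not exe extension: {name}")
```

The check deliberately treats a missing extension as a mismatch, since a bare name gives the analyst no claim to compare against; whether that should alert in production depends on how noisy the environment is.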