RSA NetWitness Investigation Meta

This table lists all of the delivered RSA NetWitness Investigation meta.

Meta Key | Details

analysis.file: autorun
Registered by: autorun.nwr
analysis.file: autorun debian package mismatch
Registered by: autorun_debian_package_mismatch.nwr
analysis.file: autorun file path not part of debian package
Registered by: autorun_file_path_not_part_of_debian_package.nwr
analysis.file: autorun file path not part of rpm
Registered by: autorun_file_path_not_part_of_rpm.nwr
analysis.file: autorun invalid signature windows directory
Registered by: autorun_invalid_signature_windows_directory.nwr
analysis.file: autorun rpm mismatch
Registered by: autorun_rpm_mismatch.nwr
analysis.file: autorun unsigned active setup
Registered by: autorun_unsigned_active_setup.nwr
analysis.file: autorun unsigned appinit_dlls
Registered by: autorun_unsigned_appinit_dlls.nwr
analysis.file: autorun unsigned bho
Registered by: autorun_unsigned_bho.nwr
analysis.file: autorun unsigned bootexecute registry startup method
Registered by: autorun_unsigned_bootexecute_registry_startup_method.nwr
analysis.file: autorun unsigned explorer registry startup method
Registered by: autorun_unsigned_explorer_registry_startup_method.nwr
analysis.file: autorun unsigned hidden
Registered by: autorun_unsigned_hidden.nwr
analysis.file: autorun unsigned hidden only executable in directory
Registered by: autorun_unsigned_hidden_only_executable_in_directory.nwr
analysis.file: autorun unsigned ie toolbar
Registered by: autorun_unsigned_ie_toolbar.nwr
analysis.file: autorun unsigned in appdatalocal directory
Registered by: autorun_unsigned_in_appdatalocal_directory.nwr
analysis.file: autorun unsigned in appdataroaming directory
Registered by: autorun_unsigned_in_appdataroaming_directory.nwr
analysis.file: autorun unsigned in programdata directory
Registered by: autorun_unsigned_in_programdata_directory.nwr
analysis.file: autorun unsigned in temp directory
Registered by: autorun_unsigned_in_temp_directory.nwr
analysis.file: autorun unsigned logontype registry startup method
Registered by: autorun_unsigned_logontype_registry_startup_method.nwr
analysis.file: autorun unsigned lsa provider
Registered by: autorun_unsigned_lsa_provider.nwr
analysis.file: autorun unsigned servicedll
Registered by: autorun_unsigned_servicedll.nwr
analysis.file: autorun unsigned winsock lsp
Registered by: autorun_unsigned_winsock_lsp.nwr
analysis.file: blacklisted file
Registered by: blacklisted_file.nwr
analysis.file: certificate file invalid
Registered by: fingerprint_certificate
Description: A .crt file's base64 encoding does not decode to an X.509 certificate.
analysis.file: debian package hash mismatch
Registered by: debian_package_hash_mismatch.nwr
analysis.file: debian package hash mismatch in important system directory
Registered by: debian_package_hash_mismatch_in_important_system_directory.nwr
analysis.file: exe extension but not exe filetype
Registered by: windows_executable
analysis.file: exe filetype
Registered by: windows_executable
analysis.file: exe filetype but not exe extension
Registered by: exe_filetype_but_not_exe_extension.nwr
analysis.file: exe recently compiled
Registered by: windows_executable
analysis.file: exe under 10k
Registered by: windows_executable
analysis.file: exe under 5k
Registered by: windows_executable
analysis.file: exe under 75k
Registered by: windows_executable
analysis.file: executable in ads
Registered by: executable_in_ads.nwr
analysis.file: file encrypted
Registered by: file_encrypted.nwr
analysis.file: file hidden
Registered by: file_hidden.nwr
analysis.file: file path not part of debian package
Registered by: file_path_not_part_of_debian_package.nwr
analysis.file: file path not part of debian package in important system directory
Registered by: file_path_not_part_of_debian_package_in_important_system_directory.nwr
analysis.file: file path not part of rpm
Registered by: file_path_not_part_of_rpm.nwr
analysis.file: file path not part of rpm in important system directory
Registered by: file_path_not_part_of_rpm_in_important_system_directory.nwr
analysis.file: floating module
Registered by: floating_module.nwr
analysis.file: floating module and hooking
Registered by: floating_module_and_hooking.nwr
analysis.file: floating module in browser process
Registered by: floating_module_in_browser_process.nwr
analysis.file: floating module in os process
Registered by: floating_module_in_os_process.nwr
analysis.file: gina replacement
Registered by: gina_replacement.nwr
analysis.file: graylisted file
Registered by: graylisted_file.nwr
analysis.file: hidden in appdata
Registered by: hidden_in_appdata.nwr
analysis.file: hidden plist and autorun
Registered by: hidden_plist_and_autorun.nwr
analysis.file: hooks audio output function
Registered by: hooks_audio_output_function.nwr
analysis.file: hooks authentication function
Registered by: hooks_authentication_function.nwr
analysis.file: hooks crypto function
Registered by: hooks_crypto_function.nwr
analysis.file: hooks dnsquery function
Registered by: hooks_dnsquery_function.nwr
analysis.file: hooks gui function
Registered by: hooks_gui_function.nwr
analysis.file: hooks network http function
Registered by: hooks_network_http_function.nwr
analysis.file: hooks network io function
Registered by: hooks_network_io_function.nwr
analysis.file: hooks ntldr function
Registered by: hooks_ntldr_function.nwr
analysis.file: hooks registry access function
Registered by: hooks_registry_access_function.nwr
analysis.file: hooks registry enumeration function
Registered by: hooks_registry_enumeration_function.nwr
analysis.file: in appdata directory
Registered by: in_appdata_directory.nwr
analysis.file: in hidden directory
Registered by: in_hidden_directory.nwr
analysis.file: in recycle bin directory
Registered by: in_recycle_bin_directory.nwr
analysis.file: in root of appdatalocal directory
Registered by: in_root_of_appdatalocal_directory.nwr
analysis.file: in root of appdataroaming directory
Registered by: in_root_of_appdataroaming_directory.nwr
analysis.file: in root of program directory
Registered by: in_root_of_program_directory.nwr
analysis.file: in system volume information directory
Registered by: in_system_volume_information_directory.nwr
analysis.file: in temporary directory
Registered by: in_temporary_directory.nwr
analysis.file: in uncommon directory
Registered by: in_uncommon_directory.nwr
analysis.file: invalid signature
Registered by: invalid_signature.nwr
analysis.file: ld preload
Registered by: ld_preload.nwr
analysis.file: library preferences directory
Registered by: library_preferences_directory.nwr
analysis.file: malformed gif header
Registered by: fingerprint_gif_lua
analysis.file: misleading file extension
Registered by: misleading_file_extension.nwr
analysis.file: one two filename java class
Registered by: fingerprint_java
analysis.file: packed
Registered by: packed.nwr
analysis.file: packed and autorun
Registered by: packed_and_autorun.nwr
analysis.file: packed and network access
Registered by: packed_and_network_access.nwr
analysis.file: pdf deflating embedded file
Registered by: fingerprint_pdf_lua
analysis.file: pdf inconsistent xref size
Registered by: fingerprint_pdf_lua
analysis.file: pdf single page
Registered by: fingerprint_pdf_lua
analysis.file: pdf stream ascii85 encoded
Registered by: fingerprint_pdf_lua
analysis.file: pdf stream ccittfax encoded
Registered by: fingerprint_pdf_lua
analysis.file: pdf stream crypt encoded
Registered by: fingerprint_pdf_lua
analysis.file: pdf stream hex encoded
Registered by: fingerprint_pdf_lua
analysis.file: pdf stream lwz encoded
Registered by: fingerprint_pdf_lua
analysis.file: pdf stream runlength encoded
Registered by: fingerprint_pdf_lua
analysis.file: pdf with additional actions
Registered by: fingerprint_pdf_lua
analysis.file: pdf with launch action
Registered by: fingerprint_pdf_lua
analysis.file: pdf with names
Registered by: fingerprint_pdf_lua
analysis.file: pdf with nested filters
Registered by: fingerprint_pdf_lua
analysis.file: pdf with obfuscated objects
Registered by: fingerprint_pdf_lua
analysis.file: pdf with open action
Registered by: fingerprint_pdf_lua
analysis.file: pdf with url
Registered by: fingerprint_pdf_lua
Description: pdf contains an embedded url
analysis.file: pdf with xfa
Registered by: fingerprint_pdf_lua
analysis.file: potential embedded swf in pdf
Registered by: fingerprint_flash
analysis.file: powershell double base64
Registered by: powershell_double_base64.nwr
analysis.file: process authorized in firewall
Registered by: process_authorized_in_firewall.nwr
analysis.file: queries cached kerberos tickets
Registered by: queries_cached_kerberos_tickets.nwr
analysis.file: rar file encrypted
Registered by: fingerprint_rar_lua
analysis.file: rar file password protected
Registered by: fingerprint_rar_lua
analysis.file: rpm hash mismatch
Registered by: rpm_hash_mismatch.nwr
analysis.file: rpm hash mismatch in important system directory
Registered by: rpm_hash_mismatch_in_important_system_directory.nwr
analysis.file: rtf invalid magic number
Registered by: fingerprint_rtf_lua
Description: rtf file with a malformed magic number
Reason: possible attempt to avoid detection
analysis.file: runs blacklisted file
Registered by: runs_blacklisted_file.nwr
analysis.file: runs chmod
Registered by: runs_chmod.nwr
analysis.file: runs curl
Registered by: runs_curl.nwr
analysis.file: runs ditto
Registered by: runs_ditto.nwr
analysis.file: runs graylisted file
Registered by: runs_graylisted_file.nwr
analysis.file: runs ifconfig
Registered by: runs_ifconfig.nwr
analysis.file: runs kextload
Registered by: runs_kextload.nwr
analysis.file: runs kextstat
Registered by: runs_kextstat.nwr
analysis.file: runs launchctl
Registered by: runs_launchctl.nwr
analysis.file: runs netstat
Registered by: runs_netstat.nwr
analysis.file: runs ping
Registered by: runs_ping.nwr
analysis.file: runs ps
Registered by: runs_ps.nwr
analysis.file: runs sh
Registered by: runs_sh.nwr
analysis.file: runs tar
Registered by: runs_tar.nwr
analysis.file: runs unzip
Registered by: runs_unzip.nwr
analysis.file: services in programdata directory
Registered by: services_in_programdata_directory.nwr
analysis.file: small java class
Registered by: fingerprint_java
analysis.file: small java jar
Registered by: fingerprint_java
analysis.file: suspicious chm
Registered by: fingerprint_chm_lua
analysis.file: suspicious regsvr32.exe task
Registered by: suspicious_regsvr32.exe_task.nwr
analysis.file: suspicious rtf
Registered by: fingerprint_rtf_lua
analysis.file: tasks in programdata directory
Registered by: tasks_in_programdata_directory.nwr
analysis.file: uncommon bmp format
Registered by: fingerprint_bmp
analysis.file: unexpected explorer.exe destination location
Registered by: unexpected_explorer.exe_destination_location.nwr
analysis.file: unexpected explorer.exe source location
Registered by: unexpected_explorer.exe_source_location.nwr
analysis.file: unexpected os process destination location
Registered by: unexpected_os_process_destination_location.nwr
analysis.file: unexpected os process source location
Registered by: unexpected_os_process_source_location.nwr
analysis.file: unsigned library in suspicious daemon
Registered by: unsigned_library_in_suspicious_daemon.nwr
analysis.file: uses libnss
Registered by: uses_libnss.nwr
analysis.file: uses libpcap
Registered by: uses_libpcap.nwr
analysis.file: writes blacklisted file
Registered by: writes_blacklisted_file.nwr
analysis.file: writes graylisted file
Registered by: writes_graylisted_file.nwr
analysis.file: zip file encrypted
Registered by: fingerprint_zip
analysis.file: zip file language encoded
Registered by: fingerprint_zip
analysis.file: zip file obfuscated
Registered by: fingerprint_zip
analysis.file: zipped chm
Registered by: fingerprint_zip
analysis.file: zipped hta
Registered by: fingerprint_zip
analysis.file: zipped wsf
Registered by: fingerprint_zip
analysis.service: Invalid SMB command
Registered by: SMB_lua
analysis.service: Microsoft BITS
Registered by: HTTP_lua
analysis.service: Microsoft RPC over HTTP
Registered by: HTTP_lua
analysis.service: Microsoft SCCM
Registered by: HTTP_lua
analysis.service: Qualys Scan
Registered by: HTTP_lua
analysis.service: RDP connection speed
Registered by: RDP_lua
analysis.service: SMB session on non-SMB port
Registered by: SMB_lua
analysis.service: SSL 2.0
Registered by: TLS_lua
analysis.service: SSL 3.0
Registered by: TLS_lua
analysis.service: SSL certificate chain incomplete
Registered by: fingerprint_certificate
Description: A single certificate in a chain for which the Issuer and Subject are not the same.
analysis.service: SSL certificate missing Issuer Organizational Name
Registered by: fingerprint_certificate
Description: Issuer section of a certificate does not have an ON attribute.
analysis.service: SSL certificate missing Subject Organizational Name
Registered by: fingerprint_certificate
Description: Subject section of a certificate does not have an ON attribute.
analysis.service: SSL certificate no issuer
Registered by: fingerprint_certificate
Description: Issuer section of a certificate has neither an ON nor a CN attribute.
analysis.service: SSL certificate no subject
Registered by: fingerprint_certificate
Description: Subject section of a certificate has neither an ON nor a CN attribute.
analysis.service: SSL certificate self-signed
Registered by: fingerprint_certificate
Description: A single certificate for which the Issuer and Subject are the same.
analysis.service: anomalous dns message
Registered by: DNS_verbose_lua
Description: DNS session contains several anomalies.
Reason: Malformed DNS message, possibly indicative of covert communication or attempt to influence client or server behavior.
analysis.service: anomalous or non-dns session on dns port
Registered by: DNS_verbose_lua
Description: Non-DNS session using port 53
Reason: Suspicious session attempting to masquerade as DNS.
analysis.service: base64 email attachment
Registered by: MAIL_lua
Description: email message contains base64 encoded attachment
Reason: Filter for email. Most email attachments are base64 encoded.
analysis.service: certificate anomalous expiration date
Registered by: fingerprint_certificate
Description: Certificate expiration date is malformed, nonsensical, or invalid.
Reason: Invalid or malformed certificates are suspicious.
analysis.service: certificate anomalous issued date
Registered by: fingerprint_certificate
Description: Certificate issued date is malformed, nonsensical, or invalid.
Reason: Invalid or malformed certificates are suspicious.
analysis.service: certificate domain validation
Registered by: fingerprint_certificate
Description: CA has validated that the applicant owns or controls the domain in question, but has not otherwise validated their identity.
analysis.service: certificate expired
Registered by: fingerprint_certificate
Description: Certificate was expired when presented.
Reason: Expired certificates are invalid and won't be presented by a legitimate host.
analysis.service: certificate expired within last week
Registered by: fingerprint_certificate
Description: Certificate was expired by less than a week when presented.
Reason: Expired certificates are not expected to be presented by a legitimate host.
analysis.service: certificate extended validation
Registered by: fingerprint_certificate
Description: CA has validated the identity of the applicant to the level defined by the Extended Validation Guidelines from the CA.
analysis.service: certificate individual validation
Registered by: fingerprint_certificate
Description: CA has validated the identity of the applicant individual to a level of rigour below that defined by the Extended Validation Guidelines.
analysis.service: certificate issued within last day
Registered by: fingerprint_certificate
Description: Certificate was presented less than a day since issued.
Reason: New certificates may be suspicious in combination with other characteristics of the session.
analysis.service: certificate issued within last month
Registered by: fingerprint_certificate
Description: Certificate was presented less than a month since issued.
Reason: New certificates may be suspicious in combination with other characteristics of the session.
analysis.service: certificate issued within last week
Registered by: fingerprint_certificate
Description: Certificate was presented less than a week since issued.
Reason: New certificates may be suspicious in combination with other characteristics of the session.
analysis.service: certificate long expiration
Registered by: fingerprint_certificate
Description: Certificate expires more than two years after it was issued.
Reason: Certificate validity is usually capped at two years. Longer-lived certificates may be suspicious.
analysis.service: certificate organization validation
Registered by: fingerprint_certificate
Description: CA has validated the identity of the applicant organization to a level of rigour below that defined by the Extended Validation Guidelines.
analysis.service: chunked encoding with content length
Registered by: HTTP_lua
Description: Content encoding 'chunked' should not specify content-length.
Reason: Indicative of request smuggling.
analysis.service: content-disposition filename contains null character
Registered by: HTTP_lua
analysis.service: direct to ip one char php
Registered by: HTTP_lua
analysis.service: dns base36 txt record
Registered by: DNS_verbose_lua
Description: TXT record consists of only alphanumeric with no spaces, punctuation, etc.
Reason: TXT records commonly contain at least some whitespace or punctuation. Possibly used for covert communications.
analysis.service: dns base64 txt record
Registered by: DNS_verbose_lua
Description: TXT record appears to be base64 encoded.
Reason: Possibly indicative of covert communications such as tunnelling, command and control, etc.
analysis.service: dns experimental record type
Registered by: DNS_verbose_lua
Description: Record type that should not be seen in a normal dns query or response.
Reason: Possibly indicative of covert communication.
analysis.service: dns extremely large number of answers
Registered by: DNS_verbose_lua
Description: A name resolved to a large number of addresses.
Reason: Possibly indicative of fast-flux.
analysis.service: dns extremely low auth ttl
Registered by: DNS_verbose_lua
Description: An NS record has a very low TTL.
Reason: Possibly indicative of fast-flux.
analysis.service: dns extremely low ttl
Registered by: DNS_verbose_lua
Description: A resource record has a very low TTL.
Reason: Possibly indicative of fast-flux.
analysis.service: dns invalid a record
Registered by: DNS_verbose_lua
Description: dns 'a' record that is not a valid IPv4 address
Reason: Malformed DNS message, possibly indicative of covert communication or attempt to influence server behavior.
analysis.service: dns invalid aaaa record
Registered by: DNS_verbose_lua
Description: dns 'aaaa' record that is not a valid IPv6 address
Reason: Malformed DNS message, possibly indicative of covert communication or attempt to influence server behavior.
analysis.service: dns invalid edns version
Registered by: DNS_verbose_lua
Description: DNS EDNS version must be 0.
Reason: Malformed DNS message, possibly indicative of covert communication or attempt to influence server behavior.
analysis.service: dns invalid error code
Registered by: DNS_verbose_lua
Description: DNS error code contained an invalid value.
Reason: Possibly indicative of covert communication.
analysis.service: dns invalid option code
Registered by: DNS_verbose_lua
Description: DNS EDNS option type not valid.
Reason: Malformed DNS message, possibly indicative of covert communication or attempt to influence server behavior.
analysis.service: dns invalid query type
Registered by: DNS_verbose_lua
Description: DNS client asked for an invalid resource type.
Reason: Malformed DNS message, possibly indicative of covert communication or attempt to influence server behavior.
analysis.service: dns large answer
Registered by: DNS_verbose_lua
Description: DNS query resolves to a very large name.
Reason: Possibly indicative of covert communications, or attempt to influence client behavior.
analysis.service: dns large number of additional records
Registered by: DNS_verbose_lua
Description: DNS response containing a large number of additional records.
Reason: Possibly indicative of fast-flux or covert communications.
analysis.service: dns large number of answers
Registered by: DNS_verbose_lua
Description: DNS response containing a large number of answer records.
Reason: Possibly indicative of fast-flux or covert communications.
analysis.service: dns large number of authority records
Registered by: DNS_verbose_lua
Description: DNS response containing a large number of authority records.
Reason: Possibly indicative of fast-flux or covert communications.
analysis.service: dns large number of queries
Registered by: DNS_verbose_lua
Description: A DNS request to resolve a large number of names.
Reason: Possibly indicative of covert communications, or attempt to influence server behavior.
analysis.service: dns long query
Registered by: DNS_verbose_lua
Description: A request to resolve a very long name.
Reason: Possibly indicative of covert communication.
analysis.service: dns low ttl
Registered by: DNS_verbose_lua
Description: A resource record has a low TTL.
Reason: Possibly indicative of fast-flux.
analysis.service: dns obscure record type
Registered by: DNS_verbose_lua
Description: Record type that should not be seen in a normal dns query or response.
Reason: Possibly indicative of covert communication.
analysis.service: dns obsolete record type
Registered by: DNS_verbose_lua
Description: Record type that should not be seen in a normal dns query or response.
Reason: Possibly indicative of covert communication.
analysis.service: dns query contains answer records
Registered by: DNS_verbose_lua
Description: DNS query contains records in the 'answer' section.
Reason: Queries should not contain answers.
analysis.service: dns query contains authority records
Registered by: DNS_verbose_lua
Description: DNS query contains records in the 'authority' section.
Reason: Queries should not contain authority records.
analysis.service: dns query for uncommon record class
Registered by: DNS_verbose_lua
Description: Client requested a record class other than 'IN'.
Reason: Possibly indicative of covert communication.
analysis.service: dns reserved record type
Registered by: DNS_verbose_lua
Description: Record type that should not be seen in a normal dns query or response.
Reason: Possibly indicative of covert communication.
analysis.service: dns single request response
Registered by: DNS_verbose_lua
Description: dns session consists of a single request and/or response
Reason: Enables focus on unique DNS sessions potentially indicating origin of infection or multiple names for the same C2 IP
analysis.service: dns unnasigned record type
Registered by: DNS_verbose_lua
Description: Record type that should not be seen in a normal dns query or response.
Reason: Possibly indicative of covert communication.
analysis.service: dns unsolicited response records
Registered by: DNS_verbose_lua
Description: A DNS response contained answers but no questions.
Reason: Common behavior is for the DNS server to include the client questions in the response.
analysis.service: dns z reserved present
Registered by: DNS_verbose_lua
Description: DNS flags contained an invalid value.
Reason: Malformed DNS message, possibly indicative of covert communication or attempt to influence server behavior.
analysis.service: dynamic dns host
Registered by: DynDNS
analysis.service: dynamic dns http
Registered by: DynDNS
analysis.service: dynamic dns query
Registered by: DynDNS
analysis.service: dynamic dns server
Registered by: DynDNS
analysis.service: email address domain is an IP
Registered by: MAIL_lua
Description: An email address of the form 'user@1.2.3.4'
Reason: Direct to IP email addresses are unusual and suspicious.
analysis.service: email missing recipients
Registered by: MAIL_lua
Description: An email contains no 'To', 'cc', or 'bcc' recipients
Reason: Attempt to hide message recipients.
analysis.service: email recipients cc/bcc only
Registered by: MAIL_lua
Description: An email does not specify a 'To' recipient
Reason: Attempt to hide message recipients.
analysis.service: express x-mailer
Registered by: MAIL_lua
Description: Email client contains 'express'
Reason: Express Mailer is often used for phishing campaigns.
analysis.service: host header contains port
Registered by: HTTP_lua
analysis.service: hostname consecutive consonants
Registered by: TLD_lua
analysis.service: hostname invalid
Registered by: TLD_lua
analysis.service: hostname looks like ip address
Registered by: DNS_verbose_lua
Description: An FQDN contains an IPv4 address, e.g. '1.2.3.4.com'
Reason: Possible attempt to masquerade as a trusted host.
analysis.service: href host doesn't match displayed host
Registered by: phishing_lua
Description: A link in an email displays a url inconsistent with the actual target of the link.
Reason: Attempt to trick a user into going to a possibly malicious site.
analysis.service: http 1.0 unsupported cache header
Registered by: HTTP_lua
analysis.service: http 1.0 unsupported cookie header
Registered by: HTTP_lua
analysis.service: http 1.0 unsupported etag header
Registered by: HTTP_lua
analysis.service: http 1.0 unsupported host header
Registered by: HTTP_lua
analysis.service: http 1.0 unsupported max-forwards header
Registered by: HTTP_lua
analysis.service: http 1.0 unsupported md5 header
Registered by: HTTP_lua
analysis.service: http 1.0 unsupported options method
Registered by: HTTP_lua
analysis.service: http 1.0 unsupported proxyauth header
Registered by: HTTP_lua
analysis.service: http 1.0 unsupported proxyauthenticate header
Registered by: HTTP_lua
analysis.service: http 1.0 unsupported range header
Registered by: HTTP_lua
analysis.service: http 1.0 unsupported te header
Registered by: HTTP_lua
analysis.service: http 1.0 unsupported transferencoding header
Registered by: HTTP_lua
analysis.service: http 1.0 unsupported upgrade header
Registered by: HTTP_lua
analysis.service: http 1.0 unsupported vary header
Registered by: HTTP_lua
analysis.service: http 1.0 unsupported warning header
Registered by: HTTP_lua
analysis.service: http 200 response no data
Registered by: HTTP_lua
Description: HTTP server responded with status 200 but then sent no data.
Reason: A 200 status response almost always includes response data.
analysis.service: http connect
Registered by: HTTP_lua
analysis.service: http content header string concatenation
Registered by: HTTP_lua
analysis.service: http content-md5 overflow
Registered by: HTTP_lua
analysis.service: http contentdisposition with filename
Registered by: HTTP_lua
analysis.service: http direct to ip request
Registered by: HTTP_lua
analysis.service: http explicit proxy request
Registered by: HTTP_lua
analysis.service: http four headers
Registered by: HTTP_lua
analysis.service: http four or less headers
Registered by: HTTP_lua
analysis.service: http get no post
Registered by: HTTP_lua
analysis.service: http get no post with content-length
Registered by: HTTP_lua
analysis.service: http high header count
Registered by: HTTP_lua
analysis.service: http host header is an integer
Registered by: HTTP_lua
analysis.service: http invalid allow methods
Registered by: HTTP_lua
analysis.service: http invalid cookie
Registered by: HTTP_lua
Description: Cookie did not consist of key=value pairs.
Reason: Use of cookies for command and control.
analysis.service: http invalid transfer encoding
Registered by: HTTP_lua
analysis.service: http java
Registered by: HTTP_lua
Description: java client version 1.4-1.8
analysis.service: http large byte range
Registered by: HTTP_lua
analysis.service: http long query
Registered by: HTTP_lua
analysis.service: http long user-agent
Registered by: HTTP_lua
analysis.service: http max length user-agent
Registered by: HTTP_lua
analysis.service: http mid length user-agent
Registered by: HTTP_lua
analysis.service: http misspelled cookie
Registered by: HTTP_lua
Description: Cookie header was misspelled as 'Cookies' (plural)
Reason: Common mistake seen in malware and scripts
analysis.service: http misspelled referer
Registered by: HTTP_lua
Description: Referer header was misspelled as 'Referrer'
Reason: Common mistake seen in malware and scripts
analysis.service: http misspelled user-agent
Registered by: HTTP_lua
Description: User-Agent header was misspelled as 'UserAgent'
Reason: Common mistake seen in malware and scripts
analysis.service: http netbox server
Registered by: HTTP_lua
analysis.service: http no accept header
Registered by: HTTP_lua
analysis.service: http no connection header
Registered by: HTTP_lua
analysis.service: http no host header
Registered by: HTTP_lua
analysis.service: http no referer
Registered by: HTTP_lua
analysis.service: http no server header
Registered by: HTTP_lua
analysis.service: http no user-agent
Registered by: HTTP_lua
analysis.service: http nonstandard mozilla
Registered by: HTTP_lua
analysis.service: http not good mozilla
Registered by: HTTP_lua
analysis.service: http possible exploitkit
Registered by: HTTP_lua
analysis.service: http post and get
Registered by: HTTP_lua
analysis.service: http post missing content-length
Registered by: Form_Data_lua
analysis.service: http post missing content-type
Registered by: Form_Data_lua
analysis.service: http post no get
Registered by: HTTP_lua
analysis.service: http post no get low header count not flash
Registered by: HTTP_lua
analysis.service: http post no get missing content-length
Registered by: HTTP_lua
analysis.service: http post no get no referer
Registered by: HTTP_lua
analysis.service: http post no get no referer directtoip
Registered by: HTTP_lua
analysis.service: http post no get short filename suspicious extension
Registered by: HTTP_lua
analysis.service: http post no get short user-agent
Registered by: HTTP_lua
analysis.service: http query with base64
Registered by: HTTP_lua
analysis.service: http request path host header mismatch
Registered by: HTTP_lua
Description: The request path specified a host other than the value of the HOST: header
Reason: Indicative of domain fronting, though may be legitimate when used by CDNs
analysis.service: http request querystring contains ip address
Registered by: HTTP_lua
analysis.service: http response filename
Registered by: HTTP_lua
analysis.service: http response filename attachment
Registered by: HTTP_lua
analysis.service: http response filename bin
Registered by: HTTP_lua
analysis.service: http response filename exe
Registered by: HTTP_lua
analysis.service: http response filename inline
Registered by: HTTP_lua
analysis.service: http response status ends with space
Registered by: HTTP_lua
Description: Extraneous space character at the end of the response status line
Reason: Anomalous. Possibly indicative of a nanohttpd server.
analysis.service: http server location redirect
Registered by: HTTP_lua
analysis.service: http short user-agent
Registered by: HTTP_lua
analysis.service: http short user-agent ie
Registered by: HTTP_lua
analysis.service: http single request
Registered by: HTTP_lua
Description: Only one http request in the session
analysis.service: http single response
Registered by: HTTP_lua
Description: Only one http response in the session
analysis.service: http six or less headers
Registered by: HTTP_lua
analysis.service: http ssdp
Registered by: HTTP_lua
analysis.service: http suspicious 4 headers
Registered by: HTTP_lua
analysis.service: http suspicious 6 headers
Registered by: HTTP_lua
analysis.service: http suspicious connect
Registered by: HTTP_lua
analysis.service: http suspicious no cookie
Registered by: HTTP_lua
analysis.service: http suspicious user-agent
Registered by: HTTP_lua
analysis.service: http three headers
Registered by: HTTP_lua
analysis.service: http two headers
Registered by: HTTP_lua
analysis.service: http uncommon origin schema
Registered by: HTTP_lua
Description: Origin header value doesn't begin with 'http(s)://'
Reason: Possible malicious redirect.
analysis.service: http webdav
Registered by: HTTP_lua
analysis.service: http webshell
Registered by: HTTP_lua
analysis.service: http webshell error
Registered by: HTTP_lua
analysis.service: http webshell no error
Registered by: HTTP_lua
analysis.service: http wget direct to ip
Registered by: HTTP_lua
analysis.service: http with base64
Registered by: HTTP_lua
analysis.service: http with binary
Registered by: HTTP_lua
analysis.service: inbound email
Registered by: MAIL_lua
Description: Email source is external to the environment.
Reason: Filter for incoming email.
analysis.service: large session dns port
Registered by: DNS_verbose_lua
Description: An outbound large non-DNS session using port 53.
Reason: Suspicious session attempting to masquerade as DNS.
analysis.service: large session dns service
Registered by: DNS_verbose_lua
Description: An unusually large outbound DNS session.
Reason: DNS sessions are typically small. Larger sessions could be indicative of tunnelling or covert communications.
analysis.service: loopback resolution of non-local name
Registered by: DNS_verbose_lua
Description: A name external to the environment resolves to the host loopback address.
Reason: Tactic used by proxy malware.
analysis.service: named pipe
Registered by: SMB_lua
analysis.service: outbound dns
Registered by: DNS_verbose_lua
Description: DNS request to a server not local to the environment.
Reason: Clients typically make requests to local DNS servers. Possibly indicative of attempts to block DNS-based restrictions.
analysis.service: possible base64 http form data
Registered by: Form_Data_lua
analysis.service: quic
Registered by: QUIC
Description: google quic protocol
Reason: encryption
analysis.service: received header IP mismatch
Registered by: MAIL_lua
Description: The reverse of a client email server's hostname differs from the IP address from which it connected.
Reason: Attempt to masquerade as a legitimate host.
analysis.service: received header hostname mismatch
Registered by: MAIL_lua
Description: A client email server claims to be a host other than the reverse of its IP address.
Reason: Attempt to masquerade as a legitimate host.
analysis.service: screen resolution
Registered by: RDP_lua
analysis.service: smb at command
Registered by: SMB_lua
analysis.service: smtp forged sender
Registered by: MAIL_lua
Description: SMTP protocol sender doesn't match envelope sender
Reason: Commonly seen from distribution lists, etc. When combined with other characteristics, possibly indicative of phishing.
analysis.service: sni localhost
Registered by: TLS_lua
Description: the Server Name Indication (SNI) in an outbound TLS session is 'localhost'
analysis.service: ssh protocol version 1
Registered by: SSH_lua
analysis.service: ssl sni doesn't match http host
Registered by: TLS_lua
Description: an HTTP client specified different hostnames for an HTTP request and an SSL request to the same server
Reason: A domain fronting technique that can be used by malware hiding its true destination. Is also commonly used legitimately by Content Delivery Networks. Requires HTTP_lua.
analysis.service: subject phish
Registered by: MAIL_lua
Description: Incoming email from an uncommon source with a subject containing an important-seeming keyword.
Reason: Characteristics common to phishing emails.
analysis.service: suspicious traffic port 53
Registered by: DNS_verbose_lua
Description: Non-DNS session on port 53.
Reason: Suspicious session attempting to masquerade as DNS.
analysis.service: suspiciously named domain
Registered by: TLD_lua
analysis.service: tld not com net org
Registered by: TLD_lua
analysis.service: tunnel service
Registered by: DynDNS
analysis.service: uncommon mail source
Registered by: MAIL_lua
Description: Incoming email from a source not commonly known for sending email.
Reason: Filter for incoming email.
analysis.service: watchlist file extension
Registered by: HTTP_lua
analysis.service: watchlist file fingerprint
Registered by: HTTP_lua
analysis.service: websocket
Registered by: HTTP_lua
Description: Websocket session
analysis.service: windows cli admin commands
Registered by: windows_command_shell_lua
analysis.service: windows command shell
Registered by: windows_command_shell_lua
analysis.service: windows powershell
Registered by: windows_command_shell_lua
analysis.session: binary handshake
Registered by: session_analysis
analysis.session: binary indicator
Registered by: session_analysis
analysis.session: data push
Registered by: session_analysis
Description: Only the PSH and ACK flags were seen in the session.
analysis.session: eicar test string
Registered by: eicar
Description: eicar test string detected
Reason: validation of visibility
analysis.session: first carve
Registered by: session_analysis
analysis.session: first carve not dns
Registered by: session_analysis
analysis.session: first carve not top 20 dst
Registered by: session_analysis
analysis.session: high transmitted outbound
Registered by: session_analysis
analysis.session: host no response
Registered by: session_analysis
Description: Only the SYN flag was seen in the session.
Reason: Client attempted to connect to a server which did not respond.
analysis.session: host not listening
Registered by: session_analysis
Description: Only the SYN and RST, or SYN, RST and ACK flags were seen in the session.
Reason: Client attempted to connect to a server on a closed port.
analysis.session: icmp large session
Registered by: session_analysis
analysis.session: icmp tunnel
Registered by: session_analysis
analysis.session: inbound traffic
Registered by: session_analysis
analysis.session: large icmp request frame
Registered by: ICMP
analysis.session: large icmp response frame
Registered by: ICMP
analysis.session: long connection
Registered by: session_analysis
analysis.session: medium transmitted outbound
Registered by: session_analysis
analysis.session: not top 20 dst
Registered by: traffic_flow
analysis.session: outbound syslog
Registered by: session_analysis
analysis.session: potential beacon
Registered by: session_analysis
analysis.session: ratio high transmitted
Registered by: session_analysis
analysis.session: ratio low transmitted
Registered by: session_analysis
analysis.session: ratio medium transmitted
Registered by: session_analysis
analysis.session: request no payload
Registered by: session_analysis
Description: no payload was sent from the client to the server
Reason: possibly indicative of beaconing
analysis.session: reserved icmp type
Registered by: ICMP
analysis.session: response no payload
Registered by: session_analysis
Description: no payload was sent from the server to the client
Reason: possibly indicative of exfiltration or beaconing
analysis.session: session size 0-5k
Registered by: session_analysis
analysis.session: session size 10-50k
Registered by: session_analysis
analysis.session: session size 100-250k
Registered by: session_analysis
analysis.session: session size 5-10k
Registered by: session_analysis
analysis.session: session size 50-100k
Registered by: session_analysis
analysis.session: single sided tcp
Registered by: session_analysis
analysis.session: single sided udp
Registered by: session_analysis
analysis.session: suspicious other
Registered by: session_analysis
analysis.session: suspicious other bad org
Registered by: session_analysis
analysis.session: tcp flags all
Registered by: session_analysis
Description: All possible TCP flags were seen in the session.
Reason: It is unusual for all flags to be used in any session.
analysis.session: tcp flags null
Registered by: session_analysis
Description: No TCP flags were seen in a TCP session.
Reason: At a minimum a TCP session will contain ACK.
analysis.session: teredo tunnel
Registered by: teredo
Description: session is a teredo (IPv6-in-IPv4) tunnel
Reason: if not expected, may be indicative of covert communication such as command/control or exfiltration
analysis.session: watchlist dst
Registered by: traffic_flow
analysis.session: watchlist port
Registered by: session_analysis
analysis.session: zero payload
Registered by: session_analysis
boc: SSL client suspicious ciphersuites
Registered by: TLS_lua
Description: Client offered RSA_WITH_RC4_128_MD5, RSA_WITH_RC4_128_SHA, or RSA_WITH_3DES_EDE_CBC_SHA without offering RSA_WITH_AES_128_CBC_SHA or RSA_WITH_AES_256_CBC_SHA.
Reason: Behavior commonly seen from malware SSL clients.
boc: accesses administrative share using command shell
Registered by: accesses_administrative_share_using_command_shell.nwr
boc: add user to domain group
Registered by: DCERPC,SMB_lua
boc: adds firewall rule
Registered by: adds_firewall_rule.nwr
boc: allocates remote memory
Registered by: allocates_remote_memory.nwr
boc: archiving software reads multiple documents
Registered by: archiving_software_reads_multiple_documents.nwr
boc: autorun unsigned winlogon helper dll
Registered by: autorun_unsigned_winlogon_helper_dll.nwr
boc: browser runs command prompt
Registered by: browser_runs_command_prompt.nwr
boc: browser runs mshta
Registered by: browser_runs_mshta.nwr
boc: browser runs powershell
Registered by: browser_runs_powershell.nwr
boc: builds script incrementally
Registered by: builds_script_incrementally.nwr
boc: change remote service config
Registered by: DCERPC,SMB_lua
boc: clear remote event log
Registered by: DCERPC,SMB_lua
boc: clears security event log
Registered by: clears_security_event_log.nwr
boc: clears system event log
Registered by: clears_system_event_log.nwr
boc: combines binaries using command prompt
Registered by: combines_binaries_using_command_prompt.nwr
boc: command line usage of archiving software
Registered by: command_line_usage_of_archiving_software.nwr
boc: command prompt obfuscation
Registered by: command_prompt_obfuscation.nwr
boc: command prompt obfuscation using value extraction
Registered by: command_prompt_obfuscation_using_value_extraction.nwr
boc: command shell copy items
Registered by: command_shell_copy_items.nwr
boc: configures port redirection
Registered by: configures_port_redirection.nwr
boc: copies binary over administrative share
Registered by: copies_binary_over_administrative_share.nwr
boc: create remote registry key
Registered by: DCERPC,SMB_lua
boc: create remote service
Registered by: DCERPC,SMB_lua
boc: create remote task
Registered by: DCERPC,SMB_lua
boc: created in last month
Registered by: created_in_last_month.nwr
boc: creates browser extension
Registered by: creates_browser_extension.nwr
boc: creates domain user account
Registered by: creates_domain_user_account.nwr
boc: creates executable in startup directory
Registered by: creates_executable_in_startup_directory.nwr
boc: creates local driver service
Registered by: creates_local_driver_service.nwr
boc: creates local service
Registered by: creates_local_service.nwr
boc: creates local task
Registered by: creates_local_task.nwr
boc: creates local user account
Registered by: creates_local_user_account.nwr
boc: creates password-protected archive
Registered by: creates_password-protected_archive.nwr
boc: creates recursive archive
Registered by: creates_recursive_archive.nwr
boc: creates remote process using wmi command-line tool
Registered by: creates_remote_process_using_wmi_command-line_tool.nwr
boc: creates remote service
Registered by: creates_remote_service.nwr
boc: creates remote task
Registered by: creates_remote_task.nwr
boc: creates run key
Registered by: creates_run_key.nwr
boc: creates shadow volume for logical drive
Registered by: creates_shadow_volume_for_logical_drive.nwr
boc: creates suspicious service running command prompt
Registered by: creates_suspicious_service_running_command_prompt.nwr
boc: deletes backup catalog
Registered by: deletes_backup_catalog.nwr
boc: deletes firewall rule
Registered by: deletes_firewall_rule.nwr
boc: deletes shadow volume copies
Registered by: deletes_shadow_volume_copies.nwr
boc: deletes usn change journal
Registered by: deletes_usn_change_journal.nwr
boc: disables firewall
Registered by: disables_firewall.nwr
boc: disables security service
Registered by: disables_security_service.nwr
boc: disables startup repair
Registered by: disables_startup_repair.nwr
boc: disables uac
Registered by: disables_uac.nwr
boc: disables uac remote restrictions
Registered by: disables_uac_remote_restrictions.nwr
boc: disables windows defender using powershell
Registered by: disables_windows_defender_using_powershell.nwr
boc: downloads binary using certutil
Registered by: downloads_binary_using_certutil.nwr
boc: dumps dns cache
Registered by: dumps_dns_cache.nwr
boc: enables cleartext credential storage
Registered by: enables_cleartext_credential_storage.nwr
boc: enables rdp from command-line
Registered by: enables_rdp_from_command-line.nwr
boc: enumerate domain group
Registered by: DCERPC,SMB_lua
boc: enumerate domain users
Registered by: DCERPC,SMB_lua
boc: enumerate remote resources
Registered by: DCERPC,SMB_lua
boc: enumerate remote sessions
Registered by: DCERPC,SMB_lua
boc: enumerates arp table
Registered by: enumerates_arp_table.nwr
boc: enumerates available systems on network
Registered by: enumerates_available_systems_on_network.nwr
boc: enumerates domain account policy
Registered by: enumerates_domain_account_policy.nwr
boc: enumerates domain administrators
Registered by: enumerates_domain_administrators.nwr
boc: enumerates domain computers
Registered by: enumerates_domain_computers.nwr
boc: enumerates domain controllers
Registered by: enumerates_domain_controllers.nwr
boc: enumerates domain groups
Registered by: enumerates_domain_groups.nwr
boc: enumerates domain users
Registered by: enumerates_domain_users.nwr
boc: enumerates enterprise administrators
Registered by: enumerates_enterprise_administrators.nwr
boc: enumerates exchange domain servers
Registered by: enumerates_exchange_domain_servers.nwr
boc: enumerates exchange servers
Registered by: enumerates_exchange_servers.nwr
boc: enumerates ip configuration
Registered by: enumerates_ip_configuration.nwr
boc: enumerates local account policy
Registered by: enumerates_local_account_policy.nwr
boc: enumerates local administrators
Registered by: enumerates_local_administrators.nwr
boc: enumerates local administrators on domain controller
Registered by: enumerates_local_administrators_on_domain_controller.nwr
boc: enumerates local groups
Registered by: enumerates_local_groups.nwr
boc: enumerates local services
Registered by: enumerates_local_services.nwr
boc: enumerates local users
Registered by: enumerates_local_users.nwr
boc: enumerates logical disk
Registered by: enumerates_logical_disk.nwr
boc: enumerates mapped resources
Registered by: enumerates_mapped_resources.nwr
boc: enumerates network connections
Registered by: enumerates_network_connections.nwr
boc: enumerates primary domain controller
Registered by: enumerates_primary_domain_controller.nwr
boc: enumerates processes on local system
Registered by: enumerates_processes_on_local_system.nwr
boc: enumerates processes on remote system
Registered by: enumerates_processes_on_remote_system.nwr
boc: enumerates remote netbios name table
Registered by: enumerates_remote_netbios_name_table.nwr
boc: enumerates remote resources
Registered by: enumerates_remote_resources.nwr
boc: enumerates route table
Registered by: enumerates_route_table.nwr
boc: enumerates services hosted in processes
Registered by: enumerates_services_hosted_in_processes.nwr
boc: enumerates system info
Registered by: enumerates_system_info.nwr
boc: enumerates trusted domains
Registered by: enumerates_trusted_domains.nwr
boc: evasive powershell used over network
Registered by: evasive_powershell_used_over_network.nwr
boc: event viewer executes uncommon binary
Registered by: event_viewer_executes_uncommon_binary.nwr
boc: execute dll through rundll32
Registered by: execute_dll_through_rundll32.nwr
boc: explorer public folder dll load
Registered by: explorer_public_folder_dll_load.nwr
boc: exports sensitive registry hive
Registered by: exports_sensitive_registry_hive.nwr
boc: extracts password-protected archive
Registered by: extracts_password-protected_archive.nwr
boc: get remote time
Registered by: DCERPC,SMB_lua
boc: gets current user as system
Registered by: gets_current_user_as_system.nwr
boc: gets current username
Registered by: gets_current_username.nwr
boc: gets current username and group information
Registered by: gets_current_username_and_group_information.nwr
boc: gets hostname
Registered by: gets_hostname.nwr
boc: gets remote time
Registered by: gets_remote_time.nwr
boc: hidden and hooking
Registered by: hidden_and_hooking.nwr
boc: hidden running as root
Registered by: hidden_running_as_root.nwr
boc: http daemon runs command prompt
Registered by: http_daemon_runs_command_prompt.nwr
boc: http daemon runs powershell
Registered by: http_daemon_runs_powershell.nwr
boc: http daemon runs reconnaissance tool
Registered by: http_daemon_runs_reconnaissance_tool.nwr
boc: http daemon writes executable
Registered by: http_daemon_writes_executable.nwr
boc: in root of logical drive
Registered by: in_root_of_logical_drive.nwr
boc: in root of users directory
Registered by: in_root_of_users_directory.nwr
boc: installs root certificate
Registered by: installs_root_certificate.nwr
boc: lateral movement with credentials using net utility
Registered by: lateral_movement_with_credentials_using_net_utility.nwr
boc: lists anti-spyware products
Registered by: lists_anti-spyware_products.nwr
boc: lists antivirus products
Registered by: lists_antivirus_products.nwr
boc: lists firewall products
Registered by: lists_firewall_products.nwr
boc: maps administrative share
Registered by: maps_administrative_share.nwr
boc: maps ipc$ share
Registered by: maps_ipc$_share.nwr
boc: modifies registry using command-line registry tool
Registered by: modifies_registry_using_command-line_registry_tool.nwr
boc: modifies run key
Registered by: modifies_run_key.nwr
boc: modifies shell-open-command file association
Registered by: modifies_shell-open-command_file_association.nwr
boc: mshta runs command prompt
Registered by: mshta_runs_command_prompt.nwr
boc: mshta runs powershell
Registered by: mshta_runs_powershell.nwr
boc: mshta runs scripting engine
Registered by: mshta_runs_scripting_engine.nwr
boc: network access
Registered by: network_access.nwr
boc: non-microsoft modifies bad certificate warning setting
Registered by: non-microsoft_modifies_bad_certificate_warning_setting.nwr
boc: non-microsoft modifies firewall policy
Registered by: non-microsoft_modifies_firewall_policy.nwr
boc: non-microsoft modifies internet zone setting
Registered by: non-microsoft_modifies_internet_zone_setting.nwr
boc: non-microsoft modifies lua setting
Registered by: non-microsoft_modifies_lua_setting.nwr
boc: non-microsoft modifies registry editor setting
Registered by: non-microsoft_modifies_registry_editor_setting.nwr
boc: non-microsoft modifies security center config
Registered by: non-microsoft_modifies_security_center_config.nwr
boc: non-microsoft modifies services imagepath
Registered by: non-microsoft_modifies_services_imagepath.nwr
boc: non-microsoft modifies task manager setting
Registered by: non-microsoft_modifies_task_manager_setting.nwr
boc: non-microsoft modifies windows system policy
Registered by: non-microsoft_modifies_windows_system_policy.nwr
boc: non-microsoft modifies zone crossing warning setting
Registered by: non-microsoft_modifies_zone_crossing_warning_setting.nwr
boc: office application crashed
Registered by: office_application_crashed.nwr
boc: office application injects remote process
Registered by: office_application_injects_remote_process.nwr
boc: office application runs bits
Registered by: office_application_runs_bits.nwr
boc: office application runs command prompt
Registered by: office_application_runs_command_prompt.nwr
boc: office application runs powershell
Registered by: office_application_runs_powershell.nwr
boc: office application runs scripted ftp
Registered by: office_application_runs_scripted_ftp.nwr
boc: office application runs scripting engine
Registered by: office_application_runs_scripting_engine.nwr
boc: office application runs task scheduler
Registered by: office_application_runs_task_scheduler.nwr
boc: office application runs wmi scripting engine
Registered by: office_application_runs_wmi_scripting_engine.nwr
boc: office application writes executable
Registered by: office_application_writes_executable.nwr
boc: opens browser process
Registered by: opens_browser_process.nwr
boc: opens os process
Registered by: opens_os_process.nwr
boc: opens process
Registered by: opens_process.nwr
boc: os process runs command shell
Registered by: os_process_runs_command_shell.nwr
boc: outbound from unsigned appdata directory
Registered by: outbound_from_unsigned_appdata_directory.nwr
boc: outbound from unsigned temporary directory
Registered by: outbound_from_unsigned_temporary_directory.nwr
boc: outbound from windows directory
Registered by: outbound_from_windows_directory.nwr
boc: outbound session greater than 1gb
Registered by: outbound_session_greater_than_1gb.nwr
boc: outbound session greater than 500mb
Registered by: outbound_session_greater_than_500mb.nwr
boc: performs scripted file transfer
Registered by: performs_scripted_file_transfer.nwr
boc: possibly configures uac bypass
Registered by: possibly_configures_uac_bypass.nwr
boc: possibly renamed net.exe detected
Registered by: possibly_renamed_net.exe_detected.nwr
boc: potential outlook exploit
Registered by: potential_outlook_exploit.nwr
boc: powershell command using string manipulation
Registered by: powershell_command_using_string_manipulation.nwr
boc: powershell injects remote process
Registered by: powershell_injects_remote_process.nwr
boc: powershell opens lsass process
Registered by: powershell_opens_lsass_process.nwr
boc: powershell runs command prompt
Registered by: powershell_runs_command_prompt.nwr
boc: powershell runs scripting engine
Registered by: powershell_runs_scripting_engine.nwr
boc: process redirects to stdout or stderr
Registered by: process_redirects_to_stdout_or_stderr.nwr
boc: psexesvc runs powershell
Registered by: psexesvc_runs_powershell.nwr
boc: psexesvc runs scripting engine
Registered by: psexesvc_runs_scripting_engine.nwr
boc: psexesvc runs shell commands
Registered by: psexesvc_runs_shell_commands.nwr
boc: queries processes on local system
Registered by: queries_processes_on_local_system.nwr
boc: queries processes on remote system
Registered by: queries_processes_on_remote_system.nwr
boc: queries registry using command-line registry tool
Registered by: queries_registry_using_command-line_registry_tool.nwr
boc: queries terminal sessions
Registered by: queries_terminal_sessions.nwr
boc: queries users logged on local system
Registered by: queries_users_logged_on_local_system.nwr
boc: queries users logged on remote system
Registered by: queries_users_logged_on_remote_system.nwr
boc: rdp launching loopback address
Registered by: rdp_launching_loopback_address.nwr
boc: record screen captures using psr tool
Registered by: record_screen_captures_using_psr_tool.nwr
boc: registers shim database
Registered by: registers_shim_database.nwr
boc: regsvr32 creates windows task
Registered by: regsvr32_creates_windows_task.nwr
boc: regsvr32 runs powershell
Registered by: regsvr32_runs_powershell.nwr
boc: regsvr32 runs rundll32
Registered by: regsvr32_runs_rundll32.nwr
boc: regsvr32 writes executable
Registered by: regsvr32_writes_executable.nwr
boc: remote directory traversal
Registered by: remote_directory_traversal.nwr
boc: remote scheduled task
Registered by: SMB_lua
boc: remote service control
Registered by: SMB_lua
boc: remote wmi activity
Registered by: DCERPC,SMB_lua
boc: rundll32 creates windows task
Registered by: rundll32_creates_windows_task.nwr
boc: rundll32 runs powershell
Registered by: rundll32_runs_powershell.nwr
boc: runs acl management tool
Registered by: runs_acl_management_tool.nwr
boc: runs active directory service query tool
Registered by: runs_active_directory_service_query_tool.nwr
boc: runs binary located in recycle bin directory
Registered by: runs_binary_located_in_recycle_bin_directory.nwr
boc: runs binary located in root of logical drive
Registered by: runs_binary_located_in_root_of_logical_drive.nwr
boc: runs binary located in root of program directory
Registered by: runs_binary_located_in_root_of_program_directory.nwr
boc: runs binary located in root of users directory
Registered by: runs_binary_located_in_root_of_users_directory.nwr
boc: runs binary located in system volume information directory
Registered by: runs_binary_located_in_system_volume_information_directory.nwr
boc: runs certutil with decode arguments
Registered by: runs_certutil_with_decode_arguments.nwr
boc: runs certutil with encode arguments
Registered by: runs_certutil_with_encode_arguments.nwr
boc: runs certutil with hashfile arguments
Registered by: runs_certutil_with_hashfile_arguments.nwr
boc: runs chained command shell
Registered by: runs_chained_command_shell.nwr
boc: runs credential dumping tools
Registered by: runs_credential_dumping_tools.nwr
boc: runs dns lookup tool
Registered by: runs_dns_lookup_tool.nwr
boc: runs dns lookup tool for txt record
Registered by: runs_dns_lookup_tool_for_txt_record.nwr
boc: runs file attributes modification tool
Registered by: runs_file_attributes_modification_tool.nwr
boc: runs file transfer tool
Registered by: runs_file_transfer_tool.nwr
boc: runs forfiles.exe
Registered by: runs_forfiles.exe.nwr
boc: runs mshta with http argument
Registered by: runs_mshta_with_http_argument.nwr
boc: runs mshta with script argument
Registered by: runs_mshta_with_script_argument.nwr
boc: runs msiexec with http argument
Registered by: runs_msiexec_with_http_argument.nwr
boc: runs network configuration tool
Registered by: runs_network_configuration_tool.nwr
boc: runs network connectivity tool
Registered by: runs_network_connectivity_tool.nwr
boc: runs one letter executable
Registered by: runs_one_letter_executable.nwr
boc: runs one letter script
Registered by: runs_one_letter_script.nwr
boc: runs powershell
Registered by: runs_powershell.nwr
boc: runs powershell bypassing execution policy
Registered by: runs_powershell_bypassing_execution_policy.nwr
boc: runs powershell decoding base64 string
Registered by: runs_powershell_decoding_base64_string.nwr
boc: runs powershell defining function
Registered by: runs_powershell_defining_function.nwr
boc: runs powershell downloading content
Registered by: runs_powershell_downloading_content.nwr
boc: runs powershell memory stream function
Registered by: runs_powershell_memory_stream_function.nwr
boc: runs powershell shellexecute function
Registered by: runs_powershell_shellexecute_function.nwr
boc: runs powershell using encoded command
Registered by: runs_powershell_using_encoded_command.nwr
boc: runs powershell using environment variables
Registered by: runs_powershell_using_environment_variables.nwr
boc: runs powershell with hidden window
Registered by: runs_powershell_with_hidden_window.nwr
boc: runs powershell with http argument
Registered by: runs_powershell_with_http_argument.nwr
boc: runs powershell with long arguments
Registered by: runs_powershell_with_long_arguments.nwr
boc: runs psexec on remote system and silently accepts user license
Registered by: runs_psexec_on_remote_system_and_silently_accepts_user_license.nwr
boc: runs psexec on remote system as system user
Registered by: runs_psexec_on_remote_system_as_system_user.nwr
boc: runs registry tool
Registered by: runs_registry_tool.nwr
boc: runs regsvr32 com scriplets
Registered by: runs_regsvr32_com_scriplets.nwr
boc: runs regsvr32 using one letter dll
Registered by: runs_regsvr32_using_one_letter_dll.nwr
boc: runs regsvr32 with http argument
Registered by: runs_regsvr32_with_http_argument.nwr
boc: runs regsvr32 without arguments
Registered by: runs_regsvr32_without_arguments.nwr
boc: runs remote execution tool
Registered by: runs_remote_execution_tool.nwr
boc: runs remote powershell command
Registered by: runs_remote_powershell_command.nwr
boc: runs robocopy.exe
Registered by: runs_robocopy.exe.nwr
boc: runs rundll32 using one letter dll
Registered by: runs_rundll32_using_one_letter_dll.nwr
boc: runs rundll32 with http argument
Registered by: runs_rundll32_with_http_argument.nwr
boc: runs rundll32 with javascript argument
Registered by: runs_rundll32_with_javascript_argument.nwr
boc: runs rundll32 without arguments
Registered by: runs_rundll32_without_arguments.nwr
boc: runs scripting engine
Registered by: runs_scripting_engine.nwr
boc: runs scripting engine in batch mode using execution engine argument
Registered by: runs_scripting_engine_in_batch_mode_using_execution_engine_argument.nwr
boc: runs service control tool
Registered by: runs_service_control_tool.nwr
boc: runs shim database installer
Registered by: runs_shim_database_installer.nwr
boc: runs tasks management tool
Registered by: runs_tasks_management_tool.nwr
boc: runs waitfor.exe
Registered by: runs_waitfor.exe.nwr
boc: runs wmi command-line tool
Registered by: runs_wmi_command-line_tool.nwr
boc: runs wmi scripting engine
Registered by: runs_wmi_scripting_engine.nwr
boc: runs xcopy.exe
Registered by: runs_xcopy.exe.nwr
boc: scripting engine injects remote process
Registered by: scripting_engine_injects_remote_process.nwr
boc: scripting engine runs powershell
Registered by: scripting_engine_runs_powershell.nwr
boc: scripting engine runs regsvr32
Registered by: scripting_engine_runs_regsvr32.nwr
boc: scripting engine runs rundll32
Registered by: scripting_engine_runs_rundll32.nwr
boc: self signed
Registered by: self_signed.nwr
boc: services runs command shell
Registered by: services_runs_command_shell.nwr
boc: set remote registry key
Registered by: DCERPC,SMB_lua
boc: shut down remote system
Registered by: DCERPC,SMB_lua
boc: start remote service
Registered by: DCERPC,SMB_lua
boc: starts local service
Registered by: starts_local_service.nwr
boc: starts rdp service
Registered by: starts_rdp_service.nwr
boc: starts remote service
Registered by: starts_remote_service.nwr
boc: stops error reporting service
Registered by: stops_error_reporting_service.nwr
boc: stops security service
Registered by: stops_security_service.nwr
boc: stops windows update service
Registered by: stops_windows_update_service.nwr
boc: suspicious tcp beaconing
Registered by: session_analysis
boc: system integrity protection disabled
Registered by: system_integrity_protection_disabled.nwr
boc: terminates process
Registered by: terminates_process.nwr
boc: unexpected csrss.exe parent
Registered by: unexpected_csrss.exe_parent.nwr
boc: unexpected explorer.exe parent
Registered by: unexpected_explorer.exe_parent.nwr
boc: unexpected lsass.exe parent
Registered by: unexpected_lsass.exe_parent.nwr
boc: unexpected lsm.exe parent
Registered by: unexpected_lsm.exe_parent.nwr
boc: unexpected msdtc.exe parent
Registered by: unexpected_msdtc.exe_parent.nwr
boc: unexpected runtimebroker.exe parent
Registered by: unexpected_runtimebroker.exe_parent.nwr
boc: unexpected services.exe parent
Registered by: unexpected_services.exe_parent.nwr
boc: unexpected smss.exe parent
Registered by: unexpected_smss.exe_parent.nwr
boc: unexpected svchost arguments
Registered by: unexpected_svchost_arguments.nwr
boc: unexpected svchost.exe parent
Registered by: unexpected_svchost.exe_parent.nwr
boc: unexpected taskhostw.exe parent
Registered by: unexpected_taskhostw.exe_parent.nwr
boc: unexpected wininit.exe parent
Registered by: unexpected_wininit.exe_parent.nwr
boc: unexpected winlogon.exe parent
Registered by: unexpected_winlogon.exe_parent.nwr
boc: unknown segment
Registered by: unknown_segment.nwr
boc: unsigned copies self
Registered by: unsigned_copies_self.nwr
boc: unsigned creates remote thread
Registered by: unsigned_creates_remote_thread.nwr
boc: unsigned creates remote thread and file hidden
Registered by: unsigned_creates_remote_thread_and_file_hidden.nwr
boc: unsigned cron job
Registered by: unsigned_cron_job.nwr
boc: unsigned deletes self
Registered by: unsigned_deletes_self.nwr
boc: unsigned kext
Registered by: unsigned_kext.nwr
boc: unsigned module in signed process
Registered by: unsigned_module_in_signed_process.nwr
boc: unsigned opens lsass
Registered by: unsigned_opens_lsass.nwr
boc: unsigned runs python
Registered by: unsigned_runs_python.nwr
boc: unsigned writes executable
Registered by: unsigned_writes_executable.nwr
boc: unsigned writes executable to appdatalocal directory
Registered by: unsigned_writes_executable_to_appdatalocal_directory.nwr
boc: unsigned writes executable to appdataroaming directory
Registered by: unsigned_writes_executable_to_appdataroaming_directory.nwr
boc: unsigned writes executable to library application support directory
Registered by: unsigned_writes_executable_to_library_application_support_directory.nwr
boc: unsigned writes executable to library directory
Registered by: unsigned_writes_executable_to_library_directory.nwr
boc: unsigned writes executable to library preferences directory
Registered by: unsigned_writes_executable_to_library_preferences_directory.nwr
boc: unsigned writes executable to scripting additions directory
Registered by: unsigned_writes_executable_to_scripting_additions_directory.nwr
boc: unsigned writes executable to system directory
Registered by: unsigned_writes_executable_to_system_directory.nwr
boc: unsigned writes executable to var directory
Registered by: unsigned_writes_executable_to_var_directory.nwr
boc: unsigned writes executable to windows directory
Registered by: unsigned_writes_executable_to_windows_directory.nwr
boc: unsigned writes to autorun
Registered by: unsigned_writes_to_autorun.nwr
boc: uses mach injection
Registered by: uses_mach_injection.nwr
boc: uses mach override
Registered by: uses_mach_override.nwr
boc: windows task runs powershell
Registered by: windows_task_runs_powershell.nwr
boc: wmi level 1 login
Registered by: SMB_lua
boc: wmic remote node activity
Registered by: wmic_remote_node_activity.nwr
boc: wmiprvse runs command shell
Registered by: wmiprvse_runs_command_shell.nwr
boc: wmiprvse runs powershell
Registered by: wmiprvse_runs_powershell.nwr
boc: wmiprvse runs scripting engine
Registered by: wmiprvse_runs_scripting_engine.nwr
boc: writes executable to recycle bin directory
Registered by: writes_executable_to_recycle_bin_directory.nwr
boc: writes executable to root of logical drive
Registered by: writes_executable_to_root_of_logical_drive.nwr
boc: writes executable to root of program directory
Registered by: writes_executable_to_root_of_program_directory.nwr
boc: writes executable to root of users directory
Registered by: writes_executable_to_root_of_users_directory.nwr
boc: writes executable to system volume information directory
Registered by: writes_executable_to_system_volume_information_directory.nwr
eoc: SMB v1 Request
Registered by: SMB_lua
Description: client issued an SMB version 1 request
Reason: SMB version 1 is a legacy dialect with a history of critical vulnerabilities and should be disabled; a client still speaking it points to an unpatched or misconfigured host, or to a deliberate protocol downgrade.
eoc: SMB v1 Response
Registered by: SMB_lua
Description: server issued an SMB version 1 response
Reason: SMB version 1 is a legacy dialect with a history of critical vulnerabilities and should be disabled; a server still answering it has not been hardened and is exposed to well-known exploits.
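The two SMB v1 entries above hinge on one wire-level check: the first four bytes of the SMB header name the dialect (0xFF 'SMB' for version 1, 0xFE 'SMB' for SMB2/3), and a flag bit in the header says whether the message is a request or a response. The following is an added example, not the SMB_lua parser or any NetWitness code; it classifies a message from that header and the sample messages it carries are constructed by hand (the helper names are mine).

```python
"""Classify an SMB message by dialect and direction from its wire header.

Added example for illustration only; it is not the SMB_lua parser and does not
claim to reproduce NetWitness logic. The sample messages are constructed by hand.
"""
import struct

SMB1_MAGIC = b"\xffSMB"       # SMB 1.x (CIFS) header
SMB2_MAGIC = b"\xfeSMB"       # SMB 2.x / 3.x header
SMB3_XFRM_MAGIC = b"\xfdSMB"  # SMB 3.x transform header (encrypted payload)
SMB3_COMP_MAGIC = b"\xfcSMB"  # SMB 3.1.1 compression transform header

SMB1_FLAGS_REPLY = 0x80            # SMB_Header.Flags: set on responses
SMB2_FLAGS_SERVER_TO_REDIR = 0x01  # SMB2 Header.Flags: set on responses


def strip_netbios(data: bytes) -> bytes:
    """Drop a NetBIOS Session Service header (type 0x00 + 24-bit length) if present."""
    if len(data) >= 4 and data[0] == 0x00:
        length = int.from_bytes(data[1:4], "big")
        return data[4:4 + length]
    return data


def classify_smb(data: bytes):
    """Return {'version', 'command', 'direction'} for an SMB message, or None if it is not SMB."""
    msg = strip_netbios(data)
    if len(msg) < 32:                 # SMB1 header is 32 bytes, SMB2 header is 64
        return None
    magic = msg[:4]
    if magic == SMB1_MAGIC:
        command = msg[4]              # SMB_COM_* code, one byte
        flags = msg[9]                # Flags byte follows the 4-byte Status field
        direction = "response" if flags & SMB1_FLAGS_REPLY else "request"
        return {"version": 1, "command": command, "direction": direction}
    if magic == SMB2_MAGIC:
        if len(msg) < 64:
            return None
        command = struct.unpack_from("<H", msg, 12)[0]
        flags = struct.unpack_from("<I", msg, 16)[0]
        direction = "response" if flags & SMB2_FLAGS_SERVER_TO_REDIR else "request"
        return {"version": 2, "command": command, "direction": direction}
    if magic in (SMB3_XFRM_MAGIC, SMB3_COMP_MAGIC):
        # Encrypted or compressed SMB3 payload: dialect is known, inner command is not visible here
        return {"version": 3, "command": None, "direction": "unknown"}
    return None


def is_smb_v1(data: bytes) -> bool:
    info = classify_smb(data)
    return info is not None and info["version"] == 1


def _netbios(payload: bytes) -> bytes:
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


def _smb1_negotiate(flags: int) -> bytes:
    """Constructed SMB1 NEGOTIATE (command 0x72) carrying a single dialect string."""
    header = (SMB1_MAGIC + b"\x72" + b"\x00\x00\x00\x00" + bytes([flags]) + b"\x53\xc8"
              + b"\x00\x00" + bytes(8) + b"\x00\x00" + bytes(8))  # PIDHigh, SecurityFeatures, Reserved, TID/PID/UID/MID
    dialects = b"\x02NT LM 0.12\x00"
    body = b"\x00" + struct.pack("<H", len(dialects)) + dialects  # WordCount, ByteCount, data
    return _netbios(header + body)


def _smb2_negotiate(flags: int) -> bytes:
    """Constructed SMB2 NEGOTIATE (command 0x0000) header with an empty body."""
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, 0, 1, flags, 0, 1, 0, 0, 0) + bytes(16)
    return _netbios(header)


# Constructed samples: an SMB1 request/response pair, an SMB2 pair, and a non-SMB payload
SAMPLE_SMB1_REQUEST = _smb1_negotiate(0x18)
SAMPLE_SMB1_RESPONSE = _smb1_negotiate(0x18 | SMB1_FLAGS_REPLY)
SAMPLE_SMB2_REQUEST = _smb2_negotiate(0)
SAMPLE_SMB2_RESPONSE = _smb2_negotiate(SMB2_FLAGS_SERVER_TO_REDIR)
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for name, sample in [("smb1 req", SAMPLE_SMB1_REQUEST), ("smb1 rsp", SAMPLE_SMB1_RESPONSE),
                         ("smb2 req", SAMPLE_SMB2_REQUEST), ("smb2 rsp", SAMPLE_SMB2_RESPONSE),
                         ("http", SAMPLE_HTTP)]:
        print(name, classify_smb(sample))
```

A message that classifies as version 1 is what the SMB v1 Request / SMB v1 Response keys describe; note that on port 445 the NetBIOS session header is still present as a 4-byte length prefix, which is why it is stripped first.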
eoc: SSL server suspicious ciphersuite
Registered by: TLS_lua
Description: Server agreed to use RSA_WITH_RC4_128_MD5, RSA_WITH_RC4_128_SHA, or RSA_WITH_3DES_EDE_CBC_SHA.
Reason: Weak algorithms commonly offered by malware SSL clients, and which should be disabled for a well-configured, trustworthy SSL server.
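The key above fires on the server's choice, not on what the client offered: the negotiated suite is the two-byte cipher_suite field in the ServerHello. The following is an added example, not the TLS_lua parser or NetWitness code; it pulls that field out of a ServerHello record and matches it against the three suites named above (IANA code points 0x0004, 0x0005 and 0x000A). The build_server_hello() helper is mine and only exists to construct test records.

```python
"""Extract the cipher suite a TLS server chose and flag the weak ones.

Added example, not part of NetWitness or the TLS_lua parser. It parses a single
ServerHello record; the sample records are built by build_server_hello().
"""
import struct

# IANA code points for the three suites the meta key describes
SUSPICIOUS_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

CONTENT_TYPE_HANDSHAKE = 0x16
HANDSHAKE_SERVER_HELLO = 0x02


def negotiated_cipher_suite(record: bytes):
    """Return the cipher suite code point from a ServerHello record, or None."""
    if len(record) < 5 or record[0] != CONTENT_TYPE_HANDSHAKE:
        return None
    rec_len = struct.unpack_from(">H", record, 3)[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != HANDSHAKE_SERVER_HELLO:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    # ServerHello: version(2) random(32) session_id<0..32> cipher_suite(2) compression(1) ...
    if len(hs) < 35:
        return None
    sid_len = hs[34]
    off = 35 + sid_len
    if len(hs) < off + 2:
        return None
    return struct.unpack_from(">H", hs, off)[0]


def suspicious_server_suite(record: bytes):
    """Name of the weak suite the server agreed to, or None if its choice is not on the list."""
    suite = negotiated_cipher_suite(record)
    return None if suite is None else SUSPICIOUS_SUITES.get(suite)


def build_server_hello(suite: int, session_id: bytes = b"") -> bytes:
    """Constructed minimal TLS 1.2 ServerHello record (no extensions) for testing."""
    hs_body = (b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
               + struct.pack(">H", suite) + b"\x00")
    handshake = bytes([HANDSHAKE_SERVER_HELLO]) + len(hs_body).to_bytes(3, "big") + hs_body
    return bytes([CONTENT_TYPE_HANDSHAKE, 0x03, 0x03]) + struct.pack(">H", len(handshake)) + handshake


if __name__ == "__main__":
    for suite in (0x0004, 0x000A, 0xC02F):
        rec = build_server_hello(suite, session_id=bytes(32))
        print(hex(suite), suspicious_server_suite(rec))
```

The parser reads only the first handshake message in the record, which is where a ServerHello sits; a well-configured server should never return one of these suites, so a hit is worth checking regardless of what the client asked for.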
eoc: antivirus disabled
Registered by: antivirus_disabled.nwr
eoc: bad certificate warning disabled
Registered by: bad_certificate_warning_disabled.nwr
eoc: command line writes script files
Registered by: command_line_writes_script_files.nwr
eoc: dyld inserted
Registered by: dyld_inserted.nwr
eoc: employer identification number
Registered by: ein_detection_lua
eoc: file vault disabled
Registered by: file_vault_disabled.nwr
eoc: gatekeeper disabled
Registered by: gatekeeper_disabled.nwr
eoc: html form external submission
Registered by: HTML_threat
eoc: html hidden div
Registered by: HTML_threat
eoc: html hidden post
Registered by: HTML_threat
eoc: html hidden span
Registered by: HTML_threat
eoc: html iframe external reference
Registered by: HTML_threat
eoc: ie dep disabled
Registered by: ie_dep_disabled.nwr
eoc: ie enhanced security disabled
Registered by: ie_enhanced_security_disabled.nwr
eoc: kext signature validation disabled
Registered by: kext_signature_validation_disabled.nwr
eoc: login bypass configured
Registered by: login_bypass_configured.nwr
eoc: lua disabled
Registered by: lua_disabled.nwr
eoc: mac firewall disabled
Registered by: mac_firewall_disabled.nwr
eoc: no antivirus notification disabled
Registered by: no_antivirus_notification_disabled.nwr
eoc: no firewall notification disabled
Registered by: no_firewall_notification_disabled.nwr
eoc: no uac notification disabled
Registered by: no_uac_notification_disabled.nwr
eoc: no windows update notification disabled
Registered by: no_windows_update_notification_disabled.nwr
eoc: openssl vulnerable to heartbleed
Registered by: TLS_lua
eoc: registry tools disabled
Registered by: registry_tools_disabled.nwr
eoc: rpm ownership changed
Registered by: rpm_ownership_changed.nwr
eoc: rpm permissions changed
Registered by: rpm_permissions_changed.nwr
eoc: safari fraud website warning disabled
Registered by: safari_fraud_website_warning_disabled.nwr
eoc: scripting addition in process
Registered by: scripting_addition_in_process.nwr
eoc: smartscreen filter disabled
Registered by: smartscreen_filter_disabled.nwr
eoc: sudo no password prompt
Registered by: sudo_no_password_prompt.nwr
eoc: system restore disabled
Registered by: system_restore_disabled.nwr
eoc: task manager disabled
Registered by: task_manager_disabled.nwr
eoc: uac disabled
Registered by: uac_disabled.nwr
eoc: warning on post redirect disabled
Registered by: warning_on_post_redirect_disabled.nwr
eoc: windows firewall disabled
Registered by: windows_firewall_disabled.nwr
eoc: windows update disabled
Registered by: windows_update_disabled.nwr
ioc: Crimeware Black Hole Exploit Kit
Registered by: HTTP_lua
ioc: Crimeware Zeus
Registered by: HTTP_lua
ioc: Crimeware Zeus Knownbad
Registered by: HTTP_lua
ioc: CustomTCP shell
Registered by: CustomTCP
ioc: Elderwood XMailer Artifact
Registered by: MAIL_lua
Description: Email client seen involved with the Elderwood campaign.
Reason: Indicates that an email is likely a phishing attempt.
ioc: Known Bad File Name
Registered by: HTTP_lua
ioc: Known Bad UA CertUtil
Registered by: HTTP_lua
ioc: Known Bad UA CredentialLeak
Registered by: HTTP_lua
ioc: Known Bad UA IE6Beta
Registered by: HTTP_lua
ioc: Known Bad UA UPSPhishing
Registered by: HTTP_lua
ioc: Possible Poison Ivy
Registered by: session_analysis
ioc: SMBGhost exploit attempt
Registered by: SMB_lua
Description: attempt to exploit CVE-2020-0796
Reason: unauthenticated remote code execution in SMBv3 compression; public exploits frequently crash the target, so a denial of service is the most visible outcome
ioc: Trojan/Napolor
Registered by: HTTP_lua
ioc: Xtreme RAT
Registered by: HTTP_lua
ioc: activates bits job
Registered by: activates_bits_job.nwr
ioc: adds files to bits download job
Registered by: adds_files_to_bits_download_job.nwr
ioc: apache struts CVE-2017-12611 attempt
Registered by: HTTP_lua
ioc: apache struts CVE-2017-9805 attempt
Registered by: struts_exploit
ioc: apache struts exploit attempt
Registered by: HTTP_lua
ioc: apt ActiveMonk UA
Registered by: HTTP_lua
ioc: apt Deep Panda C2
Registered by: HTTP_lua
ioc: apt Foxy RAT
Registered by: HTTP_lua
ioc: apt Lurid RAT
Registered by: HTTP_lua
ioc: apt MSU RAT
Registered by: MSU_rat
ioc: apt MiniASP
Registered by: HTTP_lua
ioc: apt NFlog Rat
Registered by: HTTP_lua
ioc: apt NetTraveler RAT
Registered by: HTTP_lua
ioc: apt PNG Rat
Registered by: HTTP_lua
ioc: apt PhotoASP RAT
Registered by: HTTP_lua
ioc: apt PlugX
Registered by: plugx
ioc: apt PlugX possible
Registered by: plugx
ioc: apt Sykipot Rat
Registered by: HTTP_lua
ioc: apt WebC2 CS
Registered by: HTTP_lua
ioc: apt ZipToken UA Post
Registered by: HTTP_lua
ioc: apt possible invokemimikatz
Registered by: apt_artifacts
ioc: apt possible prefetch deletion
Registered by: apt_artifacts
ioc: apt possible registry deletion
Registered by: apt_artifacts
ioc: apt possible wmic cleareventlog
Registered by: apt_artifacts
ioc: autorun key contains non-printable characters
Registered by: autorun_key_contains_non-printable_characters.nwr
ioc: cerber beacon
Registered by: cerber
ioc: china chopper
Registered by: china_chopper
ioc: chm contains exe
Registered by: fingerprint_chm_lua
ioc: command shell runs rundll32
Registered by: command_shell_runs_rundll32.nwr
ioc: completes bits download job
Registered by: completes_bits_download_job.nwr
ioc: configures image hijacking
Registered by: configures_image_hijacking.nwr
ioc: derusbi server handshake
Registered by: Derusbi_Server_Handshake
ioc: dns exfiltration site
Registered by: DynDNS
ioc: dns with executable
Registered by: DNS_verbose_lua
Description: A DNS session contains an executable filetype.
Reason: DNS sessions should not contain files. Possible malware delivery.
ioc: dns with file
Registered by: DNS_verbose_lua
Description: A DNS session contains a file.
Reason: DNS sessions should not contain files. Possible covert communications.
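The two DNS keys above come down to looking at the data carried in the records of a DNS session rather than at the names being resolved. The following is an added example, not the DNS_verbose_lua parser or NetWitness code: it walks a DNS response, concatenates the TXT record payloads and checks the result against a handful of file signatures, returning the stronger "executable" verdict when the data starts with a PE or ELF header. The build_txt_response() helper and the file magic table are mine, and the sample messages are constructed.

```python
"""Detect file content carried in DNS TXT records.

Added example, not the DNS_verbose_lua parser. The signatures checked are a
small illustrative set, and the messages used below are constructed.
"""
import struct

FILE_MAGICS = [  # (magic, kind, is_executable)
    (b"MZ", "PE/DOS executable", True),
    (b"\x7fELF", "ELF executable", True),
    (b"PK\x03\x04", "zip archive", False),
    (b"%PDF", "PDF document", False),
]
TYPE_TXT = 16


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a DNS name, handling compression pointers."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def txt_payload(msg: bytes) -> bytes:
    """Concatenate the character-strings of every TXT record in a DNS message."""
    qdcount, ancount, nscount, arcount = struct.unpack_from(">HHHH", msg, 4)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4            # QTYPE + QCLASS
    out = b""
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_TXT:
            i = 0
            while i < len(rdata):                  # <len><chars> repeated
                n = rdata[i]
                out += rdata[i + 1:i + 1 + n]
                i += 1 + n
    return out


def dns_file_indicator(msg: bytes):
    """Return 'dns with executable', 'dns with file', or None for a DNS message."""
    data = txt_payload(msg)
    for magic, _kind, is_exe in FILE_MAGICS:
        if data.startswith(magic):
            return "dns with executable" if is_exe else "dns with file"
    return None


def build_txt_response(name: str, chunks) -> bytes:
    """Constructed DNS response with one TXT answer made of the given character-strings."""
    labels = [l for l in name.strip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack(">HH", TYPE_TXT, 1)
    rdata = b"".join(bytes([len(c)]) + c for c in chunks)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", TYPE_TXT, 1, 300, len(rdata)) + rdata
    return header + question + answer


# Constructed samples: a PE-like blob split across TXT strings, and an ordinary SPF record
PE_LIKE = b"MZ\x90\x00" + bytes(60) + b"This program cannot be run in DOS mode"
SAMPLE_DROP = build_txt_response("drop.example", [PE_LIKE[:100], PE_LIKE[100:]])
SAMPLE_SPF = build_txt_response("example.test", [b"v=spf1 include:_spf.example.test -all"])

if __name__ == "__main__":
    print(dns_file_indicator(SAMPLE_DROP), dns_file_indicator(SAMPLE_SPF))
```

A real delivery is usually chunked across many responses and may be base64- or hex-encoded, so in practice the check runs over the reassembled session payload rather than one message; the per-message logic above is the building block.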
ioc: dr watson crash report
Registered by: dr_watson_lua
ioc: drops credential dumping tools
Registered by: drops_credential_dumping_tools.nwr
ioc: electricfish authentication
Registered by: electricfish
Description: Possible Electricfish tunnelling protocol session initiation.
Reason: Electricfish is a custom tunnelling tool used to relay traffic between two endpoints; its session handshake indicates a likely covert channel into the network.
ioc: emissary malware
Registered by: HTTP_lua
ioc: enables login bypass
Registered by: enables_login_bypass.nwr
ioc: exploit lnk file
Registered by: fingerprint_lnk_lua
ioc: ghost protocol
Registered by: ghost
ioc: heartbleed data leak
Registered by: TLS_lua
ioc: hex encoded executable
Registered by: xor_executable_lua
ioc: homograph detected
Registered by: IDN_homograph
ioc: http tunnel rat
Registered by: HTTP_lua
ioc: java exe
Registered by: HTTP_lua
ioc: java pdf
Registered by: HTTP_lua
ioc: lsass access
Registered by: lsass_access.nwr
ioc: lsass minidump
Registered by: fingerprint_minidump
Description: contents of lsass memory in minidump format
Reason: credential extraction
ioc: malicious file by reputation service
Registered by: malicious_file_by_reputation_service.nwr
ioc: malware sinkhole
Registered by: HTTP_lua
ioc: monero mining
Registered by: JSON-RPC
ioc: mshta writes executable
Registered by: mshta_writes_executable.nwr
ioc: named pipe into lsass
Registered by: named_pipe_into_lsass.nwr
ioc: pass the hash
Registered by: pass_the_hash.nwr
ioc: pdf creates and launches vbs
Registered by: fingerprint_pdf_lua
ioc: pdf launches exe
Registered by: fingerprint_pdf_lua
ioc: pdf with javascript
Registered by: fingerprint_pdf_lua
ioc: pdf with javascript hidden in xfa
Registered by: fingerprint_pdf_lua
ioc: possible CVE-2019-0708 exploit attempt
Registered by: RDP_lua
Description: session matches signature pattern of RDP vulnerability CVE-2019-0708
Reason: attempt to exploit RDP vulnerability CVE-2019-0708
ioc: possible CVE-2020-0601 curveball attempt
Registered by: fingerprint_certificate
ioc: possible base64 windows shell
Registered by: windows_command_shell_lua
ioc: possible evilgrab traffic
Registered by: Evilgrab
ioc: possible login bypass
Registered by: possible_login_bypass.nwr
ioc: possible malware user-agent
Registered by: HTTP_lua
ioc: possible mimikatz activity
Registered by: possible_mimikatz_activity.nwr
ioc: possible poison ivy beacon
Registered by: Poison_Ivy
ioc: possible poison ivy handshake
Registered by: Poison_Ivy
ioc: possible rdp session hijacking
Registered by: possible_rdp_session_hijacking.nwr
ioc: possible redkit
Registered by: HTTP_lua
ioc: possible sql injection
Registered by: HTTP_SQL_Injection
Description: HTTP request parameters contain several SQL-like words or strings.
Reason: Indicative of possible SQL injection.
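The entry above describes a keyword heuristic: several SQL-like fragments in one request's parameters. The following is an added example, not the HTTP_SQL_Injection parser or NetWitness code; it percent-decodes the query string, scores each parameter value against weighted patterns and fires above a threshold, so that a lone apostrophe or the word "select" in prose does not trigger it. The patterns, weights, threshold and sample request lines are my own choices, not the page's.

```python
"""Score HTTP request parameters for SQL-injection-like content.

Added example, not NetWitness's HTTP_SQL_Injection parser. The patterns,
weights and threshold are illustrative choices; the request lines are constructed.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# (label, pattern, weight): higher weight for fragments that rarely occur in benign input
SQL_PATTERNS = [
    ("union_select", r"\bunion\b(\s+all)?.{0,40}\bselect\b", 3),
    ("select_from", r"\bselect\b.{0,80}\bfrom\b", 2),
    ("tautology", r"\b(or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+['\"]?", 3),
    ("stacked_query", r";\s*(drop|insert|update|delete|exec|shutdown)\b", 3),
    ("time_based", r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", 3),
    ("schema_probe", r"\binformation_schema\b|\bsysobjects\b|\bxp_cmdshell\b", 3),
    ("sql_comment", r"--|/\*", 1),
    ("quote", r"'", 1),
]
THRESHOLD = 4  # tune against your own traffic; a lone quote or comment must not fire


def score_query(query: str):
    """Return (score, findings) for a raw query string; findings are (param, label, weight)."""
    findings = []
    for name, value in parse_qsl(query, keep_blank_values=True):  # splits and percent-decodes
        text = value.lower()
        for label, pattern, weight in SQL_PATTERNS:
            if re.search(pattern, text):
                findings.append((name, label, weight))
    return sum(w for _, _, w in findings), findings


def score_request_line(request_line: str):
    """Score the query string of an HTTP request line such as 'GET /x?id=1 HTTP/1.1'."""
    _method, target, _version = request_line.split(" ", 2)
    return score_query(urlsplit(target).query)


def is_possible_sqli(request_line: str) -> bool:
    return score_request_line(request_line)[0] >= THRESHOLD


SAMPLE_REQUESTS = [  # constructed: two injection attempts, two benign lookalikes
    "GET /items?id=1%27%20OR%20%271%27=%271 HTTP/1.1",
    "GET /items?id=1%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1",
    "GET /search?q=rock+and+roll HTTP/1.1",
    "GET /blog?title=it%27s+a+select+committee HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        score, findings = score_request_line(line)
        print(score, is_possible_sqli(line), [f[1] for f in findings], line)
```

Only the first decoding layer is handled here; double-encoded payloads (%2527), POST bodies and JSON parameters need the same scoring applied after their own decoding, which is where most real evasion of this kind of heuristic happens.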
ioc: possible successful burpsuite scan
Registered by: DynDNS
ioc: possible zeroaccess p2p botnet
Registered by: session_analysis
ioc: potential PGV_PVID malware activity
Registered by: pvid
ioc: potential binary from duqu group
Registered by: duqu_lua
ioc: psexec remote execution
Registered by: SMB_lua
ioc: rekaf beacon
Registered by: rekaf
ioc: remote scheduled task
Registered by: DCERPC
ioc: remote service control
Registered by: DCERPC
ioc: remote thread into lsass
Registered by: remote_thread_into_lsass.nwr
ioc: runs malicious file by reputation service
Registered by: runs_malicious_file_by_reputation_service.nwr
ioc: runs powershell invoke-mimikatz function
Registered by: runs_powershell_invoke-mimikatz_function.nwr
ioc: runs suspicious file by reputation service
Registered by: runs_suspicious_file_by_reputation_service.nwr
ioc: securid cloud add admin
Registered by: securid_cloud_add_admin.nwr
ioc: securid cloud api keys added
Registered by: securid_cloud_api_keys_added.nwr
ioc: securid cloud api keys deleted
Registered by: securid_cloud_api_keys_deleted.nwr
ioc: securid cloud approve auth failure
Registered by: securid_cloud_approve_auth_failure.nwr
ioc: securid cloud approve auth success
Registered by: securid_cloud_approve_auth_success.nwr
ioc: securid cloud audit log config changed
Registered by: securid_cloud_audit_log_config_changed.nwr
ioc: securid cloud auth failure
Registered by: securid_cloud_auth_failure.nwr
ioc: securid cloud auth success
Registered by: securid_cloud_auth_success.nwr
ioc: securid cloud delete admin
Registered by: securid_cloud_delete_admin.nwr
ioc: securid cloud device register failure
Registered by: securid_cloud_device_register_failure.nwr
ioc: securid cloud device register success
Registered by: securid_cloud_device_register_success.nwr
ioc: securid cloud fido auth failure
Registered by: securid_cloud_fido_auth_failure.nwr
ioc: securid cloud fido auth success
Registered by: securid_cloud_fido_auth_success.nwr
ioc: securid cloud idr deleted
Registered by: securid_cloud_idr_deleted.nwr
ioc: securid cloud ldap auth failure
Registered by: securid_cloud_ldap_auth_failure.nwr
ioc: securid cloud ldap auth success
Registered by: securid_cloud_ldap_auth_success.nwr
ioc: securid cloud trusted location modified
Registered by: securid_cloud_trusted_location_modified.nwr
ioc: securid cloud user disabled
Registered by: securid_cloud_user_disabled.nwr
ioc: securid cloud user enabled
Registered by: securid_cloud_user_enabled.nwr
ioc: sekur handshake
Registered by: sekur
ioc: spora ransomware
Registered by: fingerprint_zip
ioc: supercmd trojan beacon
Registered by: supercmd
ioc: suspicious file by reputation service
Registered by: suspicious_file_by_reputation_service.nwr
ioc: transfers file using bits
Registered by: transfers_file_using_bits.nwr
ioc: unsigned reserved name
Registered by: unsigned_reserved_name.nwr
ioc: wmi command
Registered by: DCERPC
ioc: wmi level 1 login
Registered by: DCERPC
ioc: wmi remote query
Registered by: DCERPC
ioc: writes malicious file by reputation service
Registered by: writes_malicious_file_by_reputation_service.nwr
ioc: writes suspicious file by reputation service
Registered by: writes_suspicious_file_by_reputation_service.nwr
ioc: xor encoded executable
Registered by: xor_executable_lua
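Both the "hex encoded executable" and "xor encoded executable" keys are registered by the same parser, and the usual way to catch either is the same: an attacker who XORs a PE with a single byte, or emits it as a hex string, leaves the DOS stub text ("This program cannot be run in DOS mode") intact under the transformation, and that 38-byte string is long enough to recover the key by brute force. The following is an added example, not the xor_executable_lua parser or NetWitness code; it searches for the stub under every single-byte key, walks back to the transformed "MZ" header, and repeats the check inside long hexadecimal runs. The sample image is a constructed stand-in, not a real PE file, and the function and sample names are mine.

```python
"""Find executables hidden by single-byte XOR or hex encoding.

Added example, not NetWitness's xor_executable_lua parser. It searches for the
DOS stub string under every single-byte key and then locates the 'MZ' header in
front of it; the sample image below is constructed and is not a real PE file.
"""
import re

DOS_STUB = b"This program cannot be run in DOS mode"
MZ = b"MZ"


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_pe(data: bytes, max_key: int = 0xFF):
    """Return (key, offset_of_MZ) for the first single-byte-XOR'd PE image found, else None.

    key 0 means the image is in the clear. The 38-byte stub makes chance matches negligible.
    """
    for key in range(max_key + 1):
        stub_idx = data.find(xor_bytes(DOS_STUB, key))
        if stub_idx == -1:
            continue
        # The stub lives in the DOS header/program, within the first 0x100 bytes of the image
        mz_idx = data.rfind(xor_bytes(MZ, key), max(0, stub_idx - 0x100), stub_idx)
        if mz_idx != -1:
            return key, mz_idx
    return None


HEX_RUN = re.compile(rb"[0-9A-Fa-f]{200,}")  # long enough to hold a DOS header plus stub


def classify_payload(data: bytes):
    """Label the payload as plain, xor-encoded or hex-encoded executable (with offset), or None."""
    hit = find_pe(data)
    if hit:
        key, off = hit
        label = "executable" if key == 0 else f"xor encoded executable (key 0x{key:02x})"
        return label, off
    for m in HEX_RUN.finditer(data):
        run = m.group(0)
        if len(run) % 2:
            run = run[:-1]
        inner = find_pe(bytes.fromhex(run.decode("ascii")))
        if inner:
            key, _ = inner
            label = "hex encoded executable" + ("" if key == 0 else f" (xor key 0x{key:02x})")
            return label, m.start()
    return None


# Constructed stand-in for a PE image: DOS header magic, padding, DOS stub code and message
SAMPLE_PE = (MZ + b"\x90\x00" + bytes(0x3A)
             + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
             + DOS_STUB + b".\r\r\n$" + bytes(16))
SAMPLE_XORED = b"HTTP/1.1 200 OK\r\n\r\n" + xor_bytes(SAMPLE_PE, 0x37)   # XOR key 0x37
SAMPLE_HEXED = b"var p = '" + SAMPLE_PE.hex().encode("ascii") + b"';"   # hex inside script text

if __name__ == "__main__":
    for name, sample in [("plain", SAMPLE_PE), ("xored", SAMPLE_XORED), ("hexed", SAMPLE_HEXED)]:
        print(name, classify_payload(sample))
```

Multi-byte or rolling XOR keys defeat the single-byte search; extending it to a known-plaintext attack against the stub with a longer key, or to byte-frequency analysis, is the next step, and samples whose DOS stub has been stripped or rewritten need a check on the PE signature and section table instead.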
ioc: zegost
Registered by: ghost