RSA Application Rules

The following table lists all of the delivered RSA Application Rules.

For syntax and examples for application rules, see Application Rules Cheat Sheet.

Note: For content that has been discontinued, see Discontinued Content.

If you want to view only Endpoint application rules, click here: RSA Application Rules for Endpoint.

Display Name File Name Description Medium Tag
Accesses Administrative Share Using Command Shell accesses_administrative_share_using_command_shell Accessing administrative share using command shell can be an indicator of someone trying for lateral movement or privilege escalation by using hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. This rule is supported for Windows 8 and higher versions.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = accesses administrative share using command shell
endpoint "lateral movement":"windows admin shares"
Activates BITS Job activates_bits_job Background Intelligent Transfer Service (BITS) is a Windows component used to transfer files. It has commonly been used for malware distribution.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = activates bits job
endpoint "lateral movement":"remote file copy"
Adds Files To BITS Download Job adds_files_to_bits_download_job Background Intelligent Transfer Service (BITS) is a Windows component used to transfer files. It has commonly been used for malware distribution.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = adds files to bits download job
endpoint "lateral movement":"remote file copy"
Adds Firewall Rule adds_firewall_rule Adding firewall rule can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = adds firewall rule
endpoint "defense evasion":"disabling security tools"
Allocates Remote Memory allocates_remote_memory In Mac, a process not signed by Apple has allocated memory in another process. Most allocations will only occur within the same process and by processes signed by Apple. This generally indicates an attempt to inject code or data into another process, which may be a first step in reinforcing a malicious presence on a system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = allocates remote memory
endpoint "defense evasion":"process injection", "privilege escalation":"process injection"
Antivirus Disabled antivirus_disabled Disabling antivirus can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = antivirus disabled
endpoint "defense evasion":"disabling security tools"
Archive Extension Mismatch nw20080 Creates meta when an archive file is detected without an archive file extension.

VERSIONS SUPPORTED
* 10.5 and higher

DEPENDENCIES
Lua Parsers:
* fingerprint_zip
* fingerprint_gzip
* fingerprint_7zip
* fingerprint_rar_lua
Feeds:
* investigation

GENERATED META KEYS
* alert.id = 'nw20080'
* analysis.session = 'archive extension mismatch'
packet "defense evasion":"masquerading"
Archive From IP Address nw20085 archive directly from an ip address with no corresponding alias.host meta. Often indicative of a second stage tool download after a foothold has been established. packet "command and control":"remote file copy"
Archiving Software Reads Multiple Documents archiving_software_reads_multiple_documents Multiple documents read could be an indication of someone creating a large archive.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = archiving software reads multiple documents
endpoint "exfiltration":"data compressed"
Attachment Overload nw00005 Rule looks for more than 4 attachments in a single session. packet "initial access":"spearphishing attachment"
Autorun autorun Indicates applications or commands that are configured to run on system startup.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun
endpoint "persistence":"registry run keys / startup folder"
Autorun Debian Package Mismatch autorun_debian_package_mismatch A hash mismatch may indicate a file has been altered from its original state and call into question its integrity. Since debian packages typically contain compiled software this could mean an attacker is trying to disguise malicious malware as legitimate.

VERSIONS SUPPORTED
* NetWitness Platform 11.5 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun debian package mismatch
endpoint "defense evasion":"masquerading"
Autorun File Path Not Part Of Debian Package autorun_file_path_not_part_of_debian_package Installation or updates of software on Linux systems is typically done through a debian package. Executables outside of this packing format could be considered suspicious.

VERSIONS SUPPORTED
* NetWitness Platform 11.5 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun file path not part of debian package
endpoint "persistence":""
Autorun File Path Not Part Of RPM autorun_file_path_not_part_of_rpm Installation or updates of software on Linux systems is typically done through an RPM. Executables outside of this packing format could be considered suspicious.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun file path not part of rpm
endpoint "persistence":""
Autorun Invalid Signature Windows Directory autorun_invalid_signature_windows_directory This rule will return any file with an invalid signature located in the following Windows directories: C:\\ProgramData, C:\\Users\\<user>\\AppData\\Roaming, C:\\Users\\<user>\\AppData\\Local, C:\\Windows

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun invalid signature windows directory
endpoint "persistence":"registry run keys / startup folder"
Autorun Key Contains Non-Printable Characters autorun_key_contains_non-printable_characters Autorun key containing non-printable characters an indication of someone trying to use startup configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = autorun key contains non-printable characters
endpoint "persistence":"registry run keys / startup folder"
Autorun RPM Mismatch autorun_rpm_mismatch A hash mismatch may indicate a file has been altered from its original state and call into question its integrity. Since RPMs typically contain compiled software this could mean an attacker is trying to disguise malicious malware as legitimate. endpoint "defense evasion":"masquerading"
Autorun Unsigned Active Setup autorun_unsigned_active_setup Active Setup is a mechanism for executing commands once per user early during login and executed by explorer.exe. To ensure persistence across reboots and log-offs attackers use active setup which is even more suspicious when it is unsigned.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun unsigned active setup
endpoint "defense evasion":"modify registry"
Autorun Unsigned AppInit_DLLs autorun_unsigned_appinit_dlls Unsigned Autorun AppInit_DLLs can be an indiaction of attacker trying to abused registry key values for DLLs to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun unsigned appinit_dlls
endpoint "persistence":"appinit dlls", "privilege escalation":"appinit dlls"
Autorun Unsigned BHO autorun_unsigned_bho BHOs can be used to monitor user browsing habits and deliver targeted advertising as well as steal information. BHOs Unsigned and configured to run on system startup are used for persistence and are suspicious.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun unsigned bho
endpoint "persistence":"browser extensions"
Autorun Unsigned BootExecute Registry Startup Method autorun_unsigned_bootexecute_registry_startup_method Unsigned Autorun BootExecute registry startup method an indication of someone trying to use startup configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun unsigned bootexecute registry startup method
endpoint "persistence":"registry run keys / startup folder"
Autorun Unsigned Explorer Registry Startup Method autorun_unsigned_explorer_registry_startup_method Unsigned Autorun explorer registry startup method an indication of someone trying to use startup configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun unsigned explorer registry startup method
endpoint "persistence":"registry run keys / startup folder"
Autorun Unsigned Hidden autorun_unsigned_hidden Adversaries can use this to their advantage to hide files and folders anywhere on the system for persistence and evasion. To ensure persistence across reboots attackers configure to run those on system startup which is even more suspicious when it is unsigned.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun unsigned hidden
endpoint "defense evasion":"hidden files and directories", "persistence":"hidden files and directories"
Autorun Unsigned Hidden Only Executable In Directory autorun_unsigned_hidden_only_executable_in_directory This rule will return any unsigned executable file launched as an autorun which has the "Hidden" Windows Property.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun unsigned hidden only executable in directory
endpoint "defense evasion":"hidden files and directories", "persistence":"hidden files and directories", "persistence":"registry run keys / startup folder"
Autorun Unsigned IE Toolbar autorun_unsigned_ie_toolbar Toolbar can be spyware or adware which can breach privacy and steal data through browsers. To ensure persistence across reboots attackers configure to run those on system startup which is even more suspicious when it is unsigned.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun unsigned ie toolbar
endpoint "persistence":"browser extensions"
Autorun Unsigned In AppDataLocal Directory autorun_unsigned_in_appdatalocal_directory This rule looks for any registry logon autoruns (HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce and \\Run keys) that have actions pointing at files running out of AppData/Local/Temp on Windows systems. These locations are used often by malware authors to store malicious payloads, with autoruns in place to ensure persistence.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun unsigned in appdatalocal directory
endpoint "persistence":"registry run keys / startup folder"
Autorun Unsigned In AppDataRoaming Directory autorun_unsigned_in_appdataroaming_directory This rule looks for any registry logon autoruns (HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce and \\Run keys) that have actions pointing at files running out of AppData/Roaming on Windows systems. These locations are used often by malware authors to store malicious payloads, with autoruns in place to ensure persistence.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun unsigned in appdataroaming directory
endpoint "persistence":"registry run keys / startup folder"
Autorun Unsigned In ProgramData Directory autorun_unsigned_in_programdata_directory This rule looks for any registry logon autoruns (HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce and \\Run keys) that have actions pointing at files running out of ProgramData directory on Windows systems. These locations are used often by malware authors to store malicious payloads, with autoruns in place to ensure persistence.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun unsigned in programdata directory
endpoint "persistence":"registry run keys / startup folder"
Autorun Unsigned In Temp Directory autorun_unsigned_in_temp_directory This rule looks for any registry logon autoruns (HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce and \\Run keys) that have actions pointing at files running out of Temp directory on Windows systems. These locations are used often by malware authors to store malicious payloads, with autoruns in place to ensure persistence.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun unsigned in temp directory
endpoint "persistence":"registry run keys / startup folder"
Autorun Unsigned LogonType Registry Startup Method autorun_unsigned_logontype_registry_startup_method Unsigned Autorun LogonType registry startup method an indication of someone trying to use startup configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun unsigned logontype registry startup method
endpoint "persistence":"registry run keys / startup folder"
Autorun Unsigned LSA Provider autorun_unsigned_lsa_provider Windows Authentication Package (AP) DLLs are loaded by the Local Security Authority (LSA) process at system start. Attackers can introduce their own APs to control logon processes and security protocols to OS. To ensure persistence across reboots attackers configure to run those on system startup which is even more suspicious when it is unsigned.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun unsigned lsa provider
endpoint "persistence":"authentication package"
Autorun Unsigned ServiceDLL autorun_unsigned_servicedll To evade defense, DLLs can be run as a service. This technique is used by attackers to hide the malware. To ensure persistence across reboots attackers configure to run those on system startup which is even more suspicious when it is unsigned.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun unsigned servicedll
endpoint "persistence":"new service", "privilege escalation":"new service"
Autorun Unsigned Winlogon Helper DLL autorun_unsigned_winlogon_helper_dll This rule is looking for instance of modifications in Winlogon registry keys that may cause Winlogon to load and execute malicious unsigned DLLs. Adversaries may take advantage of this feature to load adversarial code at startup for persistence.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = autorun unsigned winlogon helper dll
endpoint "persistence":"registry run keys / startup folder", "persistence":"winlogon helper dll"
Autorun Unsigned Winsock LSP autorun_unsigned_winsock_lsp Winsock LSP is a DLL that is loaded when a process uses Winsock API, it allows us to inject our code between the user network calls and the Winsock API, thus allowing attacker to inspect, modify, or block those network calls. To ensure persistence across reboots attackers configure to run those on system startup which is even more suspicious when it is unsigned.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = autorun unsigned winsock lsp
endpoint "defense evasion":"modify registry", "discovery":"network sniffing"
Bad Certificate Warning Disabled bad_certificate_warning_disabled Disabling bad certificate warning can be an indication of an adversary attempting to block indicators or event notifications, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = bad certificate warning disabled
endpoint "defense evasion":"indicator blocking"
Blacklisted File blacklisted_file An analyst may mark files as blacklisted within NetWitness Endpoint. If actions on an endpoint involve those blacklisted files as the source, then this rule will trigger.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = blacklisted file
endpoint "execution":""
Bozok RAT Acquisition nw90001 Detects web traffic from an internal IP address to the following URL: http://ss-rat.blogspot.com. log, packet "command and control":"remote file copy", "defense evasion":"modify registry", "credential access":"credential dumping"
Browser Runs Command Prompt browser_runs_command_prompt This will return any child processes of 'cmd.exe' that have been spawned by the the parent process of either, 'chrome.exe','iexplorer.exe','opera.exe' or 'firefox.exe'.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = browser runs command prompt
endpoint "initial access":"drive-by compromise"
Browser Runs Mshta browser_runs_mshta Mshta.exe executes Microsoft HTML Applications (HTA). Attackers can use mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. It is suspicious for a browser to run Mshta.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = browser runs mshta
endpoint "execution":"mshta", "defense evasion":"mshta"
Browser Runs Powershell browser_runs_powershell Browser running powershell can be an indication of someone trying to run web based malicious commands using browsers to compromise the system or the user, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = browser runs powershell
endpoint "execution":"powershell"
Builds Script Incrementally builds_script_incrementally Building script incrementally can be an indication of attacker trying to execute serias of commands using script, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = builds script incrementally
endpoint "execution":"user execution"
BYOD Mobile Web Agent Detected nw110125 Detects use of a web browsing agent for a mobile device. The following is the list of strings looked for within the "client" meta key to indicate mobile browsing: "iPad", "iPhone", "iPod", "Android", "BlackBerry", "Mobile", "Opera Mobi", "Opera Mini", "Symbian", "GoBrowser", "Minimo", "Netfront", "Skyfire", "SEMC-Browser". log, packet "":""
Cerber Ransomware nw22350 Detects a set of pay-site hosts for Cerber ransomware that correlate to embedded configuration files for the malware's set up of bitcoin wallets for each victim. This rule matches when the 'alias.host' (packet) or 'fqdn' (web logs) begins with one of the identified pay-sites.

Reference these RSA Link blog posts from RSA Research for more details about this threat:
https://community.rsa.com/community/products/netwitness/blog/2016/09/27/the-evolution-of-cerber
https://community.rsa.com/community/products/netwitness/blog/2016/11/04/the-evolution-of-cerber-v410

Dependencies:
- (Packet) HTTP_lua parser
- (Logs) At least one web log event source - September 2016 or later release. Prior to 10.6.2, the Envision Config File from Live for the FQDN meta key configuration.

Meta Keys:
- Risk Warning = cerber ransomware
- Indicators of Compromise = cerber ransomware
log, packet "impact":"data encrypted for impact", "command and control":"multilayer encryption", "command and control":"multi-hop proxy"
Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow nw125025 Customers who deploy either Cisco IPS or SourceFire Defense Center may benefit from this log-based Application Rule written to detect indicators to CVE-2016-1287: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow.

SourceFire signature IDs utilized to detect this vulnerability are '1:36903' and '1:37674' while Cisco IPS signature IDs are 7169-0 and 7169-1.
log "impact":"network denial of service"
Clears Security Event Log clears_security_event_log Clearing security event log can be a strong indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = clears security event log
endpoint "defense evasion":"indicator removal on host"
Clears System Event Log clears_system_event_log Clearing security system log can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = clears system event log
endpoint "defense evasion":"indicator removal on host"
Cmstar Malware nw22310 Detects malicious traffic between command and control server and custom downloader cmstart variants. Either the HTTP_lua or HTTP native parser is required.

Reference this RSA Link blog post from RSA Research for more details about this threat:
https://community.rsa.com/community/products/netwitness/blog/2015/09/30/detecting-cmstar-variants-us...
packet "command and control":"data encoding", "exfiltration":"exfiltration over command and control channel"
Combines Binaries Using Command Prompt combines_binaries_using_command_prompt Chaining binaries using command prompt can be an indication of someone trying to run multiple malicious commands needed to perform multi-stage attack to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = combines binaries using command prompt
endpoint "execution":"command-line interface"
Command Line Usage Of Archiving Software command_line_usage_of_archiving_software Use of the command line to create archive files demonstrates more advanced use of the tools and is atypical.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = command line usage of archiving software
endpoint "exfiltration":"data compressed"
Command Line Writes Script Files command_line_writes_script_files This rule will return any 'cmd.exe' or 'powershell.exe' that will write out any file with the extensions 'vbs', 'vbe', 'wsh', 'wsf', 'vb', 'cmd' or 'bat'. Scripts can be used for Defense Evasion as well as Execution by adversaries.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = command line writes script files
endpoint "execution":"command-line interface", "execution":"scripting", "defense evasion":"scripting"
Command Prompt Obfuscation command_prompt_obfuscation Command Prompt (cmd) in Windows can be used to perform a number of tasks including execution of other software. Adversaries can run obfuscated commands on cmd for execution to evade defense mechanisms. Obfuscated commands can evade signature based defenses.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = command prompt obfuscation
endpoint "execution":"command-line interface", "defense evasion":"obfuscated files or information"
Command Prompt Obfuscation Using Value Extraction command_prompt_obfuscation_using_value_extraction Command Prompt (cmd) in Windows can be used to perform a number of tasks including execution of other software. Adversaries can run obfuscated commands on cmd by extracting strings from environment variables for execution to evade defense mechanisms. Obfuscated commands can evade signature based defenses.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = command prompt obfuscation using value extraction
endpoint "execution":"command-line interface", "defense evasion":"obfuscated files or information"
Command Shell Copy Items command_shell_copy_items This will return any console event of 'cmd.exe' or 'powershell.exe' running a copy command.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = command shell copy items
endpoint "execution":"command-line interface"
Command Shell Runs Rundll32 command_shell_runs_rundll32 This will return any instance of 'cmd.exe' or 'powershell.exe' launching the Windows OS processes of 'rundll32.exe' with no arguments

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = command shell runs rundll32
endpoint "defense evasion":"rundll32", "execution":"rundll32", "execution":"powershell"
Completes BITS Download Job completes_bits_download_job Background Intelligent Transfer Service (BITS) is a Windows component used to transfer files. It has commonly been used for malware distribution.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = completes bits download job
endpoint "lateral movement":"remote file copy"
Configures Image Hijacking configures_image_hijacking Image File Execution Options (IFEO) enable a developer to attach a debugger to an application. Value of the debugger process can be abused to obtain persistence and privilege escalation by causing a malicious executable to be loaded and by continuous invocation. Malware may also use IFEO for Defense Evasion by registering invalid debuggers that redirect and effectively disable various system and security applications

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = configures image hijacking
endpoint "persistence":"image file execution options injection", "defense evasion":"image file execution options injection", "privilege escalation":"image file execution options injection"
Configures Port Redirection configures_port_redirection Configuring port redirection can be indication of adversaries can be using connection to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = configures port redirection
endpoint "command and control":"connection proxy"
Copies Binary Over Administrative Share copies_binary_over_administrative_share Administrative shares once compromised could be used to distribute malware.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = copies binary over administrative share
endpoint "lateral movement":"remote file copy"
Created In Last Month created_in_last_month Files created in the last month may be reviewed for malicious intent.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = created in last month
endpoint "":""
Creates Browser Extension creates_browser_extension Browser extensions or plugins are small programs that can add functionality and customize aspects of internet browsers. Malicious extensions once installed can browse to websites in the background, steal all information that a user enters into a browser and be used as an installer for a RAT for persistence. endpoint "persistence":"browser extensions"
Creates Domain User Account creates_domain_user_account Creating domain user account can be an indication of adversaries with a sufficient level of access creating a domain user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = creates domain user account
endpoint "persistence":"create account"
Creates Executable In Startup Directory creates_executable_in_startup_directory Creating executable in startup directory can an indication of someone trying to use startup configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = creates executable in startup directory
endpoint "persistence":"registry run keys / startup folder"
Creates Local Driver Service creates_local_driver_service Creating local driver service can be an indication of someone trying to maintain a persistent access on the system using driver services which can execute under SYSTEM privileges, modify the registry and create back

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = creates local driver service
endpoint "persistence":"new service"
Creates Local Service creates_local_service Creating local service can be an indication of someone trying to maintain a persistent presence on the system using local services which can modify the registry, escalate privileges and create backdoor.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = creates local service
endpoint "persistence":"new service"
Creates Local Task creates_local_task Creating local task can be an indication of someone trying to use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote execution as part of lateral movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = creates local task
endpoint "persistence":"scheduled task"
Creates Local User Account creates_local_user_account Creating local user account can be an indication of adversaries with a sufficient level of access creating a local user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = creates local user account
endpoint "persistence":"create account"
Creates Password-Protected Archive creates_password-protected_archive Password-protected archive files can be used to exfiltrate sensitive data since contents cannot be examined.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = creates password-protected archive
endpoint "exfiltration":"data compressed"
Creates Recursive Archive creates_recursive_archive Creating a recursive archive could be an attempt to exfiltrate many files at once.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = creates recursive archive
endpoint "exfiltration":"data compressed"
Creates Remote Process Using WMI Command-Line Tool creates_remote_process_using_wmi_command-line_tool Creating remote process using WMI command-line tool can be an indication of someone trying to use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for discovery and remote execution of files as part of Lateral Movement.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = creates remote process using wmi command-line tool
endpoint "execution":"windows management instrumentation"
Creates Remote Service creates_remote_service Creating remote service can be an indication of someone trying to maintain a persistent presence on the system using remote services which can modify the registry, escalate privileges and create backdoor.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = creates remote service
endpoint "persistence":"new service"
Creates Remote Task creates_remote_task Creating remote task can be an indication of someone trying to use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote execution as part of lateral movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = creates remote task
endpoint "persistence":"scheduled task"
Creates Run Key creates_run_key Creating new run key can be an indication of someone trying to use startup configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = creates run key
endpoint "persistence":"registry run keys / startup folder"
Creates Shadow Volume For Logical Drive creates_shadow_volume_for_logical_drive Creating shadow volume for logical drive can be indication of someone trying to dump credentials using shadow backup copies of systems to be able to Creates remote taskCreates remote taskgain a privileged foothold, allowing them unfettered access to elevate privileges and move about the network freely without detection.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = creates shadow volume for logical drive
endpoint "credential access":"credential dumping"
Creates Suspicious Service Running Command Prompt creates_suspicious_service_running_command_prompt Creates suspicious service running command prompt can be an indication of someone trying to create and run malicious services to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = creates suspicious service running command prompt
endpoint "execution":"service execution"
CryptoShield Ransomware nw22380 CryptoShield ransomware is being distributed through sites that have been compromised so that when a visitor goes to the site, they will encounter the attack chain. Once the ransomware is executed on the victim's computer, it will generate a unique ID for the victim and an encryption key. This rule detects the upload of this key to the command and control server.

DEPENDENCIES
Lua Parsers:
* HTTP_lua
* Form_Data_lua
* traffic_flow
Feeds:
* NetWitness

GENERATED META KEYS
* ioc = cryptoshield ransomware
* inv.category = threat
* inv.context = malware, crimeware
packet "impact":"data encrypted for impact", "command and control":""
Cybergate RAT Download nw110145 Detects an internal network session download of the CyberGate RAT.A network parser that supports population of meta keys of "action" and "filename" is required.Examples of such network parsers are HTTP, FTP, IRC and NFS. packet "command and control":"standard application layer protocol", "exfiltration":"exfiltration over command and control channel"
Daserf Malware nw22315 Detects malicious inbound and outbound traffic between backdoor/malware Daserf variants and command and control server domain over HTTP. The HTTP_lua parser is a required dependency.

Reference this RSA Link blog post from RSA Research for more details about this threat: https://community.rsa.com/community/products/netwitness/blog/2015/09/28/detecting-daserf-variants-us...
packet "command and control":"data encoding", "exfiltration":"exfiltration over command and control channel", "exfiltration":"data encrypted", "command and control":"standard application layer protocol"
Debian Package Hash Mismatch debian_package_hash_mismatch A hash mismatch may indicate a file has been altered from its original state and call into question its integrity. Since debian packages typically contain compiled software this could mean an attacker is trying to disguise malicious malware as legitimate.

VERSIONS SUPPORTED
* NetWitness Platform 11.5 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = debian package hash mismatch
endpoint "defense evasion":"masquerading"
Debian Package Hash Mismatch In Important System Directory debian_package_hash_mismatch_in_important_system_directory A hash mismatch may indicate a file has been altered from its original state and call into question its integrity. Since debian packages typically contain compiled software this could mean an attacker is trying to disguise malicious malware as legitimate.

VERSIONS SUPPORTED
* NetWitness Platform 11.5 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = debian package hash mismatch in important system directory
endpoint "defense evasion":"masquerading"
Deletes Backup Catalog deletes_backup_catalog Deleting backup catalog can be an indication of someone is trying to remove files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = deletes backup catalog
endpoint "defense evasion":"file deletion"
Deletes Firewall Rule deletes_firewall_rule Deleting firewall rule can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = deletes firewall rule
endpoint "defense evasion":"disabling security tools"
Deletes Shadow Volume Copies deletes_shadow_volume_copies Deleting shadow volume copies can be an indication of someone is trying to removefiles over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = deletes shadow volume copies
endpoint "defense evasion":"file deletion"
Deletes USN Change Journal deletes_usn_change_journal Deleting USN change journal can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = deletes usn change journal
endpoint "defense evasion":"indicator removal on host"
Disables Firewall disables_firewall Disabling firewall can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = disables firewall
endpoint "defense evasion":"disabling security tools"
Disables Security Service disables_security_service Disabling security service can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = disables security service
endpoint "defense evasion":"disabling security tools"
Disables Startup Repair disables_startup_repair Disabling startup repair can be an indication of someone is trying to remove files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = disables startup repair
endpoint "defense evasion":"file deletion"
Disables UAC disables_uac Event viewer executing uncommon binary can be an indication of possible Windows User Account Control (UAC) bypass. Attacker can use these techniques to elevate privileges to administrator if the target process is unprotected. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = disables uac
endpoint "privilege escalation":"bypass user account control"
Disables UAC Remote Restrictions disables_uac_remote_restrictions Disabling UAC remote restrictions can be an attempt to bypass Windows User Account Control (UAC). Attacker can use these techniques to elevate privileges to administrator if the target process is unprotected. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = disables uac remote restrictions
endpoint "privilege escalation":"bypass user account control"
Disables Windows Defender Using Powershell disables_windows_defender_using_powershell Disabling windows defender using powershell can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = disables windows defender using powershell
endpoint "defense evasion":"disabling security tools"
DNS Hostnames Resolving Non-Routable IP nw30010 DNS names that resolve to non-routable IP address. Often used on parked domains. packet "":""
DNS Over Non-Standard Port nw60005 DNS traffic over ports other than udp 53 packet "command and control":"uncommonly used port"
Downloads Binary Using Certutil downloads_binary_using_certutil Windows certificate managing utility program - CertUtil can install, backup, delete, manage, and perform various functions related to certificates and certificate stores in Windows. Downloading binary using certutil can be an indication of someone trying to download malicious code to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = downloads binary using certutil
endpoint "execution":"user execution"
Dreambot Malware nw22375 The Dreambot is a banking trojan spreading via exploit kits and spam e-mails with tor communication and peer-to-peer functionality. This rule detects outbound beaconing activity from infected host.

DEPENDENCIES
Lua Parsers:
* HTTP Lua
* Traffic Flow Lua
Feeds:
* NetWitness

GENERATED META KEYS
* ioc = dreambot malware
* inv.category = threat
* inv.context = malware, crimeware
packet "command and control":"multilayer encryption", "command and control":"multi-hop proxy", "exfiltration":"exfiltration over command and control channel"
Drops Credential Dumping Tools drops_credential_dumping_tools Dropping credential dumping tools can be indication of someone trying to bypass all credentials checks to be able to gain a privileged foothold, allowing them unfettered access to elevate privileges and move about the network freely without detection.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = drops credential dumping library
endpoint "credential access":"credential dumping"
Dumps DNS Cache dumps_dns_cache Dumping DNS cache can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = dumps dns cache
endpoint "discovery":"system network connections discovery"
Dyld Inserted dyld_inserted macOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search paths. Adversaries can take advantage of ambiguous paths to plant dylibs to gain privilege escalation or persistence.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = dyld inserted
endpoint "persistence":"dylib hijacking", "privilege escalation":"dylib hijacking"
Dyzap Malware nw22365 Dyzap has the ability to steal usernames and passwords of email, banking and social media accounts. Once the malware infects a victim machine, it starts sending data to its command and control server via an HTTP POST request. This rule detects a variant seen spreading through phishing email messages.
Reference this RSA Link blog post from RSA Research for more details about this threat:
https://community.rsa.com/community/products/netwitness/blog/2016/11/18/detecting-a-dyzap-variant-us...
The HTTP_lua and traffic_flow parser are required.
packet "exfiltration":"exfiltration over command and control channel", "command and control":"standard application layer protocol"
Enables Cleartext Credential Storage enables_cleartext_credential_storage Enabling cleartext credential storage can be indication of someone trying to exploit these credentials to be able to gain a privileged foothold, allowing them unfettered access to elevate privileges and move about the network freely without detection.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = enables cleartext credential storage
endpoint "credential access":"credential dumping"
Enables Login Bypass enables_login_bypass Accessibility features that may be launched with a key combination before a user has logged in . Enabling login bypass can be an indicator of someone trying to modify the way these programs are launched to maintain a persistent presence on the system which can escalate privileges and create backdoor without logging in to the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = enables login bypass
endpoint "persistence":"accessibility features", "privilege escalation":"accessibility features"
Enables RDP From Command-Line enables_rdp_from_command-line Enabling RDP from command-line can be indication of adversaries trying to connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries may also use RDP in conjunction with the Accessibility Features technique for Persistence or perform RDP session hijacking which involves stealing a legitimate user's remote session.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enables rdp from command-line
endpoint "lateral movement":"remote desktop protocol"
Enumerates ARP Table enumerates_arp_table Enumeration of ARP table can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = enumerates arp table
endpoint "discovery":"system network configuration discovery"
Enumerates Available Systems On Network enumerates_available_systems_on_network Enumeration of available systems on network can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = enumerates available systems on network
endpoint "discovery":"remote system discovery"
Enumerates Domain Account Policy enumerates_domain_account_policy Enumeration of domain account policy can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates domain account policy
endpoint "discovery":"system information discovery"
Enumerates Domain Administrators enumerates_domain_administrators Enumeration of domain administrators can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates domain administrators
endpoint "discovery":"account discovery"
Enumerates Domain Computers enumerates_domain_computers Enumeration of domain computers can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates domain computers
endpoint "discovery":"remote system discovery"
Enumerates Domain Controllers enumerates_domain_controllers Enumeration of domain controllers can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates domain controllers
endpoint "discovery":"remote system discovery"
Enumerates Domain Groups enumerates_domain_groups Enumeration of domain groups can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates domain groups
endpoint "discovery":"account discovery"
Enumerates Domain Users enumerates_domain_users Enumeration of domain users can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates domain users
endpoint "discovery":"account discovery"
Enumerates Enterprise Administrators enumerates_enterprise_administrators Enumeration of enterprise administrators can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates enterprise administrators
endpoint "discovery":"account discovery"
Enumerates Exchange Domain Servers enumerates_exchange_domain_servers Enumeration of exchange domain servers can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates exchange domain servers
endpoint "discovery":"remote system discovery"
Enumerates Exchange Servers enumerates_exchange_servers Enumeration of exchange servers can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates exchange servers
endpoint "discovery":"remote system discovery"
Enumerates IP Configuration enumerates_ip_configuration Enumeration of IP configuration can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = enumerates ip configuration
endpoint "discovery":"system network configuration discovery"
Enumerates Local Account Policy enumerates_local_account_policy Enumeration of local account policy can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates local account policy
endpoint "discovery":"system information discovery"
Enumerates Local Administrators enumerates_local_administrators Enumeration of local administrators can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates local administrators
endpoint "discovery":"account discovery"
Enumerates Local Administrators On Domain Controller enumerates_local_administrators_on_domain_controller Enumeration of local administrators on domain controller can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates local administrators on domain controller
endpoint "discovery":"account discovery"
Enumerates Local Groups enumerates_local_groups Enumeration of local groups can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates local groups
endpoint "discovery":"account discovery"
Enumerates Local Services enumerates_local_services Enumeration of local services can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = enumerates local services
endpoint "discovery":"system information discovery"
Enumerates Local Users enumerates_local_users Enumeration of local users can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates local users
endpoint "discovery":"account discovery"
Enumerates Logical Disk enumerates_logical_disk Enumeration of logical disk can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates logical disk
endpoint "discovery":"system information discovery"
Enumerates Mapped Resources enumerates_mapped_resources Enumeration of mapped resources can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = enumerates mapped resources
endpoint "discovery":"system network connections discovery"
Enumerates Network Connections enumerates_network_connections Enumeration of network connections can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = enumerates network connections
endpoint "discovery":"system network connections discovery"
Enumerates Primary Domain Controller enumerates_primary_domain_controller Enumeration of primary domain controller can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates primary domain controller
endpoint "discovery":"remote system discovery"
Enumerates Processes On Local System enumerates_processes_on_local_system Enumeration of processes on local system can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = enumerates processes on local system
endpoint "discovery":"process discovery"
Enumerates Processes On Remote System enumerates_processes_on_remote_system Enumeration of processes on local system can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates processes on remote system
endpoint "discovery":"process discovery"
Enumerates Remote Netbios Name Table enumerates_remote_netbios_name_table Enumeration of remote netbios name table can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates remote netbios name table
endpoint "discovery":"system network configuration discovery"
Enumerates Remote Resources enumerates_remote_resources Enumeration of remote resources can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates remote resources
endpoint "discovery":"network share discovery"
Enumerates Route Table enumerates_route_table Enumeration of routing table can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = enumerates route table
endpoint "discovery":"system network configuration discovery"
Enumerates Services Hosted In Processes enumerates_services_hosted_in_processes Enumeration of services hosted in processes can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = enumerates services hosted in processes
endpoint "discovery":"system information discovery"
Enumerates System Info enumerates_system_info Enumeration of system information can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates system info
endpoint "discovery":"system information discovery"
Enumerates Trusted Domains enumerates_trusted_domains Enumeration of trusted domains can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = enumerates trusted domains
endpoint "discovery":"remote system discovery"
Etc Password Get Request nw50005 Detects a get request for "/etc/passwd" log, packet "credential access":"credential dumping", "credential access":"credentials in files"
Etc Shadow Get Request nw50010 Detects attempted get request for /etc/shadow log, packet "credential access":"credential dumping", "credential access":"credentials in files"
Evasive Powershell Used Over Network evasive_powershell_used_over_network This rule will trigger when PowerShell with evasive options will be detected through a network event. Automated tools like PowerShell Empire run evasive remote PowerShell commands through network. Adversaries can use such technique for execution while evading defenses.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = evasive powershell used over network
endpoint "execution":"powershell", "defense evasion":""
Event Viewer Executes Uncommon Binary event_viewer_executes_uncommon_binary Event viewer executing uncommon binary can be an indication of possible Windows User Account Control (UAC) bypass. Attacker can use these techniques to elevate privileges to administrator if the target process is unprotected. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = event viewer executes uncommon binary
endpoint "privilege escalation":"bypass user account control"
exe filetype but not exe extension exe_filetype_but_not_exe_extension An executable was detected in the session but no filename with an "exe" extension was seen in the same session. packet "defense evasion":"masquerading"
Executable In ADS executable_in_ads Leveraging Alternate Data Streams can be a way to mask a malicious file inside a data stream of another binary, which can then be executed by launching the file it is forked into endpoint "defense evasion":"ntfs file attributes"
Execute DLL Through Rundll32 execute_dll_through_rundll32 Rundll32 program can be called to execute an arbitrary binary. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = execute dll through rundll32
endpoint "execution":"rundll32", "defense evasion":"rundll32"
Explorer Public Folder DLL Load explorer_public_folder_dll_load This rule will return hits from 'explorer.exe' launching the Windows OS process 'rundll32.exe' that leverages the folders "Public\\Libraries" or 'ClassWindow'

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = explorer public folder dll load
endpoint "execution":"rundll32", "defense evasion":"rundll32"
Exports Sensitive Registry Hive exports_sensitive_registry_hive Exporting sensitive registry hive can be indication of someone trying to exploit these credentials and registry values to be able to gain a privileged foothold, allowing them unfettered access to elevate privileges and move about the network freely without detection.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = exports sensitive registry hive
endpoint "credential access":"credential dumping"
Extracts Password-Protected Archive extracts_password-protected_archive Password-protected archive files can be used to secure sensitive data since contents cannot be examined.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = extracts password-protected archive
endpoint "exfiltration":"data compressed"
File Encrypted file_encrypted File is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = file encrypted
endpoint "exfiltration":"data encrypted"
File Hidden file_hidden To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a hidden file. Adversaries can use this to their advantage to hide files and folders anywhere on the system for persistence and evading a typical user or system analysis that does not incorporate investigation of hidden files.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = file hidden
endpoint "persistence":"hidden files and directories", "defense evasion":"hidden files and directories"
File Path Not Part Of Debian Package file_path_not_part_of_debian_package Installation or updates of software on Linux systems is typically done through a debian package. Executables outside of this packing format could be considered suspicious.

VERSIONS SUPPORTED
* NetWitness Platform 11.5 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = file path not part of debian package
endpoint "execution":""
File Path Not Part Of Debian Package In Important System Directory file_path_not_part_of_debian_package_in_important_system_directory Installation or updates of software on Linux systems is typically done through an debian packages. Executables outside of this packing format could be considered suspicious.

VERSIONS SUPPORTED
* NetWitness Platform 11.5 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = file path not part of debian package in important system directory
endpoint "execution":""
File Path Not Part Of RPM file_path_not_part_of_rpm Installation or updates of software on Linux systems is typically done through an RPM. Executables outside of this packing format could be considered suspicious.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = file path not part of rpm
endpoint "execution":""
File Path Not Part Of RPM In Important System Directory file_path_not_part_of_rpm_in_important_system_directory Installation or updates of software on Linux systems is typically done through an RPM. Executables outside of this packing format could be considered suspicious.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = file path not part of rpm in important system directory
endpoint "execution":""
File Transport over ICMP nw110025 Detects files transported over ICMP. log, packet "":""
File Transport Over Unknown Protocol nw110030 Detects files transported over unknown protocols. packet "":""
File Vault Disabled file_vault_disabled FileVault full-disk encryption (FileVault 2) uses XTS-AES-128 encryption with a 256-bit key to help prevent unauthorized access to the information on your startup disk. Disabling this feature will decrypt the information on your startup disk. endpoint "defense evasion":"disabling security tools"
Filter Adobe Updates nw140050 Filters executables associated with Adobe Updates packet "":""
Filter Google Updates nw140020 Filters executable updates for google tools packet "":""
Filter Intel Updates nw140035 Filters executables associated with Intel Updates packet "":""
Filter Java Updates nw140015 Filters executables involved with java updates packet "":""
Filter Macromedia Updates nw140030 Filters macromedia update executables packet "":""
Filter Mcafee Updates nw140045 Filters executables associated with Mcafee updates packet "":""
Filter Skype Updates nw140010 Filters skype update executables. packet "":""
Filter Symantec Updates nw140025 Filters Symantec Update executables packet "":""
Filter VMWare Updates nw140040 Filters executables associated with VMWare Updates packet "":""
Filter Windows Updates nw140005 Filters executable downloads from Windows Update. packet "":""
Floating Module floating_module Detects a floating code module as a result of DLL injection. This may result in an attacker gaining access to internal resources, escalating privileges or disguising malicious behavior under a legitimate process. endpoint "defense evasion":"process injection"
Floating Module And Hooking floating_module_and_hooking Detects floating code as a result of hooking. The attacker masks malicious behavior under the process. endpoint "defense evasion":"process injection"
Floating Module In Browser Process floating_module_in_browser_process Detects a floating code module as a result of DLL injection. The attacker masks malicious behavior under the legitimate browser process. endpoint "defense evasion":"process injection"
Floating Module In OS Process floating_module_in_os_process Detects a floating code module as a result of DLL injection. The attacker masks malicious behavior under the legitimate OS process. endpoint "defense evasion":"process injection"
Gatekeeper Disabled gatekeeper_disabled Gatekeeper is a security feature of the Mac OS operating system. It enforces code signing and verifies downloaded applications before allowing them to run, thereby reducing the likelihood of inadvertently executing malware. endpoint "defense evasion":"gatekeeper bypass"
Gets Current User As SYSTEM gets_current_user_as_system Trying to find current user as SYSTEM can be an indication of someone trying to discover potential attack vectors in the system , and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = gets current user as system
endpoint "discovery":"system owner/user discovery"
Gets Current Username gets_current_username Trying to find current username information can be an indication of someone trying to discover potential attack vectors in the system , and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = gets current username
endpoint "discovery":"system owner/user discovery"
Gets Current Username And Group Information gets_current_username_and_group_information Trying to find current username and group information can be an indication of someone trying to discover potential attack vectors in the system , and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = gets current username and group information
endpoint "discovery":"system owner/user discovery"
Gets Hostname gets_hostname Enumeration of hostnames can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = gets hostname
endpoint "discovery":"system information discovery"
Gets Remote Time gets_remote_time getting remote time can be an indication of someone trying to gather information that could be useful for performing other techniques, such as executing a file with a Scheduled Task, or to discover locality information based on time zone to assist in victim targeting.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = gets remote time
endpoint "discovery":"system time discovery"
GINA Replacement gina_replacement GINA is the Graphical Identification and Authentication component of Windows and handles the logon screen that we're all familiar with. GINA DLL can be replaced with another DLL to intercept credentials.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = gina replacement
endpoint "persistence":"winlogon helper dll"
Graylisted File graylisted_file An analyst may mark files as graylisted within NetWitness Endpoint. If actions on an endpoint involve those graylisted files as the source, then this rule will trigger.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = graylisted file
endpoint "execution":""
Hidden And Hooking hidden_and_hooking Hooking may be used to intercept and execute code in response to events. If the file is hidden, this could indicate an attempt is being made to evade detection by an attacker.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = hidden and hooking
endpoint "persistence":"hooking", "defense evasion":"hidden files and directories", "persistence":"hidden files and directories"
Hidden In AppData hidden_in_appdata Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. endpoint "defense evasion":"hidden files and directories"
Hidden Plist And Autorun hidden_plist_and_autorun plist (Property List) is a flexible and convenient format for storing application data. Adversaries can modify these plist files to point to their own code, can use them to execute their code in the context of another user, bypass whitelisting procedures, or even use them as a persistence mechanism.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = hidden plist and autorun
endpoint "persistence":"hidden files and directories"
Hidden Running As Root hidden_running_as_root A file is typically hidden to prevent users from accidentally changing them on a filesystem. A hidden file running with root privileges may indicate an attacker behavior to evade detection and install malware to maintain persistence. endpoint "defense evasion":"hidden files and directories"
High Risk File From Blacklisted Host nw20065 Executable download from a host on a blacklist feed. packet "execution":""
Hooks Audio Output Function hooks_audio_output_function A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = hooks audio output function
endpoint "persistence":"hooking"
Hooks Authentication Function hooks_authentication_function A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = hooks authentication function
endpoint "persistence":"hooking"
Hooks Crypto Function hooks_crypto_function A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = hooks crypto function
endpoint "persistence":"hooking"
Hooks DnsQuery Function hooks_dnsquery_function A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = hooks dnsquery function
endpoint "persistence":"hooking"
Hooks GUI Function hooks_gui_function A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = hooks gui function
endpoint "persistence":"hooking"
Hooks Network HTTP Function hooks_network_http_function A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = hooks network http function
endpoint "persistence":"hooking"
Hooks Network IO Function hooks_network_io_function A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = hooks network io function
endpoint "persistence":"hooking"
Hooks NtLdr Function hooks_ntldr_function A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = hooks ntldr function
endpoint "persistence":"hooking"
Hooks Registry Access Function hooks_registry_access_function A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = hooks registry access function
endpoint "persistence":"hooking"
Hooks Registry Enumeration Function hooks_registry_enumeration_function A hook is a process which can intercept actions from an application such as keystrokes, networking and files. These intercepted functions fall to a hook procedure, which can then change or reject the event.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = hooks registry enumeration function
endpoint "persistence":"hooking"
HTTP Daemon Runs Command Prompt http_daemon_runs_command_prompt HTTP daemon running command prompt can be an indication of web shell trying to run malicious commands which may may serve as Redundant Access or as a persistence mechanism in case an adversary's primary access methods are detected and removed.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = http daemon runs command prompt
endpoint "persistence":"web shell"
HTTP Daemon Runs Powershell http_daemon_runs_powershell HTTP daemon running powershell can be an indication of web shell trying to run malicious commands which may may serve as Redundant Access or as a persistence mechanism in case an adversary's primary access methods are detected and removed.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = http daemon runs powershell
endpoint "persistence":"web shell"
HTTP Daemon Runs Reconnaissance Tool http_daemon_runs_reconnaissance_tool HTTP daemon running reconnaissance tool can be an indication of web shell trying to run malicious commands which may may serve as Redundant Access or as a persistence mechanism in case an adversary's primary access methods are detected and removed.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = http daemon runs reconnaissance tool
endpoint "persistence":"web shell"
HTTP Daemon Writes Executable http_daemon_writes_executable HTTP daemon running writing executable can be an indication of web shell trying to run malicious commands which may may serve as Redundant Access or as a persistence mechanism in case an adversary's primary access methods are detected and removed.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = http daemon writes executable
endpoint "persistence":"web shell"
HTTP over Non-Standard Port nw60020 http traffic over a port other than 80 packet "command and control":"uncommonly used port"
HttpBrowser Malware nw22325 Detects malicious outbound traffic between HttpBrowser Malware variants and command and control server. Either the HTTP_lua or HTTP native parser is required.
Reference this RSA Link blog post from RSA Research for more details about this threat: https://community.rsa.com/community/products/netwitness/blog/2016/02/10/detecting-httpbrowser-varian...
packet "exfiltration":"exfiltration over command and control channel", "command and control":""
IE DEP Disabled ie_dep_disabled Disabling IE DEP can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = ie dep disabled
endpoint "defense evasion":"disabling security tools"
IE Enhanced Security Disabled ie_enhanced_security_disabled Disabling IE enhanced security can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = ie enhanced security disabled
endpoint "defense evasion":"disabling security tools"
In AppData Directory in_appdata_directory These locations are used often by malware authors to store malicious payloads, with autoruns in place to ensure persistence.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = in appdata directory
endpoint "defense evasion":"hidden files and directories"
In Hidden Directory in_hidden_directory To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a hidden file. Adversaries can use this to their advantage to hide files and folders anywhere on the system for persistence and evading a typical user or system analysis that does not incorporate investigation of hidden files.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = in hidden directory
endpoint "defense evasion":"hidden files and directories"
In Recycle Bin Directory in_recycle_bin_directory A file found in recycle bin directory may be suspicious. endpoint "defense evasion":"hidden files and directories"
In Root Of AppDataLocal Directory in_root_of_appdatalocal_directory These locations are used often by malware authors to store malicious payloads, with autoruns in place to ensure persistence.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = in root of appdatalocal directory
endpoint "defense evasion":"hidden files and directories"
In Root Of AppDataRoaming Directory in_root_of_appdataroaming_directory These locations are used often by malware authors to store malicious payloads, with autoruns in place to ensure persistence.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = in root of appdataroaming directory
endpoint "defense evasion":"hidden files and directories"
In Root Of Logical Drive in_root_of_logical_drive While the majority of programs are stored in folders on a system, it is uncommon to see a binary in the root of for example, "C:" directory.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file boc = in root of logical drive
endpoint "execution":""
In Root Of Program Directory in_root_of_program_directory These locations are used often by malware authors to store malicious payloads, with autoruns in place to ensure persistence.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = in root of program directory
endpoint "execution":""
In Root Of Users Directory in_root_of_users_directory These locations are used often by malware authors to store malicious payloads, with autoruns in place to ensure persistence.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file boc = in root of users directory
endpoint "execution":""
In System Volume Information Directory in_system_volume_information_directory

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = in system volume information directory
endpoint "defense evasion":"hidden files and directories"
In Temporary Directory in_temporary_directory These locations are used often by malware authors to store malicious payloads, with autoruns in place to ensure persistence.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = in temporary directory
endpoint "execution":""
In Uncommon Directory in_uncommon_directory A file found in an uncommon directory may be suspicious. endpoint "execution":"user execution"
Installs Root Certificate installs_root_certificate Installing root certificate on a compromised system can be an indication of an adversary trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = installs root certificate
endpoint "defense evasion":"install root certificate"
Invalid Signature invalid_signature This indicates that code may have been altered or corrupted since it was signed.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = invalid signature
endpoint "execution":""
IRC File Transfer nw00015 Rules looks for file transfers via IRC packet "":""
Kext Signature Validation Disabled kext_signature_validation_disabled Kext signature validation is a code signing requirement for all extensions and drivers located in the extensions folder. Disabling that feature may expose the system to unsigned rootkits or other malware. endpoint "defense evasion":"code signing"
KeyBase Keylogger nw22340 Detects malicious outbound traffic between KeyBase Keylogger and command and control server. Either the HTTP_lua or HTTP native parser and traffic_flow parser is required.
Reference this RSA Link blog post from RSA Research for more details about this threat:
https://community.rsa.com/community/products/netwitness/blog/2015/06/25/detecting-keybase-variants-u...
packet "collection":"input capture", "exfiltration":"exfiltration over command and control channel"
Large Outbound Encrypted session nw110045 Detects an Outbound encrypted session where the data size is greater than 5MB. packet "exfiltration":"data encrypted"
Large Outbound Session nw110060 Detects outbound session (encrypted or non-encrypted) where the data size is greater than 5MB.

DEPENDENCIES
Lua Parsers:
* traffic_flow
Feeds:
* Investigation
* Hunting

GENERATED META KEYS
*boc = large outbound data transfer
*inv.category = assurance
*inv.context = compliance, corporate
packet "exfiltration":""
Lateral Movement With Credentials Using Net Utility lateral_movement_with_credentials_using_net_utility This rule is looking for instance of 'net use' being leveraged with username and/or passwords being passed. This technique is leveraged when attackers gain access to a network and obtain credentials to use to laterally move from system to system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc =lateral movement with credentials using net utility
endpoint "lateral movement":"windows admin shares"
LD Preload ld_preload Environment variables can be used to dynamically load a library in a process which can be used to intercept API calls from the running process. endpoint "defense evasion":"process injection"
Library Preferences Directory library_preferences_directory "Adversaries can use list of specific applications to run when a user logs in. These login items are stored in the users ~/Library/Preferences/ directory in a plist file called com.apple.loginitems.plist

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = library preferences directory"
endpoint "persistence":"login item"
Lists Anti-Spyware Products lists_anti-spyware_products Listing anti-spyware products can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = lists anti-spyware products
endpoint "discovery":"security software discovery"
Lists Antivirus Products lists_antivirus_products Listing antivirus products can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = lists antivirus products
endpoint "discovery":"security software discovery"
Lists Firewall Products lists_firewall_products Listing firewall products can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = lists firewall products
endpoint "discovery":"security software discovery"
Locky Malware nw22355 Detects malicious outbound traffic between a system infected with Locky Ransomware and command and control server.

REFERENCES
Reference this RSA Link blog post from RSA Research for more details about this threat:
https://community.rsa.com/community/products/netwitness/blog/2016/10/03/nemucod-and-locky

DEPENDENCIES
Lua Parsers
* HTTP_lua
* traffic_flow
Feeds
* NetWitness

GENERATED META KEYS
* ioc = locky malware
* inv.category = threat
* inv.context = malware, crimeware
packet "impact":"data encrypted for impact", "command and control":"standard application layer protocol"
Login Bypass Configured login_bypass_configured Accessibility features that may be launched with a key combination before a user has logged in . A login bypass can be an indicator of someone trying to modify the way these programs are launched to maintain a persistent presence on the system which can escalate privileges and create backdoor without logging in to the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = login bypass configured
endpoint "persistence":"accessibility features", "privilege escalation":"accessibility features", "privilege escalation":"image file execution options injection", "persistence":"image file execution options injection", "defense evasion":"image file execution options injection"
LSASS Access lsass_access Detects suspicious access to lsass.exe through sysmon logs. This process access indicates probable credential dumping.

DEPENDENCIES
Log Parsers:
* At least one of the Windows log device parsers
Feeds:
* Investigation

GENERATED META KEYS
* ioc = lsass access
* inv.category = identity, threat
* inv.context = attack phase, action on objectives, lateral movement
log "credential access":"credential dumping", "execution":"lsass driver", "persistence":"lsass driver"
LUA Disabled lua_disabled Windows User Account Controls (UAC) will not notify the user when programs try to make changes to the computer. UAC was formerly known as Limited User Account (LUA). This can be an attempt to bypass UAC.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = lua disabled
endpoint "defense evasion":"bypass user account control", "privilege escalation":"bypass user account control"
Mac Firewall Disabled mac_firewall_disabled Disabling firewall can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. endpoint "defense evasion":"disabling security tools"
Malicious File By Reputation Service malicious_file_by_reputation_service Files reported as malicious by reputation service indicates execution of files and hashes of which are tagged as malicious.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = malicious file by reputation service
endpoint "execution":""
Maps Administrative Share maps_administrative_share Mapping administrative share can be an indicator of someone trying for lateral movement or privilege escalation by using hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions endpoint "lateral movement":"windows admin shares"
Maps IPC$ Share maps_ipc$_share Mapping IPC$ share can be an indicator of someone trying for lateral movement or privilege escalation by using hidden IPC$ shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = maps ipc$ share
endpoint "lateral movement":"windows admin shares"
Mirage Malware nw22305 Detects malicious outbound traffic due to installation of Mirage malware. The HTTP_lua parser is a required dependency.

Reference this RSA Link blog post from RSA Research for more details about this threat:
https://community.rsa.com/community/products/netwitness/blog/2015/11/10/detecting-mirage-variants-us...
packet "command and control":"data encoding", "command and control":"standard application layer protocol", "command and control":"custom cryptographic protocol", "exfiltration":"data encrypted", "exfiltration":"exfiltration over command and control channel"
Misleading File Extension misleading_file_extension Misleading file extension can be an indication of someone pretending to be an authorized file extension in order to gain access or to gain greater privileges than authorized.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = misleading file extension
endpoint "defense evasion":"masquerading"
Modifies Registry Using Command-Line Registry Tool modifies_registry_using_command-line_registry_tool Modifying registry using command-line registry tool can be an indication of adversaries trying to interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in Persistence and Execution.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = modifies registry using command-line registry tool
endpoint "defense evasion":"modify registry"
Modifies Run Key modifies_run_key Modifying run key can be an indication of someone trying to use startup configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = modifies run key
endpoint "persistence":"registry run keys / startup folder"
Modifies Shell-Open-Command File Association modifies_shell-open-command_file_association File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access. Modifying shell-open-command file association can be an attempt to execute arbitrary commands in order to maintain persistence and remain undetected.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = modifies shell-open-command file association
endpoint "persistence":"change default file association"
Mshta Runs Command Prompt mshta_runs_command_prompt Mshta.exe executes Microsoft HTML Applications (HTA). Attackers can use mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. It is suspicious for Mshta to run a command prompt.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = mshta runs command prompt
endpoint "execution":"mshta", "defense evasion":"mshta"
Mshta Runs Powershell mshta_runs_powershell Mshta.exe executes Microsoft HTML Applications (HTA). Attackers can use mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. It is suspicious for Mshta to run powershell.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = mshta runs powershell
endpoint "execution":"mshta", "defense evasion":"mshta"
Mshta Runs Scripting Engine mshta_runs_scripting_engine Mshta.exe executes Microsoft HTML Applications (HTA). Attackers can use mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. It is suspicious for Mshta to execute a scripting engine.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = mshta runs scripting engine
endpoint "execution":"mshta", "defense evasion":"mshta"
Mshta Writes Executable mshta_writes_executable Mshta.exe executes Microsoft HTML Applications (HTA). Attackers can use mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. It is suspicious for Mshta to write an executable.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = mshta writes executable
endpoint "execution":"mshta", "defense evasion":"mshta"
Named Pipe into LSASS named_pipe_into_lsass Detects when a suspicious Named Pipe is created or connected to target process of LSASS. This is detected through sysmon logs and indicates probable credential dumping.

DEPENDENCIES
Log Parsers:
* At least one of the Windows log device parsers
Feeds:
* Investigation

GENERATED META KEYS
* ioc = named pipe into lsass
* inv.category = identity, threat
* inv.context = attack phase, action on objectives, lateral movement
log "credential access":"credential dumping", "execution":"lsass driver", "persistence":"lsass driver"
NetTraveler Malware nw22345 Detects malicious outbound traffic between Malware NetTraveler and command and control server. Either the HTTP_lua or HTTP native parser and traffic_flow parser is required.
Reference this RSA Link blog post from RSA Research for more details about this threat:
https://community.rsa.com/thread/185492
packet "collection":"data from information repositories", "collection":"data from local system", "exfiltration":"exfiltration over command and control channel", "exfiltration":"data encrypted", "command and control":"data encoding"
Network Access network_access A process is trying to get network access.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = network access
endpoint "command and control":""
NGINX HTTP Server nw30015 Detects web servers running nginx, which is often used for malicious purposes. log, packet "":""
No Antivirus Notification Disabled no_antivirus_notification_disabled Disabling no antivirus notification can be an indication of an adversary attempting to block indicators or event notifications, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = no antivirus notification disabled
endpoint "defense evasion":"indicator blocking"
No Firewall Notification Disabled no_firewall_notification_disabled Disabling no firewall notification can be an indication of an adversary attempting to block indicators or event notifications, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = no firewall notification disabled
endpoint "defense evasion":"indicator blocking"
No UAC Notification Disabled no_uac_notification_disabled Disabling no UAC notification can be an indication of an adversary attempting to block indicators or event notifications, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = no uac notification disabled
endpoint "defense evasion":"indicator blocking"
No Windows Update Notification Disabled no_windows_update_notification_disabled Disabling no Windows update notification can be an indication of an adversary attempting to block indicators or event notifications, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = no windows update notification disabled
endpoint "defense evasion":"indicator blocking"
Non-Microsoft Modifies Bad Certificate Warning Setting non-microsoft_modifies_bad_certificate_warning_setting Non-Microsoft modifing bad certificate warning setting can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = non-microsoft modifies bad certificate warning setting
endpoint "defense evasion":"disabling security tools"
Non-Microsoft Modifies Firewall Policy non-microsoft_modifies_firewall_policy Non-Microsoft modifing firewall policy can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = non-microsoft modifies firewall policy
endpoint "defense evasion":"disabling security tools"
Non-Microsoft Modifies Internet Zone Setting non-microsoft_modifies_internet_zone_setting Adding firewall rule can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = non-microsoft modifies internet zone setting
endpoint "defense evasion":"disabling security tools"
Non-Microsoft Modifies LUA Setting non-microsoft_modifies_lua_setting Non-Microsoft modifing LUA setting can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = non-microsoft modifies lua setting
endpoint "defense evasion":"disabling security tools"
Non-Microsoft Modifies Registry Editor Setting non-microsoft_modifies_registry_editor_setting Non-Microsoft modifing registry editor setting can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = non-microsoft modifies registry editor setting
endpoint "defense evasion":"disabling security tools"
Non-Microsoft Modifies Security Center Config non-microsoft_modifies_security_center_config Non-Microsoft modifing security center config can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = non-microsoft modifies security center config
endpoint "defense evasion":"disabling security tools"
Non-Microsoft Modifies Services ImagePath non-microsoft_modifies_services_imagepath Non-Microsoft modifing services ImagePath can be an indication of someone trying to modify an existing service to persist malware on a system by using system utilities or by using custom tools to interact with the Windows API

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = non-microsoft modifies services imagepath
endpoint "persistence":"modify existing service"
Non-Microsoft Modifies Task Manager Setting non-microsoft_modifies_task_manager_setting Non-Microsoft modifing task manager setting can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = non-microsoft modifies task manager setting
endpoint "defense evasion":"disabling security tools"
Non-Microsoft Modifies Windows System Policy non-microsoft_modifies_windows_system_policy Non-Microsoft modifieing windows system policy can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = non-microsoft modifies windows system policy
endpoint "defense evasion":"disabling security tools"
Non-Microsoft Modifies Zone Crossing Warning Setting non-microsoft_modifies_zone_crossing_warning_setting Non-Microsoft modifing zone crossing warning setting can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = non-microsoft modifies zone crossing warning setting
endpoint "defense evasion":"disabling security tools"
Non-Standard Port Use - DHCP nw60035 Identifies dhcp traffic over a port that is not typically used for dhcp packet "command and control":"uncommonly used port"
Non-Standard Port Use - FTP nw60015 ftp over ports other than TCP 21 packet "command and control":"uncommonly used port"
Non-Standard Port Use - H323 nw60095 Identifies h323 traffic over a port that is not typically used for h323. packet "command and control":"uncommonly used port"
Non-Standard Port Use - IRC nw60110 Identifies irc traffic over a port that is not typically used for irc. packet "command and control":"uncommonly used port"
Non-Standard Port Use - NetBios nw60060 Identifies netbios traffic over a port that is not typically used for netbios. packet "command and control":"uncommonly used port"
Non-Standard Port Use - NNTP nw60050 Identifies nntp traffic over a port that is not typically used for nntp. packet "command and control":"uncommonly used port"
Non-Standard Port Use - POP3 nw60045 Identifies pop3 traffic over a port that is not typically used for pop3. packet "command and control":"uncommonly used port"
Non-Standard Port Use - RIP nw60080 Identifies rip traffic over a port that is not typically used for rip. packet "command and control":"uncommonly used port"
Non-Standard Port Use - RPC nw60055 Identifies rpc traffic over a port that is not typically used for rpc. packet "command and control":"uncommonly used port"
Non-Standard Port Use - RTP nw60100 Identifies rto traffic over a port that is not typically used for rtp. packet "command and control":"uncommonly used port"
Non-Standard Port Use - SIP nw60105 Identifies sip traffic over a port that is not typically used for sip packet "command and control":"uncommonly used port"
Non-Standard Port Use - SMB nw60065 Identifies smb traffic over a port that is not typically used for smb. packet "command and control":"uncommonly used port"
Non-Standard Port Use - SMTP nw60030 Identifies smtp traffic over a port that is not typically used for smtp. packet "command and control":"uncommonly used port"
Non-Standard Port Use - SNMP nw60070 Identifies snmp traffic over a port that is not typically used for snmp. packet "command and control":"uncommonly used port"
Non-Standard Port Use - SSH nw60025 Identifies ssh traffic over a port that is not typically used for ssh. packet "command and control":"uncommonly used port"
Non-Standard Port Use - SSL nw60075 Identifies ssl traffic over a port that is not typically used for ssl. packet "command and control":"uncommonly used port"
Non-Standard Port Use - TDS nw60085 Identifies tds traffic over a port that is not typically used for tds. packet "command and control":"uncommonly used port"
Non-Standard Port Use - Telnet nw60010 telnet over ports other than TCP 23 packet "command and control":"uncommonly used port"
Non-Standard Port Use - TFTP nw60040 Identifies tftp traffic over a port that is not typically used for tftp. packet "command and control":"uncommonly used port"
Non-Standard Port Use - TNS nw60090 Identifies tns traffic over a port that is not typically used for tns. packet "command and control":"uncommonly used port"
NTDSXTRACT Tool Download nw110130 Detects an internal network session download of NTDSXTRACT. NTDSXTRACT is a tool framework for extracting data from the active directory database file NTDS.DIT.At least one of the network parsers supporting meta of action and filename is required,which may include HTTP, FTP, IRC and NFS. packet "credential access":"credential dumping"
NTP DDoS Attack 234-byte Request: Netflow nw50032 10.4 or higher.Detects UDP/123 traffic with a 234-byte payload over Netflow. This is indicative of an NTP request generated by a monlist command. log "impact":"network denial of service"
NTP DDoS Attack 234-byte Request: Packets nw50022 Detects UDP/123 traffic with a 234-byte payload. This is indicative of an NTP request generated by a monlist command. packet "impact":"network denial of service"
NTP DDoS Attack 50-byte Request: Netflow nw50030 10.4 or higher.Detects UDP/123 traffic with a 50-byte payload over Netflow. This is indicative of a potential NTP DDoS attack tool. log "impact":"network denial of service"
NTP DDoS Attack 50-byte Request: Packets nw50020 Detects UDP/123 traffic with a 50-byte payload. This is indicative of a potential NTP DDoS attack tool. packet "impact":"network denial of service"
NTP DDoS Attack 60-byte Request: Netflow nw50031 10.4 or higher.Detects UDP/123 traffic with a 60-byte payload over NetFlow. This is indicative of the NTP request size initiated by the ntpdos.py attack script. log "impact":"network denial of service"
NTP DDoS Attack 60-byte Request: Packets nw50021 Detects UDP/123 traffic with a 60-byte payload. This is indicative of the NTP request size initiated by the ntpdos.py attack script. packet "impact":"network denial of service"
NWFL_access:data-access NWFL_DataAccess NWFL App Rule to support Informer Reports log "":""
NWFL_access:privilege-escalation-failure NWFL_PrivEscalateFail NWFL App Rule to support Informer Reports log "privilege escalation":""
NWFL_access:privilege-escalation-success NWFL_PrivEscalateSuccess NWFL App Rule to support Informer Reports log "privilege escalation":""
NWFL_access:remote-failure NWFL_RemoteAccessFail NWFL App Rule to support Informer Reports log "initial access":""
NWFL_access:remote-success NWFL_RemoteAccessSuccess NWFL App Rule to support Informer Reports log "initial access":""
NWFL_access:user-access-revoked NWFL_UserAccessRevoke NWFL App Rule to support Informer Reports log "credential access":"account manipulation"
NWFL_account:account-disabled NWFL_AccountDisabled NWFL App Rule to support Informer Reports log "credential access":"account manipulation"
NWFL_account:auth-success NWFL_AuthSuccess NWFL App Rule to support Informer Reports log "credential access":""
NWFL_account:created NWFL_AccountCreated NWFL App Rule to support Informer Reports log "credential access":"account manipulation"
NWFL_account:deleted NWFL_AccountDeleted NWFL App Rule to support Informer Reports log "credential access":"account manipulation"
NWFL_account:group-management NWFL_GroupMgmt NWFL App Rule to support Informer Reports log "":""
NWFL_account:login-and-logout NWFL_LoginLogout NWFL App Rule to support Informer Reports log "credential access":""
NWFL_account:logon-failure NWFL_LoginFailure NWFL App Rule to support Informer Reports log "credential access":""
NWFL_account:logon-success NWFL_LoginSuccess NWFL App Rule to support Informer Reports log "credential access":""
NWFL_account:logon-success-direct-access NWFL_LoginDirectAccessSuccess NWFL App Rule to support Informer Reports log "credential access":""
NWFL_account:logout NWFL_Logout NWFL App Rule to support Informer Reports log "credential access":""
NWFL_account:modified NWFL_AccountModified NWFL App Rule to support Informer Reports log "credential access":"account manipulation"
NWFL_account:password-change NWFL_PasswordChange NWFL App Rule to support Informer Reports log "credential access":"account manipulation"
NWFL_account:user-accessing-file-servers NWFL_UserAccessFilesrv NWFL App Rule to support Informer Reports log "":""
NWFL_alm:cardholder-data NWFL_AccessCardholderData NWFL App Rule to support Informer Reports log "":""
NWFL_alm:error-event-types NWFL_ErrorEventTypes NWFL App Rule to support Informer Reports log "":""
NWFL_alm:firmware-config-changes NWFL_FirmwareConfigChange NWFL App Rule to support Informer Reports log "":""
NWFL_alm:inbound-network-traffic NWFL_InboundTraffic NWFL App Rule to support Informer Reports log "":""
NWFL_alm:outbound-network-traffic NWFL_OutboundTraffic NWFL App Rule to support Informer Reports log "":""
NWFL_alm:system-clock-synch NWFL_ClockSynch NWFL App Rule to support Informer Reports log "":""
NWFL_av:signature-update NWFL_AVSignatureUpdate NWFL App Rule to support Informer Reports log "":""
NWFL_av:virus-summary NWFL_AVSummary NWFL App Rule to support Informer Reports log "":""
NWFL_config:change-audit-setting NWFL_AuditSettingChange NWFL App Rule to support Informer Reports log "":""
NWFL_config:config-changes NWFL_ConfigChanges NWFL App Rule to support Informer Reports log "":""
NWFL_config:fw-config-changes NWFL_FirewallConfigChange NWFL App Rule to support Informer Reports log "defense evasion":"indicator blocking"
NWFL_config:router-change NWFL_RouterConfigChange NWFL App Rule to support Informer Reports log "":""
NWFL_encryption:failures NWFL_EncryptFailures NWFL App Rule to support Informer Reports log "":""
NWFL_encryption:key-gen-and-changes NWFL_EncryptKeyGenChanges NWFL App Rule to support Informer Reports log "":""
NWFL_encryption:success NWFL_EncryptSuccess NWFL App Rule to support Informer Reports log "":""
NWFL_fw:categories NWFL_FirewallRuleCat NWFL App Rule to support Informer Reports log "":""
NWFL_fw:inbound-network-traffic NWFL_FWInboundTraffic NWFL App Rule to support Informer Reports log "":""
NWFL_fw:outbound-network-traffic NWFL_FWOutboundTraffic NWFL App Rule to support Informer Reports log "":""
NWFL_fw:url-block NWFL_URLBlock NWFL App Rule to support Informer Reports log "":""
NWFL_fw:url-filetypes NWFL_URLFiletypes NWFL App Rule to support Informer Reports log "":""
NWFL_host:windows:account-disabled NWFL_WinAcctDisabled NWFL App Rule to support Informer Reports log "credential access":"account manipulation"
NWFL_host:windows:file-access NWFL_WinFileAccess NWFL App Rule to support Informer Reports log "":""
NWFL_host:windows:local-group-account-changes NWFL_WinLocalGrpChange NWFL App Rule to support Informer Reports log "credential access":"account manipulation"
NWFL_host:windows:user-group-account-changes NWFL_WinUsrGroupChange NWFL App Rule to support Informer Reports log "credential access":"account manipulation"
NWFL_intrusion:all-activity NWFL_IntrusionAllActivity NWFL App Rule to support Informer Reports log "":""
NWFL_ops:mailserver-errors NWFL_MailserverErrors NWFL App Rule to support Informer Reports log "":""
NWFL_wireless:AdminOperations NWFL_WirelessAdminOps NWFL App Rule to support Informer Reports log "":""
Office Application Crashed office_application_crashed Microsoft Office application crashes can happen fairly frequently, but this may be interesting in combination with other indicators involving those applications.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = office application crashed
endpoint "initial access":"spearphishing attachment"
Office Application Injects Remote Process office_application_injects_remote_process A Microsoft Office application injecting a remote process may indicate a spearphishing attachment with a malicious payload. Process injection may enable an attacker to gain access to system resources or elevate privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = office application injects remote process
endpoint "initial access":"spearphishing attachment"
Office Application Runs BITS office_application_runs_bits A Microsoft Office application running Background Intelligent Transfer Service (BITS) may indicate a spearphishing attachment with a malicious payload. BITS may be used to exfiltrate data outside the environment.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = office application runs bits
endpoint "initial access":"spearphishing attachment"
Office Application Runs Command Prompt office_application_runs_command_prompt A Microsoft Office application running the command prompt may indicate a spearphishing attachment with a malicious payload has been executed.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = office application runs command prompt
endpoint "initial access":"spearphishing attachment"
Office Application Runs Powershell office_application_runs_powershell A Microsoft Office application running powershell may indicate a spearphishing attachment with a malicious payload has been executed.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = office application runs powershell
endpoint "initial access":"spearphishing attachment"
Office Application Runs Scripted FTP office_application_runs_scripted_ftp A Microsoft Office application running scripted FTP may indicate a spearphishing attachment with a malicious payload. FTP may be used to exfiltrate data outside the environment.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = office application runs scripted ftp
endpoint "initial access":"spearphishing attachment"
Office Application Runs Scripting Engine office_application_runs_scripting_engine A Microsoft Office application running a scripting engine may indicate a spearphishing attachment with a malicious payload has been executed.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = office application runs scripting engine
endpoint "initial access":"spearphishing attachment"
Office Application Runs Task Scheduler office_application_runs_task_scheduler A Microsoft Office application running a job or scheduling a task may indicate a spearphishing attachment with a malicious payload.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = office application runs task scheduler
endpoint "initial access":"spearphishing attachment"
Office Application Runs WMI Scripting Engine office_application_runs_wmi_scripting_engine A Microsoft Office application running Windows Management Instrumentation (WMI) may indicate a spearphishing attachment with a malicious payload.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = office application runs wmi scripting engine
endpoint "initial access":"spearphishing attachment"
Office Application Writes Executable office_application_writes_executable A Microsoft Office application writing an executable may indicate a spearphishing attachment with a malicious payload.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = office application writes executable
endpoint "initial access":"spearphishing attachment"
Only ACK Flag Set in Session Containing Payload nw30005 Alerts when sessions containing payload have only ACK flag set. packet "impact":"endpoint denial of service"
Opens Browser Process opens_browser_process When a file not digitally signed by apple opens broswer process it might indicate adversary effort for process injection into browser.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = opens browser process
endpoint "collection":"man in the browser"
Opens OS Process opens_os_process This may indicate Process injection which is a method of executing arbitrary code in the address space of a separate live process. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = opens os process
endpoint "defense evasion":"process injection", "privilege escalation":"process injection"
Opens Process opens_process This may indicate Process injection which is a method of executing arbitrary code in the address space of a separate live process. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = opens process
endpoint "defense evasion":"process injection", "privilege escalation":"process injection"
OS Process Runs Command Shell os_process_runs_command_shell This rule will return any filtered Windows OS process launching either 'cmd.exe' or 'powershell.exe'.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = os process runs command shell
endpoint "execution":"powershell", "execution":"command-line interface"
Outbound from Unsigned AppData Directory outbound_from_unsigned_appdata_directory This rule will return any unsigned filtered file name which has the source of a Windows "AppData" directory that establishes an outbound network connection.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = outbound from unsigned appdata directory
endpoint "command and control":""
Outbound from Unsigned Temporary Directory outbound_from_unsigned_temporary_directory This rule will return any unsigned filtered file name which has the source of a Windows "Temp" directory that establishes an outbound network connection.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = outbound from unsigned temporary directory
endpoint "command and control":""
Outbound from Windows Directory outbound_from_windows_directory This rule will return any unsigned filtered file name which has the source of the Windows root directory that establishes an outbound network connection.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = outbound from windows directory
endpoint "command and control":""
Outbound MS Outlook PFF file nw110085 Detects outbound MS Outlook PFFs (Personal Folder Files). It does not differentiate between type of PFF (e.g.: .pst, .ost, .pab).NOTE: This depends on the Lua parser - fingerprint_pff.lua - for detecting PFF filetype. This parser needs to be enabled in order for this rule to work. log, packet "exfiltration":""
Outbound Session Greater Than 1GB outbound_session_greater_than_1gb Detects and generates meta after a session with a high percentage of payload transmitted outbound reaches 1GB, 2GB and 3GB.

VERSIONS SUPPORTED
* 10.5 and higher

CONFIGURATION
By default, the Decoders capture buffer size is 32MB. If you have modified this setting, then you may need to tune the condition for session.split within the rule. Once a session exceeds the capture buffer size, it is split into a separate session. Meta is generated on each split session called, session.split, which is incremented by a count of 1 with each new session. The default setting for the Decoder capture buffer size may be found through the NetWitness Suite UI > Administration > Services > Explore > decoder > config > capture.buffer.size.

DEPENDENCIES
Lua Parsers:
* traffic_flow
* session_analysis

GENERATED META KEYS
* boc = outbound session greater than 1gb
packet "exfiltration":""
Outbound Session Greater Than 500MB outbound_session_greater_than_500mb Detects and generates meta after a session with a high percentage of payload transmitted outbound reaches 500MB.

VERSIONS SUPPORTED
* 10.5 and higher

CONFIGURATION
By default, the Decoders capture buffer size is 32MB. If you have modified this setting, then you may need to tune the condition for session.split within the rule. Once a session exceeds the capture buffer size, it is split into a separate session. Meta is generated on each split session called, session.split, which is incremented by a count of 1 with each new session. The default setting for the Decoder capture buffer size may be found through the NetWitness Suite UI > Administration > Services > Explore > decoder > config > capture.buffer.size.

DEPENDENCIES
Lua Parsers:
* traffic_flow
* session_analysis

GENERATED META KEYS
* boc = outbound session greater than 500mb
packet "exfiltration":""
Packed packed Malware may use packing applications to repackage itself frequently to evade threat detection solutions based on static signatures.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = packed
endpoint "defense evasion":"software packing"
Packed And Autorun packed_and_autorun Adversaries use Software packing to compress or encrypt an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. To ensure persistence across reboots attackers configure to run those on system startup.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = packed and autorun
endpoint "defense evasion":"software packing"
Packed And Network Access packed_and_network_access Adversaries use software packing to compress or encrypt an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. This file is trying to gain access to the network.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = packed and network access
endpoint "defense evasion":"software packing"
Pass the Hash pass_the_hash Indicates a possible pass-the-hash attack on a Windows system configured to use the NTLM authentication protocol. The rule reduces false positives by excluding anonymous logons, domain controller and machine logons and those that are not local accounts. It is recommended to exclude the domain for which the domain controller is responsible within the rule logic, since an attacker would typically not have this information and it could increase rule accuracy.

VERSIONS SUPPORTED
NetWitness 11.3 and higher

CONFIGURATION
Customize this rule to exclude your domain from matching. To do this, modify the expression within the rule, domain.all != 'yourdomain.com'. Replace 'yourdomain.com' with the domain(s) you wish to exclude.

DEPENDENCIES
Log Parsers:
* At least one of the Windows log device parsers

Feeds:
* Investigation

GENERATED META KEYS
* ioc = pass the hash
* inv.category = identity, threat
* inv.context = attack phase, action on objectives, authentication, lateral movement
log "lateral movement":"pass the hash"
Passwords over FTP nw120010 Identifies plaintext FTP logins packet "credential access":"credential dumping"
Passwords over HTTP nw120005 Identifies plaintext HTTP logins packet "credential access":"credential dumping"
Passwords Over Other Protocols nw120030 Identifies plaintext logins with an unidentified service type. packet "credential access":"credential dumping"
Passwords Over Pop3 nw120020 Identifies plaintext pop3 logins packet "credential access":"credential dumping"
Passwords Over SMTP nw120025 Identifies plaintext SMTP logins packet "credential access":"credential dumping"
Passwords Over Telnet nw120015 Identifies plaintext telnet logins packet "credential access":"credential dumping"
Performs Scripted File Transfer performs_scripted_file_transfer Scripts may be used to transfer files over FTP during the course of an attack or for executing command and control instructions.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = performs scripted file transfer
endpoint "lateral movement":"remote file copy"
php ini checkin nw02645 Detects botnet traffic that uses PHP and .ini files for checkin traffic. log, packet "command and control":""
php put to wordpress plugin dir nw02580 Detects PHP puts to WordPress plugin directoires. This behavior has been observed by RSA as potential malware traffic. log, packet "command and control":""
Possible Login Bypass possible_login_bypass Accessibility features that may be launched with a key combination before a user has logged in . Possible login bypass can be an indicator of someone trying to modify the way these programs are launched to maintain a persistent presence on the system which can escalate privileges and create backdoor without logging in to the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = possible login bypass
endpoint "persistence":"accessibility features", "privilege escalation":"accessibility features", "privilege escalation":"image file execution options injection", "persistence":"image file execution options injection", "defense evasion":"image file execution options injection"
Possible Mimikatz Activity possible_mimikatz_activity Mimikatz has become an extremely effective attack tool against Windows clients. Mimikatz activity can be a strong indication of someone trying to dump credentials locally or remotely using powershell Mimikatz tool to be able to gain a privileged foothold, allowing them unfettered access to elevate privileges and move about the network freely without detection.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = possible mimikatz activity
endpoint "credential access":"credential dumping"
Possible RDP Session Hijacking possible_rdp_session_hijacking Possible RDP session hijacking can be indication of adversaries trying to connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries may also use RDP in conjunction with the Accessibility Features technique for Persistence or perform RDP session hijacking which involves stealing a legitimate user's remote session.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = possible rdp session hijacking
endpoint "lateral movement":"remote desktop protocol"
Possibly Configures UAC Bypass possibly_configures_uac_bypass Configuring UAC can be an indication of possible Windows User Account Control (UAC) bypass. Attacker can use these techniques to elevate privileges to administrator if the target process is unprotected. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = possibly configures uac bypass
endpoint "privilege escalation":"bypass user account control"
Possibly Renamed net.exe Detected possibly_renamed_net.exe_detected Presence of renamed net.exe can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = possibly renamed net.exe detected
endpoint "defense evasion":"masquerading"
Potential Outlook Exploit potential_outlook_exploit This rule looks for potential Outlook exploits that would leverage 'outlook.exe' launching any suspicious 'cmd.exe','powershell.exe','wscript.exe' or 'cscript.exe'

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = potential outlook exploit
endpoint "initial access":"spearphishing attachment", "initial access":"spearphishing link"
PowerShell Command Using String Manipulation powershell_command_using_string_manipulation String manipulation can be used to obfuscate PowerShell commands to escape detection. These obfuscated commands can be further used to gain access, to do lateral movement or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = powershell command using string manipulation
endpoint "execution":"powershell"
PowerShell Double Base64 powershell_double_base64 This rule will return the double Base64 encoding scheme leveraged in a lot of PowerShell attacks to evade detection.

VERSIONS SUPPORTED
* NetWitness Platform 11.4 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = powershell double base64
endpoint "execution":"powershell", "defense evasion":"deobfuscate/decode files or information", "defense evasion":"obfuscated files or information"
Powershell Injects Remote Process powershell_injects_remote_process Powershell injecting remote process can be an indication of someone trying to create and run malicious processes remotely, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = powershell injects remote process
endpoint "execution":"powershell"
Powershell Opens LSASS Process powershell_opens_lsass_process Powershell running LSASS process can be an indication of someone trying to dump credentials locally or remotely, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = powershell opens lsass process
endpoint "execution":"powershell"
Powershell Runs Command Prompt powershell_runs_command_prompt Powershell running command prompt can be an indication of someone trying to run malicious commands using to compromise the system or the user, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = powershell runs command prompt
endpoint "execution":"powershell"
Powershell Runs Scripting Engine powershell_runs_scripting_engine Powershell running scripting engine can be an indication of someone trying to run malicious scripts to compromise the system or the user, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = powershell runs scripting engine
endpoint "execution":"powershell"
Process Authorized In Firewall process_authorized_in_firewall Firewall allows process access based on details about the process and access control policy in use.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = process authorized in firewall
endpoint "defense evasion":""
Process Redirects to STDOUT or STDERR process_redirects_to_stdout_or_stderr This will return any process event that contains the launch arguments '2>&1' which will redirect STDOUT and STDERR.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = process redirects to stdout or stderr
endpoint "execution":""
Proxy Anonymous Services nw110065 Detects use of common proxy services using a list of domains matched against the alias host meta key. Use of an HTTP network parser is required. log, packet "command and control":"connection proxy"
Proxy Client Download nw110070 Detects proxy client file downloads by looking for the file name and extension within the filename meta key. Use of an HTTP network parser is required. log, packet "":""
Psexesvc Runs Powershell psexesvc_runs_powershell Psexesvc running powershell can be an indication of someone trying to execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. These techniques can also be used to maintain persistence or for privilege escalation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = psexesvc runs powershell
endpoint "execution":"service execution"
Psexesvc Runs Scripting Engine psexesvc_runs_scripting_engine Psexesvc running scripting engine can be an indication of someone trying to execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. These techniques can also be used to maintain persistence or for privilege escalation

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = psexesvc runs scripting engine
endpoint "execution":"service execution"
Psexesvc Runs Shell Commands psexesvc_runs_shell_commands Psexesvc running shell commands can be an indication of someone trying to execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. These techniques can also be used to maintain persistence or for privilege escalation

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = psexesvc runs shell commands
endpoint "execution":"service execution"
qq download client nw02615 detects download of the QQ chinese instant messaging client. log, packet "":""
Queries Cached Kerberos Tickets queries_cached_kerberos_tickets Querying cached kerberos tickets can be attempt to obtain account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = queries cached kerberos tickets
endpoint "credential access":"credential dumping"
Queries Processes On Local System queries_processes_on_local_system Processing queries on local system can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = queries processes on local system
endpoint "discovery":"process discovery"
Queries Processes On Remote System queries_processes_on_remote_system Processing queries on remote system can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = queries processes on remote system
endpoint "discovery":"process discovery"
Queries Registry Using Command-Line Registry Tool queries_registry_using_command-line_registry_tool Querying registry using command-line registry tool can be an indication of adversaries trying to interact with the Windows Registry to gather information about the system, configuration, and installed software.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = queries registry using command-line registry tool
endpoint "discovery":"query registry"
Queries Terminal Sessions queries_terminal_sessions Querying terminal sessions can be an indication of someone trying to discover potential attack vectors in the system , and the same can be used for further exploitation of the system

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = queries terminal sessions
endpoint "discovery":"system owner/user discovery"
Queries Users Logged On Local System queries_users_logged_on_local_system Querying users logged on local system can be an indication of someone trying to discover potential attack vectors in the system , and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = queries users logged on local system
endpoint "discovery":"system owner/user discovery"
Queries Users Logged On Remote System queries_users_logged_on_remote_system Querying users logged on remote system can be an indication of someone trying to discover potential attack vectors in the system , and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = queries users logged on remote system
endpoint "discovery":"system owner/user discovery"
RDP Launching Loopback Address rdp_launching_loopback_address This rule detects an attempt to setup RDP over an SSH tunnel. A compromised system could be using localhost to forward an RDP session to itself for use by an attacker.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = rdp launching loopback address
endpoint "lateral movement":"remote desktop protocol"
RDP over Non-Standard Port nw110050 Detects an RDP session over a non-standard port. packet "command and control":"uncommonly used port"
Record Screen Captures Using PSR Tool record_screen_captures_using_psr_tool Recording screen captures using PSR tool can be an indicator of an adversaries attempting to take screen captures of the desktop to gather information over the course of an operation.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = record screen captures using psr tool
endpoint "collection":"screen capture"
Registers Shim Database registers_shim_database Microsoft Windows Application Compatibility Toolkit (ACT) enables shims to be used to provide backwards compatibility for older versions of Windows or legacy applications. Malicious actors may use shims to gain persistence or elevate privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = registers shim database
endpoint "persistence":"application shimming"
Registry Tools Disabled registry_tools_disabled An administrative user has disabled access to the registry editor.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = registry tools disabled
endpoint "defense evasion":""
Regsvr32 Creates Windows Task regsvr32_creates_windows_task Regsvr32.exe is a command-line program used to register and unregister object linking such as dynamic link libraries (DLLs), on Windows systems. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. Regsvr32 creating a windows task could allow an attacker to gain control of the system by running malicious code.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = regsvr32 creates windows task
endpoint "execution":"regsvr32"
Regsvr32 Runs Powershell regsvr32_runs_powershell Regsvr32.exe is a command-line program used to register and unregister object linking such as dynamic link libraries (DLLs), on Windows systems. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = regsvr32 runs powershell
endpoint "execution":"regsvr32"
Regsvr32 Runs Rundll32 regsvr32_runs_rundll32 Regsvr32.exe is a command-line program used to register and unregister object linking such as dynamic link libraries (DLLs), on Windows systems. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. This rule detects unusual behavior in the form of registration and run of a DLL in the same command.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = regsvr32 runs rundll32
endpoint "execution":"regsvr32"
Regsvr32 Writes Executable regsvr32_writes_executable Regsvr32.exe is a command-line program used to register and unregister object linking such as dynamic link libraries (DLLs), on Windows systems. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. Regsvr32 writing an executable could indicate delivery of a backdoor to the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = regsvr32 writes executable
endpoint "execution":"regsvr32"
Remote Control Client Website nw110075 Detects use of common remote client download sites. It uses a list of domains matched against the alias host meta key. Use of an HTTP network parser is required. log, packet "persistence":"external remote services", "initial access":"external remote services"
Remote Directory Traversal remote_directory_traversal Adversary can enumerate remote share directory and files. This can be used for reconnaissance, discovery and collection.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = remote directory traversal
endpoint "discovery":"file and directory discovery"
Remote Thread into LSASS remote_thread_into_lsass Detects when a process creates remote thread into target process of LSASS. This is detected through sysmon logs and indicates probable credential dumping.

DEPENDENCIES
Log Parsers:
* At least one of the Windows log device parsers
Feeds:
* Investigation

GENERATED META KEYS
* ioc = remote thread into lsass
* inv.category = identity, threat
* inv.context = attack phase, action on objectives, lateral movement
log "credential access":"credential dumping", "execution":"lsass driver", "privilege escalation":"process injection", "defense evasion":"process injection"
RIG Exploit Kit nw22370 RIG exploit kit is suspected in the compromise of a vulnerable website due to patterns found within the query string.

DEPENDENCIES
Lua Parsers:
* HTTP Lua
* Traffic Flow Lua
Event Sources:
* Web proxy and security products such as Cisco WSA and SQUID
Feeds:
* NetWitness

GENERATED META KEYS
* ioc = rig exploit kit
* inv.category = threat
* inv.context = attack phase, exploit, malware
log, packet "initial access":"drive-by compromise", "command and control":"remote file copy", "command and control":"connection proxy"
Rogue DHCP Server Detected - Packets nw00040 Detects web traffic involving UDP/67 or 68 that is not a legitimate DHCP server. Note: Users must add legitimate DHCP servers to the RogueDHCPServerDetected feed. packet "":""
RPM Hash Mismatch rpm_hash_mismatch A hash mismatch may indicate a file has been altered from its original state and call into question its integrity. Since RPMs typically contain compiled software this could mean an attacker is trying to disguise malicious malware as legitimate. endpoint "defense evasion":"masquerading"
RPM Hash Mismatch In Important System Directory rpm_hash_mismatch_in_important_system_directory A hash mismatch may indicate a file has been altered from its original state and call into question its integrity. Since RPMs typically contain compiled software this could mean an attacker is trying to disguise malicious malware as legitimate. endpoint "defense evasion":"masquerading"
RPM Ownership Changed rpm_ownership_changed This rule will trigger for any changes in ownership of executable linked to RPM installations. Adversaries can use changed permissions for evading defenses implemented by access controls.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = rpm ownership changed
endpoint "defense evasion":"file and directory permissions modification"
RPM Permissions Changed rpm_permissions_changed This rule will trigger for any changes in permissions of executable linked to RPM installations. Adversaries can use changed permissions for evading defenses implemented by access controls.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = rpm permissions changed
endpoint "defense evasion":"file and directory permissions modification"
Rundll32 Creates Windows Task rundll32_creates_windows_task Rundll32 program can be called to execute an arbitrary binary. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = rundll32 creates windows task
endpoint "execution":"rundll32"
Rundll32 Runs Powershell rundll32_runs_powershell Rundll32 program can be called to execute an arbitrary binary. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = rundll32 runs powershell
endpoint "execution":"rundll32"
Runs ACL Management Tool runs_acl_management_tool Running ACL management tool can be an indication of someone trying to run multiple malicious commands needed to perform multi-stage attack to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs acl management tool
endpoint "execution":"command-line interface"
Runs Active Directory Service Query Tool runs_active_directory_service_query_tool Running active directory service query can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs active directory service query tool
endpoint "discovery":"remote system discovery"
Runs Binary Located In Recycle Bin Directory runs_binary_located_in_recycle_bin_directory A technique has been used by malware authors where a malicious file or process is invoked and running out of the $RECYCLE.BIN folder on Windows systems.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs binary located in recycle bin directory
endpoint "defense evasion":"hidden files and directories"
Runs Binary Located In Root Of Logical Drive runs_binary_located_in_root_of_logical_drive While the majority of programs are stored in folders on a system, it is uncommon to see a binary in the root of "C:" directory.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file boc = runs binary located in root of logical drive
endpoint "execution":""
Runs Binary Located In Root Of Program Directory runs_binary_located_in_root_of_program_directory With the ProgramData being hidden in Windows by default, the main use of this folder is for application data that is not user specific, meaning that it applies to "All Users". If malware was to be placed here, it would run on any user that would log into the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file boc = runs binary located in root of program directory
endpoint "execution":""
Runs Binary Located In Root Of Users Directory runs_binary_located_in_root_of_users_directory While the majority of programs are stored in folders on a system, it is uncommon to see a binary in the root of a users home directory and is sometimes used by malware.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file boc = runs binary located in root of users directory
endpoint "execution":""
Runs Binary Located In System Volume Information Directory runs_binary_located_in_system_volume_information_directory

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs binary located in system volume information directory
endpoint "defense evasion":"hidden files and directories"
Runs Blacklisted File runs_blacklisted_file An analyst may mark files as blacklisted within NetWitness Endpoint. If actions on an endpoint involve those blacklisted files as the destination process, then this rule will trigger.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs blacklisted file
endpoint "execution":""
Runs Certutil With Decode Arguments runs_certutil_with_decode_arguments Windows certificate managing utility program - CertUtil can install, backup, delete, manage, and perform various functions related to certificates and certificate stores in Windows. Running certutil with decode argument can be an indication of someone trying to obfuscate malicious commands to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to avoid triggering security tools

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs certutil with decode arguments
endpoint "execution":"user execution"
Runs Certutil With Encode Arguments runs_certutil_with_encode_arguments Windows certificate managing utility program - CertUtil can install, backup, delete, manage, and perform various functions related to certificates and certificate stores in Windows. Running certutil with encode argument can be an indication of someone trying to obfuscate malicious commands to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs certutil with encode arguments
endpoint "execution":"user execution"
Runs Certutil With Hashfile Arguments runs_certutil_with_hashfile_arguments Windows certificate managing utility program - CertUtil can install, backup, delete, manage, and perform various functions related to certificates and certificate stores in Windows. Running certutil with hashfile argument can be an indication of someone trying to obfuscate malicious files to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs certutil with hashfile arguments
endpoint "execution":"user execution"
Runs Chained Command Shell runs_chained_command_shell Running chained command shell can be an indication of someone trying to run multiple malicious commands needed to perform multi-stage attack to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs chained command shell
endpoint "execution":"command-line interface"
Runs Chmod runs_chmod Chmod is used to modify file and directory permissions.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs chmod
endpoint "defense evasion":"file and directory permissions modification"
Runs Credential Dumping Tools runs_credential_dumping_tools Running credential dumping tools can be indication of someone trying to bypass all credentials checks to be able to gain a privileged foothold, allowing them unfettered access to elevate privileges and move about the network freely without detection.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = loads credential dumping library
endpoint "credential access":"credential dumping"
Runs Curl runs_curl Curl is used in command lines or scripts to transfer data via URLs.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs curl
endpoint "exfiltration":"exfiltration over alternative protocol"
Runs Ditto runs_ditto Ditto copies files and directories from the Mac terminal.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs ditto
endpoint "collection":"data from local system"
Runs DNS Lookup Tool runs_dns_lookup_tool Running nslookup.exe can be used to get information about the Domain Name System (DNS) being used by the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file boc = runs dns lookup tool
endpoint "discovery":"system network configuration discovery"
Runs DNS Lookup Tool For TXT Record runs_dns_lookup_tool_for_txt_record Running nslookup.exe to query TXT records can be used to establish covert Command & Control channel to exchange commands and other malicious information. These malicious commmands can be later executed on target system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file boc = runs dns lookup tool for txt record
endpoint "discovery":"system network configuration discovery", "command and control":"commonly used port", "command and control":"standard application layer protocol"
Runs File Attributes Modification Tool runs_file_attributes_modification_tool Running file attributes modification tool can be an indication of adversaries trying use this to their advantage to hide files and folders anywhere on the system for persistence and evading a typical user or system analysis that does not incorporate investigation of hidden files.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs file attributes modification tool
endpoint "defense evasion":"hidden files and directories"
Runs File Transfer Tool runs_file_transfer_tool Running a file transfer program can be an indication of an adversary potentially performing data exfiltration to an off site location

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs file transfer tool
endpoint "exfiltration":"exfiltration over alternative protocol"
Runs forfiles.exe runs_forfiles.exe Runnnig forfiles.exe can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs forfiles.exe
endpoint "defense evasion":"indirect command execution"
Runs Graylisted File runs_graylisted_file An analyst may mark files as graylisted within NetWitness Endpoint. If actions on an endpoint involve those graylisted files as the destination process, then this rule will trigger.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs graylisted file
endpoint "execution":""
Runs Ifconfig runs_ifconfig The ifconfig utility is used to assign an address to a network interface or configure network interface parameters.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs ifconfig
endpoint "discovery":"system network configuration discovery"
Runs Kextload runs_kextload The kextload program is used to load kernel extensions (kexts). For most kexts, kextload must run as the superuser.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs kextload
endpoint "persistence":"kernel modules and extensions"
Runs Kextstat runs_kextstat Display status of loaded kernel extensions (kexts).

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs kextstat
endpoint "discovery":"system information discovery"
Runs Launchctl runs_launchctl Launchctl is used to control services.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs launchctl
endpoint "execution":"launchctl"
Runs Malicious File By Reputation Service runs_malicious_file_by_reputation_service Files reported as malicious by reputation service indicates execution of files and hashes of which are tagged as malicious.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = runs malicious file by reputation service
endpoint "execution":""
Runs Mshta With HTTP Argument runs_mshta_with_http_argument Mshta.exe executes Microsoft HTML Applications (HTA). Attackers can use mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. It is suspicious for Mshta to run with an HTTP argument.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs mshta with http argument
endpoint "execution":"mshta"
Runs Mshta With Script Argument runs_mshta_with_script_argument Mshta.exe executes Microsoft HTML Applications (HTA). Attackers can use mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. It is suspicious for Mshta to run with a script argument.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs mshta with script argument
endpoint "execution":"mshta"
Runs Msiexec with HTTP Argument runs_msiexec_with_http_argument Windows Installer msiexec, with HTTP can be used to download and install or modify malicious applications through command line.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs msiexec with http argument
endpoint "execution":""
Runs Netstat runs_netstat Netstat is a network utility tool that can be used to discover network topology, statistics and performance information.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs netstat
endpoint "discovery":"system network connections discovery"
Runs Network Configuration Tool runs_network_configuration_tool Netsh.exe is a command-line utility that will allow someone to display or change the network configuration of local or remote computer

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file boc = runs network configuration tool
endpoint "discovery":"system network connections discovery"
Runs Network Connectivity Tool runs_network_connectivity_tool Running network connectivity tool can be an indication of someone trying to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs network connectivity tool
endpoint "discovery":"remote system discovery"
Runs One Letter Executable runs_one_letter_executable A single letter file can be a potential indicator of malware or an attacker tool. When an attacker has remote access to a machine, they want to limit the amount of typing needed and will at times name a script or program to a single letter to allow quicker access.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs one letter executable
endpoint "execution":""
Runs One Letter Script runs_one_letter_script A single letter file can be a potential indicator of malware or an attacker tool. When an attacker has remote access to a machine, they want to limit the amount of typing needed and will at times name a script or program to a single letter to allow quicker access.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs one letter script
endpoint "execution":"scripting"
Runs Ping runs_ping Ping is used to see if a host is reachable on a network.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs ping
endpoint "discovery":"system network connections discovery"
Runs Powershell runs_powershell Common cyber criminals and targeted attackers heavily use PowerShell, as its flexibility makes it an ideal attack tool for windows based systems. Running powershell can be an indication of someone trying to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs powershell
endpoint "execution":"powershell"
Runs Powershell Bypassing Execution Policy runs_powershell_bypassing_execution_policy Running powershell bypassing execution policy will ignore the execution policy restrictions to run commands to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs powershell bypassing execution policy
endpoint "execution":"powershell"
Runs Powershell Decoding Base64 String runs_powershell_decoding_base64_string Running powershell decoding base64 string can be an indication of someone trying to obfuscate malicious commands to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs powershell decoding base64 string
endpoint "execution":"powershell"
Runs Powershell Defining Function runs_powershell_defining_function Running powershell defining functions can be an indication of someone trying to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs powershell defining function
endpoint "execution":"powershell"
Runs Powershell Downloading Content runs_powershell_downloading_content Attackers mainly use PowerShell as a downloader on windows based systems. Running powershell downloading content can be an indication of someone trying to download malicious payloads from internet to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs powershell downloading content
endpoint "execution":"powershell"
Runs Powershell Invoke-Mimikatz Function runs_powershell_invoke-mimikatz_function Mimikatz has become an extremely effective attack tool against Windows clients. Running powershell Invoke-Mimikatz function is an indication of someone trying to use Mimikatz to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = runs powershell invoke-mimikatz function
endpoint "execution":"powershell"
Runs Powershell Memory Stream Function runs_powershell_memory_stream_function Running powershell memory stream function can be an indication of someone trying to execute malicious I/O commands to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs powershell memory stream function
endpoint "execution":"powershell"
Runs Powershell ShellExecute Function runs_powershell_shellexecute_function Running powershell ShellExecute function can be an indication of someone trying to execute malicious shell code to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs powershell shellexecute function
endpoint "execution":"powershell"
Runs Powershell Using Encoded Command runs_powershell_using_encoded_command Running powershell using encoded command can be an indication of someone trying to obfuscate malicious commands to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs powershell using encoded command
endpoint "execution":"powershell"
Runs Powershell Using Environment Variables runs_powershell_using_environment_variables Running powershell using environment variables can be an indication of someone trying to run malicious commands with particular variables like path to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs powershell using environment variables
endpoint "execution":"powershell"
Runs Powershell With Hidden Window runs_powershell_with_hidden_window Running powershell with hidden window can be an indication of someone trying to run malicious commands in stealth mode so that powershell window is not visible to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs powershell with hidden window
endpoint "execution":"powershell"
Runs Powershell With HTTP Argument runs_powershell_with_http_argument Running powershell with HTTP argument can be an indication of someone trying to connect and render malicious commands/downloaders from internet, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs powershell with http argument
endpoint "execution":"powershell"
Runs Powershell With Long Arguments runs_powershell_with_long_arguments Running powershell with long arguments can be an indication of someone trying to run malicious powershell commands, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs powershell with long arguments
endpoint "execution":"powershell"
Runs Ps runs_ps Can be used to access process status information.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs ps
endpoint "discovery":"process discovery"
Runs PSEXEC On Remote System And Silently Accepts User License runs_psexec_on_remote_system_and_silently_accepts_user_license Running PSEXEC on remote system and silently accepting user license can be an indication of someone trying to execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. These techniques can also be used to maintain persistence or for privilege escalation

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs psexec on remote system and silently accepts user license
endpoint "execution":"service execution"
Runs PSEXEC On Remote System As SYSTEM User runs_psexec_on_remote_system_as_system_user Running PSEXEC on remote system as SYSTEM user can be an indication of someone trying to execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. These techniques can also be used to maintain persistence or for privilege escalation

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs psexec on remote system as system user
endpoint "execution":"service execution"
Runs Registry Tool runs_registry_tool Running the registry tool can be an indication of malware changing settings, adding persistence or lowering security of a system

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file boc = runs registry tool
endpoint "discovery":"query registry"
Runs Regsvr32 COM Scriplets runs_regsvr32_com_scriplets Regsvr32.exe is a command-line program used to register and unregister object linking such as dynamic link libraries (DLLs), on Windows systems. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs regsvr32 com scriplets
endpoint "execution":"regsvr32"
Runs Regsvr32 Using One Letter DLL runs_regsvr32_using_one_letter_dll Regsvr32.exe is a command-line program used to register and unregister object linking such as dynamic link libraries (DLLs), on Windows systems. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. One letter DLLs are atypical and could be a signature of an attacker.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs regsvr32 using one letter dll
endpoint "execution":"regsvr32"
Runs Regsvr32 With HTTP Argument runs_regsvr32_with_http_argument Regsvr32.exe is a command-line program used to register and unregister object linking such as dynamic link libraries (DLLs), on Windows systems. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. Regsvr32 communicating over HTTP could indicate command and control behavior.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs regsvr32 with http argument
endpoint "execution":"regsvr32"
Runs Regsvr32 Without Arguments runs_regsvr32_without_arguments Regsvr32.exe is a command-line program used to register and unregister object linking such as dynamic link libraries (DLLs), on Windows systems. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs regsvr32 without arguments
endpoint "execution":"regsvr32"
Runs Remote Execution Tool runs_remote_execution_tool Running remote execution tool can be an indication of someone trying to execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. These techniques can also be used to maintain persistence or for privilege escalation

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs remote execution tool
endpoint "execution":"service execution"
Runs Remote Powershell Command runs_remote_powershell_command Running remote powershell command can be an indication of someone trying to run malicious powershell commands remotely, which can be further used to gain access, to do lateral movement or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs remote powershell command
endpoint "execution":"powershell"
Runs robocopy.exe runs_robocopy.exe Running robocopy.exe can be indication of an adversary trying to use automated techniques for collecting internal data.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs robocopy.exe
endpoint "collection":"automated collection"
Runs Rundll32 Using One Letter DLL runs_rundll32_using_one_letter_dll Rundll32 program can be called to execute an arbitrary binary. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools. One letter DLLs are atypical and could be a signature of an attacker.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs rundll32 using one letter dll
endpoint "execution":"rundll32"
Runs Rundll32 With HTTP Argument runs_rundll32_with_http_argument Rundll32 program can be called to execute an arbitrary binary. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs rundll32 with http argument
endpoint "execution":"rundll32"
Runs Rundll32 With Javascript Argument runs_rundll32_with_javascript_argument Rundll32 program can be called to execute an arbitrary binary. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = runs rundll32 with javascript argument
endpoint "execution":"rundll32"
Runs Rundll32 Without Arguments runs_rundll32_without_arguments Rundll32 program can be called to execute an arbitrary binary. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs rundll32 without arguments
endpoint "execution":"rundll32"
Runs Scripting Engine runs_scripting_engine Running scripting engine can be an indication of someone trying to run malicious commands to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs scripting engine
endpoint "execution":"scripting"
Runs Scripting Engine In Batch Mode Using Execution Engine Argument runs_scripting_engine_in_batch_mode_using_execution_engine_argument Running scripting engine in batch mode using execution engine argument can be an indication of someone trying to run malicious commands in command-line environment to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs scripting engine in batch mode using execution engine argument
endpoint "execution":"scripting"
Runs Service Control Tool runs_service_control_tool Running the SC tool will allow the creation, deletion, query of a Windows service from the command-line

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file boc = runs service control tool
endpoint "execution":"service execution"
Runs Sh runs_sh Utility used to run shell scripts

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs sh
endpoint "execution":"scripting"
Runs Shim Database Installer runs_shim_database_installer Microsoft Windows Application Compatibility Toolkit (ACT) enables shims to be used to provide backwards compatibility for older versions of Windows or legacy applications. Malicious actors may use shims to gain persistence or elevate privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs shim database installer
endpoint "persistence":"application shimming"
Runs Suspicious File By Reputation Service runs_suspicious_file_by_reputation_service Files reported as suspicious by reputation service indicates execution of files and hashes of which are tagged as suspicious.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = runs suspicious file by reputation service
endpoint "":""
Runs Tar runs_tar Indicates a tar archive is being created.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs tar
endpoint "exfiltration":"data compressed"
Runs Tasks Management Tool runs_tasks_management_tool Running at.exe or schtask.exe allows a script, program or command to be executed at a specific date and time.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file boc = runs tasks management tool
endpoint "execution":"scheduled task"
Runs Unzip runs_unzip An archive file is being extracted with unzip tool.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs unzip
endpoint "defense evasion":"", "execution":""
Runs waitfor.exe runs_waitfor.exe Running waitfor.exe can be indication of someone trying to compromise the integrity of the security solution by adding unexpected dealys, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs waitfor.exe
endpoint "defense evasion":"indirect command execution"
Runs WMI Command-Line Tool runs_wmi_command-line_tool WMIC.exe provides command-line interface that interacts with WMI (Windows Management Instrumentation)

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs wmi command-line tool
endpoint "execution":"command-line interface"
Runs WMI Scripting Engine runs_wmi_scripting_engine Windows Management Instrumentation (WMI) is used to access management information in an enterprise environment for both local and remote systems.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file boc = runs wmi scripting engine
endpoint "execution":"windows management instrumentation"
Runs xcopy.exe runs_xcopy.exe Running xcopy.exe can be indication of an adversary trying to use automated techniques for collecting internal data.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = runs xcopy.exe
endpoint "collection":"automated collection"
Safari Fraud Website Warning Disabled safari_fraud_website_warning_disabled Safari warns you if the site you're visiting is a suspected phishing website. Disabling this setting may put your personal information at risk as you would lose visibility into sites masquerading as legitimate ones. endpoint "defense evasion":"disabling security tools"
SchoolBell Malware nw22360 The SchoolBell rule detects malware associated with ShellCrew's large scale infrastructure harvesting campaign. SchoolBell targets Windows servers running vulnerable versions of Java web containers such as JBoss and Jenkins. The associated SchoolBell rule can be used to detect the malware's callbacks from an infected host.

Both the HTTP_lua and traffic_flow parsers are required.
packet "command and control":"standard application layer protocol", "exfiltration":"exfiltration over command and control channel"
ScribD Document Upload nw110015 Detects document uploads to the site ScribD. log, packet "exfiltration":""
Scripting Addition In Process scripting_addition_in_process A scripting addition is a code library, loaded by the AppleScript scripting component instance, that implements vocabulary extending the AppleScript language. On Mac OS X the supplied osaxen live in /System/Library/ScriptingAdditions; the user may add osaxen to /Library/ScriptingAdditions or to ~/Library/ScriptingAdditions, according to the domain of their desired availability. endpoint "execution":"scripting"
Scripting Engine Injects Remote Process scripting_engine_injects_remote_process Scripting engine injecting remote process can be an indication of someone trying to create and run malicious processes to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = scripting engine injects remote process
endpoint "execution":"scripting"
Scripting Engine Runs Powershell scripting_engine_runs_powershell Common cyber criminals and targeted attackers heavily use PowerShell, as its flexibility makes it an ideal attack tool for windows based systems. Scripting engine Running powershell can be an indication of someone trying to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = scripting engine runs powershell
endpoint "execution":"scripting"
Scripting Engine Runs Regsvr32 scripting_engine_runs_regsvr32 Regsvr32.exe is a command-line program used to register and unregister object linking such as dynamic link libraries (DLLs), on Windows systems. Scripting engine runs regsvr32 can be an indication of someone trying to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = scripting engine runs regsvr32
endpoint "execution":"scripting"
Scripting Engine Runs Rundll32 scripting_engine_runs_rundll32 Scripting engine running rundll32 process can be an indication of someone trying to run malicious DLLs and placing its libraries in the memory to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = scripting engine runs rundll32
endpoint "execution":"scripting"
SecurID Cloud Add Admin securid_cloud_add_admin Raises an alert when RSA SecurID (Cloud) admin adds another admin.

VERSIONS SUPPORTED
10.6.5.x and higher
This is supported only for the SecurID Cloud platform

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document
Use the latest table-map.xml
log "credential access":"account manipulation"
SecurID Cloud API Keys Added securid_cloud_api_keys_added Raises an alert when RSA SecurID (Cloud) Access admin API keys are added.

VERSIONS SUPPORTED
10.6.5.x and higher
This is supported only for the SecurID Cloud platform

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document
Use the latest table-map.xml
log "credential access":"account manipulation"
SecurID Cloud API Keys Deleted securid_cloud_api_keys_deleted Raises an alert when RSA SecurID (Cloud) Access admin API keys are deleted or edited.

VERSIONS SUPPORTED
10.6.5.x and higher
This is supported only for the SecurID Cloud platform

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document
Use the latest table-map.xml
log "credential access":"account manipulation"
SecurID Cloud Approve Auth Failure securid_cloud_approve_auth_failure Raises an alert when RSA SecurID (Cloud) Access user approve authentication fails.

VERSIONS SUPPORTED
10.6.5.x and higher
This is supported only for the SecurID Cloud platform

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document
Use the latest table-map.xml
log "credential access":""
SecurID Cloud Approve Auth Success securid_cloud_approve_auth_success Raises an alert when RSA SecurID (Cloud) Access user approve authentication is succeeded.

VERSIONS SUPPORTED
10.6.5.x and higher
This is supported only for the SecurID Cloud platform

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document
Use the latest table-map.xml
log "credential access":""
SecurID Cloud Audit Log Config Changed securid_cloud_audit_log_config_changed Raises an alert when RSA SecurID (Cloud) admin audit log configuration is changed.

VERSIONS SUPPORTED
10.6.5.x and higher
This is supported only for the SecurID Cloud platform

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document
Use the latest table-map.xml
log "defense evasion":"indicator removal on host"
SecurID Cloud Auth Failure securid_cloud_auth_failure Raises an alert when RSA SecurID (Cloud) user authentication fails.

VERSIONS SUPPORTED
10.6.5.x and higher
This is supported only for the SecurID Cloud platform

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document
Use the latest table-map.xml
log "credential access":""
SecurID Cloud Auth Success securid_cloud_auth_success Raises an alert when RSA SecurID (Cloud) user authentication succeeds.

VERSIONS SUPPORTED
10.6.5.x and higher
This is supported only for the SecurID Cloud platform

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document
Use the latest table-map.xml
log "credential access":""
SecurID Cloud Delete Admin securid_cloud_delete_admin Raises an alert when RSA SecurID (Cloud) admin deletes another admin.

VERSIONS SUPPORTED
10.6.5.x and higher
This is supported only for the SecurID Cloud platform

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document
Use the latest table-map.xml
log "credential access":"account manipulation"
SecurID Cloud Device Register Failure securid_cloud_device_register_failure Raises an alert when RSA SecurID (Cloud) device registration fails.

VERSIONS SUPPORTED
10.6.5.x and higher
This is supported only for the SecurID Cloud platform

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document
Use the latest table-map.xml
log "":""
SecurID Cloud Device Register Success securid_cloud_device_register_success Raises an alert when RSA SecurID (Cloud) device registration succeeds.

VERSIONS SUPPORTED
10.6.5.x and higher
This is supported only for the SecurID Cloud platform

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document
Use the latest table-map.xml
log "":""
SecurID Cloud FIDO Auth Failure securid_cloud_fido_auth_failure Raises an alert when RSA SecurID (Cloud) user FIDO token authentication fails.

VERSIONS SUPPORTED
10.6.5.x and higher
This is supported only for the SecurID Cloud platform

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document
Use the latest table-map.xml
log "credential access":""
SecurID Cloud FIDO Auth Success securid_cloud_fido_auth_success Raises an alert when RSA SecurID (Cloud) user FIDO token authentication succeeds.

VERSIONS SUPPORTED
10.6.5.x and higher
This is supported only for the SecurID Cloud platform

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document
Use the latest table-map.xml
log "credential access":""
SecurID Cloud IDR Deleted securid_cloud_idr_deleted Raises an alert when RSA SecurID (Cloud) admin IDR is deleted.

VERSIONS SUPPORTED
10.6.5.x and higher
This is supported only for the SecurID Cloud platform

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document
Use the latest table-map.xml
log "":""
SecurID Cloud LDAP Auth Failure securid_cloud_ldap_auth_failure Raises an alert when RSA SecurID (Cloud) user LDAP authentication fails.

VERSIONS SUPPORTED
10.6.5.x and higher
This is supported only for the SecurID Cloud platform

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document
Use the latest table-map.xml
log "credential access":""
SecurID Cloud LDAP Auth Success securid_cloud_ldap_auth_success Raises an alert when RSA SecurID (Cloud) user LDAP authentication succeeds.

VERSIONS SUPPORTED
10.6.5.x and higher
This is supported only for the SecurID Cloud platform

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document
Use the latest table-map.xml
log "credential access":""
SecurID Cloud Trusted Location Modified securid_cloud_trusted_location_modified Raises an alert when RSA SecurID (Cloud) admin adds or modifies the trusted location.

VERSIONS SUPPORTED
10.6.5.x and higher
This is supported only for the SecurID Cloud platform

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document
Use the latest table-map.xml
log "":""
SecurID Cloud User Disabled securid_cloud_user_disabled Raises an alert when RSA SecurID (Cloud) Access user is disabled.

VERSIONS SUPPORTED
10.6.5.x and higher
This is supported only for the SecurID Cloud platform

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document
Use the latest table-map.xml
log "credential access":"account manipulation"
SecurID Cloud User Enabled securid_cloud_user_enabled Raises an alert when RSA SecurID (Cloud) Access user is enabled.

VERSIONS SUPPORTED
10.6.5.x and higher
This is supported only for the SecurID Cloud platform

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document
Use the latest table-map.xml
log "credential access":"account manipulation"
Self Signed self_signed A self-signed certificate is one signed with its own private key. This is atypical since a digital signature generally would be received from a certificate authority (CA).

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = self signed
endpoint "execution":""
Services In ProgramData Directory services_in_programdata_directory Services running out of a hidden directory indicates defense measures to hide malicious execution.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = services in programdata directory
endpoint "execution":"service execution", "defense evasion":"hidden files and directories"
Services Runs Command Shell services_runs_command_shell Services running command shell can be an indication of someone trying to create and run malicious processes to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = services runs command shell
endpoint "execution":"service execution"
Shadow IT: File Sharing Apps nw110150 Detects file sharing application usage for Box, Dropbox, Github and iCloud for potential shadow IT use. log, packet "":""
Shadow IT: Voice Chat Apps nw30050 Detects some voice and chat applications (e.g. Vonage, VOIPStudio, tinychat, and Yahoo Messenger) usage for potential shadow IT use. log, packet "":""
Small Executable nw20110 Forensic executable detection with a small session size. packet "":""
Small Executable Extension Mismatch nw20095 Indicates a forensic executable detection with a file extension that is not .exe. packet "defense evasion":"masquerading"
Small Executable No Directory nw20100 Indicates a forensic executable detection with no corresponding directory information. packet "":""
Small Executable No Host nw20090 Indicates a forensic executable detection with a small session size and no corresponding alias.host information. packet "":""
Small Executable Root Directory nw20105 Forensic executable detection from the root directory of a host. packet "execution":""
Smartscreen Filter Disabled smartscreen_filter_disabled Disabling smartscreen filter can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = smartscreen filter disabled
endpoint "defense evasion":"disabling security tools"
Spectrum Consume 1.1 App Rule spectrum_consume11 Application rule required for office document/pdf consumption packet "":""
spectrum_consume.nwr spectrum_consume Helper Rule for Spectrum packet "":""
ssh to external ssh_internal_to_external Detects when an internal IP address initiates an SSH connection to an external IP address.An SSH connection is identified by the following service=22. An Internal IP address is a private address space defined by RFC-1918. Any IP address not in the private space is considered external. packet "lateral movement":"remote services"
Starts Local Service starts_local_service Starting local service can be an indication of someone trying to create and run malicious services to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = starts local service
endpoint "execution":"service execution"
Starts RDP Service starts_rdp_service Starting RDP service can be indication of adversaries trying to connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries may also use RDP in conjunction with the Accessibility Features technique for Persistence or perform RDP session hijacking which involves stealing a legitimate user's remote session.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = starts rdp service
endpoint "lateral movement":"remote desktop protocol"
Starts Remote Service starts_remote_service Starting remote service can be an indication of someone trying to execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = starts remote service
endpoint "execution":"service execution"
Stealth Email Use Large Session nw110095 Detects a session larger than 1 MB to the following stealth mail services: Stealth Email: Alias host www.stealth-email.com, Hush Mail: With an IP destination of 65.39.178.58 or organization destination of "Peer 1 Network (USA)", Neomailbox: Alias host www.neomailbox.com, Cryptoheaven: Alias host www.cryptoheaven.com, S-mail: Alias host mail.s-mail.com packet "":""
Stops Error Reporting Service stops_error_reporting_service Stopping error reporting service can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = stops error reporting service
endpoint "defense evasion":"disabling security tools"
Stops Security Service stops_security_service Stopping security service can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = stops security service
endpoint "defense evasion":"disabling security tools"
Stops Windows Update Service stops_windows_update_service Stopping windows update service can be a indication of someone trying to compromise the integrity of the security solution by not updating latest security updates and letting system vulnerable, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = stops windows update service
endpoint "defense evasion":"disabling security tools"
strings decode download nw02565 Detects malware that uses &quot;strings.txt&quot; for command and control instructions log, packet "":""
Sudo No Password Prompt sudo_no_password_prompt The sudo user allows you to run programs with the security privileges of another user or, if no username is specified, as the superuser with root privileges. Adversaries can take advantage of this configuration to execute commands as other users or spawn processes with higher privileges. You must have elevated privileges to edit this file. endpoint "privilege escalation":"sudo"
Suspicious File By Reputation Service suspicious_file_by_reputation_service Files reported as suspicious by reputation service indicates execution of files and hashes of which are tagged as suspicious.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = suspicious file by reputation service
endpoint "execution":""
suspicious long filename get request nw02625 Detects get requests that include extremely long flienames, which is often a tactic used malware to encode information. packet "":""
suspicious php put long query nw02585 Detects puts to PHP pages that include extremly long query strings. This behavior is often indicative of botnet or malware encoded check-in traffic log, packet "command and control":"data encoding", "exfiltration":"exfiltration over command and control channel"
suspicious PHP url-encoded put nw02620 Detects PHP Puts that included URL-encoded data packet "command and control":"data encoding"
Suspicious REGSVR32.EXE Task suspicious_regsvr32.exe_task Regsvr32.exe is a command-line program used to register and unregister object linking such as dynamic link libraries (DLLs), on Windows systems. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = suspicious regsvr32.exe task
endpoint "execution":"regsvr32"
System Integrity Protection Disabled system_integrity_protection_disabled The feature for System Integrity Protection introduced in Mac OS 10.11 is intended to prevent malware from modifying protected system locations.Some low-level utilities may only function if they have unrestricted access to the file system and could be a legitimate reason for disabling the feature. However, even power users would generally have no reason to disable this setting and it would be considered a very suspicious behavior. endpoint "defense evasion":"disabling security tools"
System Restore Disabled system_restore_disabled Disabling system restore can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = system restore disabled
endpoint "defense evasion":"disabling security tools"
Taidoor Malware nw22335 Detects malicious outbound traffic between Malware Taidoor and command and control server. Either the HTTP_lua or HTTP native parser and traffic_flow parser is required.
Reference this RSA Link blog post from RSA Research for more details about this threat:
https://community.rsa.com/thread/185493
packet "command and control":"data encoding", "exfiltration":"exfiltration over command and control channel"
Task Manager Disabled task_manager_disabled Task Manager provides information about processes running on your system and their memory use. Disabling task manager may prevent a user from seeing anomalous processes.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = task manager disabled
endpoint "defense evasion":"disabling security tools"
Tasks In ProgramData Directory tasks_in_programdata_directory Tasks running out of a hidden directory indicates defense measures to hide malicious execution.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = tasks in programdata directory
endpoint "execution":"scheduled task", "defense evasion":"hidden files and directories"
tdss_rootkit_variant_beaconing app000002 Detects the beaconing activity of the TDSS Rootkit botnet. log, packet "defense evasion":"rootkit", "exfiltration":""
Tendrit Malware nw22320 Detects malicious outbound traffic between backdoor/malware Tendrit variants and command and control server. Either the HTTP_lua or HTTP native parser is required.
Reference this RSA Link blog post from RSA Research for more details about this threat: https://community.rsa.com/community/products/netwitness/blog/2016/05/09/detecting-tendrit-variants-u...
packet "command and control":"data encoding", "exfiltration":"data encrypted", "exfiltration":"exfiltration over command and control channel"
Terminates Process terminates_process Terminating process can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = terminates process
endpoint "defense evasion":"disabling security tools"
Tor Outbound nw00035 Detects an encrypted network sessions as well as log sessions to an external (non RFC-1918) IP destination that shows at least one indicator of using the Tor protocol for anonymous data access. The possible indicators of Tor are: Communication over a common Tor destination port of 9001, 9030, 9101, 9003, 9050, 9051 or communication with a known Tor tunnel node.

DEPENDENCIES
Packets:
Lua Parsers:
* traffic_flow
* TLS_lua
Feeds:
* Tor Exit Nodes
* Investigation

Logs:
Lua Parsers:
* traffic_flow
Feeds:
* Tor Exit Nodes
* Investigation
Log Parsers:
* Atleast one parser with device.class='Firewall' or device.type='rsaflow'

GENERATED META KEYS
* analysis.session= tunneling outbound tor
* inv.category = assurance
* inv.context = compliance, corporate, organizational hazard, risk
log, packet "command and control":"multilayer encryption", "command and control":"multi-hop proxy"
Torrent File Download nw70010 Detects the download of a .torrent file. log, packet "":""
Transfers File Using BITS transfers_file_using_bits Background Intelligent Transfer Service (BITS) is a Windows component used to transfer files. It has commonly been used for malware distribution.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = transfers file using bits
endpoint "lateral movement":"remote file copy"
Trojan BLT nw22300 Detects malicious outbound traffic due to installation of Trojan BLT variants. Either the HTTP_lua or HTTP native parser is required.

Reference this RSA Link blog post from RSA Research for more details about this threat: https://community.rsa.com/community/products/netwitness/blog/2015/12/04/detecting-trojanblt-variants...
packet "discovery":"system network configuration discovery", "exfiltration":"exfiltration over command and control channel", "command and control":"standard application layer protocol"
tsone dorkbot beaconing app000003 Detects hosts infected with the TSONE Dorkbot. packet "command and control":""
UAC Disabled uac_disabled Disabling UAC can be an indication of possible Windows User Account Control (UAC) bypass. Attacker can use these techniques to elevate privileges to administrator if the target process is unprotected. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = uac disabled
endpoint "privilege escalation":"bypass user account control"
Unexpected csrss.exe Parent unexpected_csrss.exe_parent Presence of unexpected csrss.exe can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unexpected csrss.exe parent
endpoint "defense evasion":"masquerading"
Unexpected Explorer.exe Destination Location unexpected_explorer.exe_destination_location Explorer.exe at unexpected location can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain greater privileges than they are authorized for. endpoint "defense evasion":"masquerading"
Unexpected explorer.exe Parent unexpected_explorer.exe_parent Presence of unexpected explorer.exe can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unexpected explorer.exe parent
endpoint "defense evasion":"masquerading"
Unexpected Explorer.exe Source Location unexpected_explorer.exe_source_location Explorer.exe at unexpected location can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain greater privileges than they are authorized for. endpoint "defense evasion":"masquerading"
Unexpected lsass.exe Parent unexpected_lsass.exe_parent Presence of unexpected lsass.exe can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unexpected lsass.exe parent
endpoint "defense evasion":"masquerading"
Unexpected lsm.exe Parent unexpected_lsm.exe_parent Presence of unexpected lsm.exe can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unexpected lsm.exe parent
endpoint "defense evasion":"masquerading"
Unexpected msdtc.exe Parent unexpected_msdtc.exe_parent Presence of unexpected msdtc.exe can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unexpected msdtc.exe parent
endpoint "defense evasion":"masquerading"
Unexpected OS Process Destination Location unexpected_os_process_destination_location An OS process at unexpected location can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain greater privileges than they are authorized for. endpoint "defense evasion":"masquerading"
Unexpected OS Process Source Location unexpected_os_process_source_location An OS process at unexpected location can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain greater privileges than they are authorized for. endpoint "defense evasion":"masquerading"
Unexpected runtimebroker.exe Parent unexpected_runtimebroker.exe_parent Presence of unexpected runtimebroker.exe can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unexpected runtimebroker.exe parent
endpoint "defense evasion":"masquerading"
Unexpected services.exe Parent unexpected_services.exe_parent Presence of unexpected services.exe can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unexpected services.exe parent
endpoint "defense evasion":"masquerading"
Unexpected smss.exe Parent unexpected_smss.exe_parent Presence of unexpected smss.exe can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unexpected smss.exe parent
endpoint "defense evasion":"masquerading"
Unexpected Svchost Arguments unexpected_svchost_arguments Presence of unexpected svchost arguments can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unexpected svchost arguments
endpoint "defense evasion":"masquerading"
Unexpected svchost.exe Parent unexpected_svchost.exe_parent Presence of unexpected svchost.exe can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unexpected svchost.exe parent
endpoint "defense evasion":"masquerading"
Unexpected taskhostw.exe Parent unexpected_taskhostw.exe_parent Presence of unexpected taskhostw.exe can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unexpected taskhostw.exe parent
endpoint "defense evasion":"masquerading"
Unexpected wininit.exe Parent unexpected_wininit.exe_parent Presence of unexpected wininit.exe can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unexpected wininit.exe parent
endpoint "defense evasion":"masquerading"
Unexpected winlogon.exe Parent unexpected_winlogon.exe_parent Presence of unexpected winlogon.exe can be an indication of someone pretending to be an authorized identity of a system in order to gain access to it or to gain elevated privileges.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unexpected winlogon.exe parent
endpoint "defense evasion":"masquerading"
Unknown Segment unknown_segment Unknown segment within a file that should be examined for malicious injection. endpoint "defense evasion":"obfuscated files or information"
Unknown Service Over DNS Port nw60115 Detects an unidentified service over a port typically used for dns traffic. packet "command and control":"commonly used port"
Unknown Service Over FTP Port nw60120 Detects an unidentified service over a port typically used for ftp traffic. packet "command and control":"commonly used port"
Unknown Service Over HTTP Port nw60125 Detects an unidentified service over a port typically used for http traffic. packet "command and control":"commonly used port"
Unknown Service Over IRC Port nw60145 Detects an unidentified service over a port typically used for irc traffic. packet "command and control":"commonly used port"
Unknown Service Over NNTP Port nw60150 Detects an unidentified service over a port typically used for nntp traffic. packet "command and control":"commonly used port"
Unknown Service Over POP3 Port nw60140 Detects an unidentified service over a port typically used for pop3 traffic. packet "command and control":"commonly used port"
Unknown Service Over SMB Port nw60155 Detects an unidentified service over a port typically used for smb traffic. packet "command and control":"commonly used port"
Unknown Service Over SMTP Port nw60135 Detects an unidentified service over a port typically used for smtp traffic. packet "command and control":"commonly used port"
Unknown Service Over SSL Port nw60165 Detects an unidentified service over a port typically used for ssl traffic. packet "command and control":"commonly used port"
Unknown Service Over Telnet Port nw60130 Detects an unidentified service over a port typically used for telnet traffic. packet "command and control":"commonly used port"
Unsigned Copies Self unsigned_copies_self A file copies itself as detected by checksum. A worm may self-replicate and spread infection.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unsigned copies self
endpoint "persistence":"", "execution":""
Unsigned Creates Remote Thread unsigned_creates_remote_thread A file that is unsigned or with an invalid signature is trying to create a remote thread into a process. Without the digital validation, this file should not be trusted without analysis.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file boc = unsigned creates remote thread
endpoint "privilege escalation":"process injection", "defense evasion":"process injection"
Unsigned Creates Remote Thread And File Hidden unsigned_creates_remote_thread_and_file_hidden This rule will return any unsigned and hidden files that leverage the Windows API "CreateRemoteThread" functionality.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unsigned creates remote thread and file hidden
endpoint "defense evasion":"process injection", "privilege escalation":"process injection", "defense evasion":"hidden files and directories", "persistence":"hidden files and directories"
Unsigned Cron Job unsigned_cron_job The software utility cron is used to schedule jobs (commands or scripts) to run periodically.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unsigned cron job
endpoint "persistence":"local job scheduling", "execution":"local job scheduling"
Unsigned Deletes Self unsigned_deletes_self A file deletes itself as detected by checksum. Malware may be attempting to hide its spread through the network.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unsigned deletes self
endpoint "defense evasion":"file deletion"
Unsigned Kext unsigned_kext Kext signature validation is a code signing requirement for all extensions and drivers located in the extensions folder. A file that is unsigned should be examined as possible malware. endpoint "defense evasion":"code signing"
Unsigned Library In Suspicious Daemon unsigned_library_in_suspicious_daemon This rule will trigger for OS MAC if an unsigned library is found associated with a suspicious daemon. Adversaries can inject libraries to be run in background processes like daemon for persistence and evasion.

VERSIONS SUPPORTED
* NetWitness Platform 11.4 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = unsigned library in suspicious daemon
endpoint "":""
Unsigned Module In Signed Process unsigned_module_in_signed_process All threads spawned from a signed process should also be signed. An unsigned module may indicate process injection. Malware commonly utilizes process injection to access system resources through which persistence and other environment modifications can be made. endpoint "defense evasion":"process injection"
Unsigned Opens LSASS unsigned_opens_lsass This rule will return any unsigned filename which opens/accesses the Windows OS process 'lsass.exe'. This type of activity can be indicitivate of credential stealers.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unsigned opens lsass
endpoint "credential access":"credential dumping"
Unsigned Reserved Name unsigned_reserved_name

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = unsigned reserved name
endpoint "defense evasion":"masquerading"
Unsigned Runs Python unsigned_runs_python An unsigned process is running a python script.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unsigned runs python
endpoint "execution":"scripting"
Unsigned Writes Executable unsigned_writes_executable A file that is unsigned or with an invalid signature is trying to write an executable. Without the digital validation, this file should not be trusted without analysis.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unsigned writes executable
endpoint "execution":"user execution"
Unsigned Writes Executable To AppDataLocal Directory unsigned_writes_executable_to_appdatalocal_directory A file that is unsigned or with an invalid signature is trying to write an executable. Without the digital validation, this file should not be trusted without analysis.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file boc = unsigned writes executable to appdatalocal directory
endpoint "execution":"user execution"
Unsigned Writes Executable To AppDataRoaming Directory unsigned_writes_executable_to_appdataroaming_directory A file that is unsigned or with an invalid signature is trying to write an executable. Without the digital validation, this file should not be trusted without analysis.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file boc = unsigned writes executable to appdataroaming directory
endpoint "execution":"user execution"
Unsigned Writes Executable To Library Application Support Directory unsigned_writes_executable_to_library_application_support_directory A file that is unsigned or with an invalid signature is trying to write an executable. Without the digital validation, this file should not be trusted without analysis.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unsigned writes executable to library application support directory
endpoint "execution":"user execution"
Unsigned Writes Executable To Library Directory unsigned_writes_executable_to_library_directory A file that is unsigned or with an invalid signature is trying to write an executable. Without the digital validation, this file should not be trusted without analysis.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unsigned writes executable to library directory
endpoint "execution":"user execution"
Unsigned Writes Executable To Library Preferences Directory unsigned_writes_executable_to_library_preferences_directory A file that is unsigned or with an invalid signature is trying to write an executable. Without the digital validation, this file should not be trusted without analysis.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unsigned writes executable to library preferences directory
endpoint "execution":"user execution"
Unsigned Writes Executable To Scripting Additions Directory unsigned_writes_executable_to_scripting_additions_directory A file that is unsigned or with an invalid signature is trying to write an executable. Without the digital validation, this file should not be trusted without analysis.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unsigned writes executable to scripting additions directory
endpoint "execution":"user execution"
Unsigned Writes Executable To System Directory unsigned_writes_executable_to_system_directory A file that is unsigned or with an invalid signature is trying to write an executable. Without the digital validation, this file should not be trusted without analysis.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unsigned writes executable to system directory
endpoint "execution":"user execution"
Unsigned Writes Executable To Var Directory unsigned_writes_executable_to_var_directory A file that is unsigned or with an invalid signature is trying to write an executable. Without the digital validation, this file should not be trusted without analysis.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unsigned writes executable to var directory
endpoint "execution":"user execution"
Unsigned Writes Executable To Windows Directory unsigned_writes_executable_to_windows_directory A file that is unsigned or with an invalid signature is trying to write an executable. Without the digital validation, this file should not be trusted without analysis.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file boc = unsigned writes executable to windows directory
endpoint "execution":"user execution"
Unsigned Writes To Autorun unsigned_writes_to_autorun An unsigned process is writing to autorun.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = unsigned writes to autorun
endpoint "persistence":"launch agent", "persistence":"launch daemon", "privilege escalation":"launch daemon", "persistence":"startup items", "privilege escalation":"startup items"
Unusual Port Utilized by Domain Controller nw00045 Detects a domain controller or directory server engaged in port activity that is outside the expected ports.For Active Directory port requirements, see the following Microsoft Windows Server article: https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx.Note: This rule must be modified to include the IP address of the local Domain Controller or Directory Server. packet "command and control":"uncommonly used port"
Uses LibNSS uses_libnss Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = uses libnss
endpoint "build capabilities":"post compromise tool development"
Uses LibPCAP uses_libpcap LibPCAP may be used by an attacker to intercept network traffic.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = uses libpcap
endpoint "build capabilities":"post compromise tool development"
Uses Mach Injection uses_mach_injection Mach_inject is a C library that enables you to inject code into an arbitrary process on Mac OS X. Injection means copying over the necessary code into the target's address space and remotely creating a new thread to execute the code. endpoint "defense evasion":"process injection"
Uses Mach Override uses_mach_override Mach_override is a C library to override one C function with another on Mac OS X. endpoint "defense evasion":"process injection"
Warning On Post Redirect Disabled warning_on_post_redirect_disabled Disabling warning on post redirect can be an indication of an adversary attempting to block indicators or event notifications, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = warning on post redirect disabled
endpoint "defense evasion":"indicator blocking"
Web Access: Pastebin nw110040 Detects the existence of "pastebin.com or post.php" in a URL string. Pastebin is a very common site for quickly distributing sensitive data, posting and retrieving malicious and benign code snippets, and is often used to post the output of competing Threat Actor Groups, usually in the form of usernames, passwords, and credit card numbers gained during successful harvesting campaigns as well as focused attacks against servers hosting the data. log, packet "command and control":"web service", "defense evasion":"web service"
Web Access: Rghost nw110035 Detects the existence of "rghost.net" in a URL string.Rghost is a very common site for quickly distributing sensitive data and posting and retrieving malicious ( as well as benign) code snippets.It is often used to post the output of competing Threat Actor Groups, usually in the form of usernames, passwords, and credit card numbers gained during successful harvesting campaigns, as well as focused attacks against servers hosting the data.Additionally, it is a large online repository for searchable malware executables log, packet "command and control":"web service", "defense evasion":"web service"
Windows Credential Harvesting Services nw05415 This rule applies to windows services being installed that are known to be used for pass the hash and brute force attacks. These may include psexec, wce, pwdump, cachedump, gsecdump. log "lateral movement":"pass the hash", "credential access":"brute force"
Windows Firewall Disabled windows_firewall_disabled Disabling firewall can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred. endpoint "defense evasion":"disabling security tools"
Windows Task Runs Powershell windows_task_runs_powershell Windows task running powershell can be an indication of someone trying to use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote execution as part of lateral movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = windows task runs powershell
endpoint "persistence":"scheduled task"
Windows Update Disabled windows_update_disabled Disabling windows update can be a indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = windows update disabled
endpoint "defense evasion":"disabling security tools"
WMIC Remote Node Activity wmic_remote_node_activity This rule returns instance of the Windows OS process 'wmic.exe' being leveraged with the '/node' parameter. With the proper credentials leveraged an attacker can get information about a system

VERSIONS SUPPORTED
* NetWitness Platform 11.3 (Investigation Only)
* NetWitness Platform 11.4 and higher (Full Support)

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = wmic remote node activity
endpoint "execution":"windows management instrumentation"
Wmiprvse Runs Command Shell wmiprvse_runs_command_shell Windows Management Instrumentation (WMI) is a component of the Microsoft Windows operating system that provides management information and control in an enterprise environment. Wmiprvse running command shell can be an indication of someone trying to run malicious commands in cmd.exe to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = wmiprvse runs command shell
endpoint "execution":"windows management instrumentation"
Wmiprvse Runs Powershell wmiprvse_runs_powershell Common cyber criminals and targeted attackers heavily use PowerShell, as its flexibility makes it an ideal attack tool for windows based systems. Wmiprvse running powershell can be an indication of someone trying to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = wmiprvse runs powershell
endpoint "execution":"windows management instrumentation"
Wmiprvse Runs Scripting Engine wmiprvse_runs_scripting_engine Windows Management Instrumentation (WMI) is a component of the Microsoft Windows operating system that provides management information and control in an enterprise environment. Wmiprvse running scripting engine can be an indication of someone trying to run malicious scripts to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = wmiprvse runs scripting engine
endpoint "execution":"windows management instrumentation"
Writes Blacklisted File writes_blacklisted_file An analyst may mark files as blacklisted within NetWitness Endpoint. If actions on an endpoint involve those blacklisted files being written, then this rule will trigger.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = writes blacklisted file
endpoint "execution":""
Writes Executable To Recycle Bin Directory writes_executable_to_recycle_bin_directory A technique has been used by malware authors where a malicious file or process is invoked and running out of the $RECYCLE.BIN folder on Windows systems. Adversaries can use this to their advantage to hide files and folders anywhere on the system for persistence and evading a typical user or system analysis that does not incorporate investigation of hidden files.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = writes executable to recycle bin directory
endpoint "defense evasion":"hidden files and directories"
Writes Executable To Root Of Logical Drive writes_executable_to_root_of_logical_drive A file that is unsigned or with an invalid signature is trying to write an executable. Without the digital validation, this file should not be trusted without analysis.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file boc = writes executable to root of logical drive
endpoint "execution":"user execution"
Writes Executable To Root Of Program Directory writes_executable_to_root_of_program_directory A file that is unsigned or with an invalid signature is trying to write an executable. Without the digital validation, this file should not be trusted without analysis.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file boc = writes executable to root of program directory
endpoint "execution":"user execution"
Writes Executable To Root Of Users Directory writes_executable_to_root_of_users_directory A file that is unsigned or with an invalid signature is trying to write an executable. Without the digital validation, this file should not be trusted without analysis.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file boc = writes executable to root of users directory
endpoint "execution":"user execution"
Writes Executable To System Volume Information Directory writes_executable_to_system_volume_information_directory

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = writes executable to system volume information directory
endpoint "defense evasion":"hidden files and directories"
Writes Graylisted File writes_graylisted_file An analyst may mark files as graylisted within NetWitness Endpoint. If actions on an endpoint involve those graylisted files being written, then this rule will trigger.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = writes graylisted file
endpoint "execution":""
Writes Malicious File By Reputation Service writes_malicious_file_by_reputation_service Files reported as malicious by reputation service indicates execution of files and hashes of which are tagged as malicious.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = writes malicious file by reputation service
endpoint "execution":""
Writes Suspicious File By Reputation Service writes_suspicious_file_by_reputation_service Files reported as suspicious by reputation service indicates execution of files and hashes of which are tagged as suspicious.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = writes suspicious file by reputation service
endpoint "execution":""