RSA Admin

Detecting Redkit using Security Analytics

Discussion created by RSA Admin Employee on Oct 9, 2013

Hi all,


I was wondering whether anyone has any Security Analytics custom drills that are good at narrowing down sessions associated specifically with Redkit exploit pack while filtering out benign traffic? I was previously using NetWitness and the following custom regex to identify potential URLs which may be Redkit landing pages or exploit downloads:


filename regex [a-z0-9]{4}\.html\?.

filename regex [a-z]{4}\.html?\?[a-z]=[0-9]+$

action = get && (filename regex [a-z0-9]{4}\.jar\?.|| [a-z0-9]{4}\.jnlp\?.)


I was wondering if anyone knows any other IoCs which could be used to pinpoint potential Redkit infections, or as a starting point to home in on suspicious sessions which can then be narrowed down with additional drills?


Cheers


Kit
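As an added example (not part of the original post, and not Security Analytics or NetWitness code), the three drill patterns from the post rewritten as Python regexes and run over constructed HTTP sessions; it assumes the NetWitness "filename" key corresponds to the last URL path segment plus its query string, and the sample URLs are made up. It also shows why the unanchored first pattern fires on a benign-looking name while the `$`-anchored second one does not.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# The post's drill regexes as Python patterns. The third drill
# ("action = get && (... jar ... || ... jnlp ...)") is split into two
# patterns that are only evaluated for GET requests.
PATTERNS = {
    "landing_html": re.compile(r"[a-z0-9]{4}\.html\?."),
    "landing_html_anchored": re.compile(r"[a-z]{4}\.html?\?[a-z]=[0-9]+$"),
    "jar_download": re.compile(r"[a-z0-9]{4}\.jar\?."),
    "jnlp_download": re.compile(r"[a-z0-9]{4}\.jnlp\?."),
}
GET_ONLY = {"jar_download", "jnlp_download"}


def filename_of(url: str) -> str:
    """Last path segment plus query string (assumed 'filename' semantics)."""
    parts = urlsplit(url)
    name = parts.path.rsplit("/", 1)[-1]
    return name + ("?" + parts.query if parts.query else "")


def classify(method: str, url: str) -> List[str]:
    """Return the names of the drill patterns this request matches."""
    fname = filename_of(url)
    hits = []
    for name, rx in PATTERNS.items():
        if name in GET_ONLY and method.upper() != "GET":
            continue  # mirrors the 'action = get' condition
        if rx.search(fname):
            hits.append(name)
    return hits


# Constructed sample sessions (method, url); not real captures.
SAMPLE_SESSIONS = [
    ("GET", "http://example.test/abcd.html?j=123"),   # landing-page shape
    ("GET", "http://example.test/x9k2.jar?p=1"),      # jar download shape
    ("POST", "http://example.test/x9k2.jar?p=1"),     # same name, not a GET
    ("GET", "http://example.test/index.html?page=2"), # benign-looking name
    ("GET", "http://example.test/ab12.jnlp?q"),       # jnlp download shape
]


def run(sessions=SAMPLE_SESSIONS) -> Dict[str, List[str]]:
    """Map each 'METHOD url' to the drill names it triggers."""
    return {f"{m} {u}": classify(m, u) for m, u in sessions}


if __name__ == "__main__":
    for session, hits in run().items():
        print(f"{session:50} -> {hits or 'no match'}")
```

Note that `index.html?page=2` trips `landing_html` because `[a-z0-9]{4}` happily matches "ndex"; adding anchors or a leading path separator is what keeps that drill from pulling in ordinary pages.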
