RSA Application Rules

Document created by RSA Information Design and Development Employee on Feb 14, 2020
Version 1
The following table lists all of the delivered RSA Application Rules.

For syntax and examples for application rules, see Application Rules Cheat Sheet.

Note: For content that has been discontinued, see Discontinued Content.

If you want to view only Endpoint application rules, click here: RSA Application Rules for Endpoint.

Each entry below lists the rule's Display Name, File Name, Description, Medium, and Tag.

Display Name: Accesses Administrative Share Using Command Shell
File Name: accesses_administrative_share_using_command_shell
Description: Accessing an administrative share using a command shell can be an indicator of someone attempting lateral movement or privilege escalation through hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. This rule is supported for Windows 8 and higher versions.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = accesses administrative share using command shell
Medium: endpoint
Tag: "lateral movement":"windows admin shares"

Display Name: Activates BITS Job
File Name: activates_bits_job
Description: Background Intelligent Transfer Service (BITS) is a Windows component used to transfer files. It has commonly been used for malware distribution.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = activates bits job
Medium: endpoint
Tag: "lateral movement":"remote file copy"

Display Name: Adds Files To BITS Download Job
File Name: adds_files_to_bits_download_job
Description: Background Intelligent Transfer Service (BITS) is a Windows component used to transfer files. It has commonly been used for malware distribution.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* ioc = adds files to bits download job
Medium: endpoint
Tag: "lateral movement":"remote file copy"

Display Name: Adds Firewall Rule
File Name: adds_firewall_rule
Description: Adding a firewall rule can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or making forensic analysis and incident response more difficult because there is insufficient data to determine whether an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = adds firewall rule
Medium: endpoint
Tag: "defense evasion":"disabling security tools"

Display Name: Allocates Remote Memory
File Name: allocates_remote_memory
Description: On a Mac, a process not signed by Apple has allocated memory in another process. Most allocations occur only within the same process and by processes signed by Apple. This generally indicates an attempt to inject code or data into another process, which may be a first step in reinforcing a malicious presence on a system.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = allocates remote memory
Medium: endpoint
Tag: "defense evasion":"process injection", "privilege escalation":"process injection"

Display Name: Antivirus Disabled
File Name: antivirus_disabled
Description: Disabling antivirus can be an indication of someone trying to compromise the integrity of the security solution, causing events to go unreported, or making forensic analysis and incident response more difficult because there is insufficient data to determine whether an incident occurred.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* eoc = antivirus disabled
Medium: endpoint
Tag: "defense evasion":"disabling security tools"

Display Name: Archive Extension Mismatch
File Name: nw20080
Description: Creates meta when an archive file is detected without an archive file extension.

VERSIONS SUPPORTED
* 10.5 and higher

DEPENDENCIES
Lua Parsers:
* fingerprint_zip
* fingerprint_gzip
* fingerprint_7zip
* fingerprint_rar_lua
Feeds:
* investigation

GENERATED META KEYS
* alert.id = 'nw20080'
* analysis.session = 'archive extension mismatch'
Medium: packet
Tag: "defense evasion":"masquerading"

Display Name: Archive From IP Address
File Name: nw20085
Description: An archive retrieved directly from an IP address with no corresponding alias.host meta. Often indicative of a second-stage tool download after a foothold has been established.
Medium: packet
Tag: "command and control":"remote file copy"

Display Name: Archiving Software Reads Multiple Documents
File Name: archiving_software_reads_multiple_documents
Description: Multiple documents being read could be an indication of someone creating a large archive.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = archiving software reads multiple documents
Medium: endpoint
Tag: "exfiltration":"data compressed"

Display Name: Attachment Overload
File Name: nw00005
Description: Rule looks for more than 4 attachme