February 2022 Installment of the NetWitness Threat Research Intelligence & Content Update

Will_G (Frequent Contributor)
2022-03-01 04:52 PM

Introduction

Welcome to the February 2022 installment of the NetWitness Threat Research Intelligence & Content update. Our intention is to produce a monthly retroactive roll-up that outlines what is new, and what has changed, within NetWitness Threat Intelligence Content across our portfolio.

More frequent communications will occur as events related to threat actor activity (their patterns of behavior, their tooling & infrastructure, their attacks, their operations, and their campaigns) become available. The following points will factor into the frequency of such communications, although other considerations may influence our communication cadence as well:

  • The subject and nature of the event(s)
  • The severity and global relevance/impact of the event(s)
  • The threat actors/adversaries associated with the event(s)
  • Our evolving understanding of the events and the actors, along with the salient details related to them
  • Our ability to address them via machine-readable threat intelligence (MRTI) content, resulting in advanced detection capabilities
  • Our readiness to divulge and publish

As we continue this effort throughout the year, we believe that we will demonstrate what has historically made NetWitness unique among its peers in industry throughout the world, in addition to what separates us from our peers today. Our threat research intelligence content has historically differentiated us from our competitors. There is zero question in our minds that it remains a key differentiator for us and our customers. We are committed to seeing it evolve while we once again take our place among the industry’s luminaries with an authoritative voice and position. Our content will continue to mature, becoming more intelligently packaged than in previous periods of our history. These bundles will aid our customers in spending their time where it matters most – on monitoring for and responding to threats once they are detected, while continually increasing their visibility across their network environments both on and off premise.

Critical to our success will be the increasing efforts in both alignment and execution with the NetWitness Global Incident Response Practice. Together, we believe that we represent a formidable capability and threat to adversaries threatening the risk postures of our customers and clients the world over. Our commitment to collaboration, fueled by our passion for the work that we do, has brought to bear a new era that will see us operating in a symbiotic fashion for the betterment of our business and, most importantly, our customers. Lastly, we would like to share that the format and nature of this monthly update will change over time, so please do not be alarmed if you see evolutions on this front as well. We are excited to have you join us on this journey and believe that together we can work towards a safer, more secure tomorrow.

 

Content Within NetWitness LIVE!...a Quick Refresher

Within the NetWitness LIVE! platform there are two (2) functional repositories where content is uploaded and stored for use by our customers. The first, labeled today as ‘RSA’, is where all production-grade content that is and has been created by our teams is uploaded and curated over time. This content is the result of internal research work yielding actionable machine-readable content that includes:

  • Application rules
  • Packet parsers
  • NetWitness Reports
  • Event Stream Analysis (ESA) Rules
  • Feeds
  • Packs/Bundles

The second repository found in NetWitness LIVE! is labeled today as ‘COMMUNITY’ [BETA]. There exist two (2) principal categories of content contained within this repository today. The first category is content created by members of the NetWitness community who elect to share it with their peers via NetWitness LIVE! These community members may include NetWitness employees who are not members of the threat research and intelligence team, partners, or customers. A further difference between this type of content and production content is that it is not rigorously assessed and/or quality-assurance tested in the same way that production content is before it is uploaded and made available for consumption within the NetWitness LIVE! platform. The second category is open-source content, certain types of which may be found within the ‘COMMUNITY’ [BETA] repository today. This repository may include all the previously mentioned types of content in addition to other forms of content such as YARA rules.

During the month of February, the NetWitness Threat Research Intelligence team kicked off an initiative that focuses on content hygiene. Work within this initiative centers on assessing all current threat research and intelligence content for the following:

  • Logic
  • Efficacy/effectiveness
  • Relevance
  • Age
  • Dependencies

This initiative is scheduled to run through the month of March 2022. Upon its conclusion, an announcement will be communicated to NetWitness customers that specifies which pieces of content have been identified and selected for End of Life (EoL)/deprecation, along with other relevant data such as the date(s) when such changes will be made and finalized.

 

Production Content: Adjustments to Pre-Existent Content

During the month of February 2022, the following pre-existing content was adjusted for better detection and broader support:

Packet Parsers

Proxy_Block_Page

Parses proxy denied exception pages. Registers the URL that was requested and the reason for denial. Blue Coat and Palo Alto are currently supported. Extraction of 'username' is supported for Palo Alto only, not Blue Coat. Customized exception pages may not be detected and parsed.

 

Production Content: New

During the month of February 2022, we released the following new pieces of content. These new additions fell into two categories: application rules (app rules) and Event Stream Analysis (ESA) rules.

Application Rules

InstallerFileTakeover File Create Event

Detects signs of the Local Privilege Escalation CVE-2021-41379/CVE-2021-43883 via the InstallerFileTakeover exploit, where the activity includes an msiexec process.

InstallerFileTakeover Privilege Escalation POC

Detection for the Windows Installer Privilege Escalation POC (CVE-2021-41379) released by Abdelhamid Naceri.

 

GCP - Firewall rule modified

This rule detects important changes made to firewall configuration within a GCP Account.

GCP - VPC modified

This rule detects important changes made to VPC configuration within a GCP Account.

GCP - Unauthorized account activity

This rule detects unauthorized operations in a GCP Account.

AWS - Security group or network acl modified

This rule detects important changes made to security groups or network ACLs within an AWS Account.

AWS - Network route modified

This rule detects important changes made to network routes, which include local, VPN, and transit gateway routes, within an AWS Account.

AWS - VPC flow logs modified

This rule detects important changes made to VPC Flow Logs within an AWS Account.

GCP - Admin privileges to service account

This rule triggers when admin or service owner privileges are assigned to a service account by a user entity in a GCP Account.

GCP - Multiple vm instances created

This rule triggers when 5 or more VM instances are launched within a single request by a single user entity in a GCP Account.

GCP - Critical changes to logging

This rule detects critical changes made to Pub/Sub or Logging Sources within a GCP Account.

AWS - VPC modified

This rule detects important changes made to a VPC and its configuration within an AWS Account.

Known BazarLoader GET Request

BazarLoader (also known as Baza or BazaLoader) is a fileless malware thought to be developed by the same group responsible for TrickBot. This particular backdoor employs a diverse set of delivery mechanisms including, but not limited to, exe files, macro-enabled Windows documents, and compromised installers. This rule helps to detect BazarLoader C2 communication.

GCP - Network route modified

This rule detects important changes made to Network Route Configuration within a GCP Account.

 

Event Stream Analysis (ESA) Rules

GCP - Multiple service accounts created within a short period of time

This rule triggers when the specified number of Service Accounts are created within the specified amount of time in a GCP Account.

GCP - Buckets enumerated

This rule triggers when the specified number of buckets are listed by a single user entity within the specified amount of time in a GCP Account. Please note that the Admin Read permission needs to be enabled within Audit Logging for Google Cloud Storage for this detection to work.

GCP - Multiple custom roles deleted within a short period of time

This rule triggers when the specified number of Custom IAM Roles are deleted within the specified amount of time in a GCP Account.

GCP - Mass copy objects

This rule triggers when the specified number of storage objects are copied by a single user entity within the specified amount of time in a GCP Account. Please note that the Data Read & Data Write permissions need to be enabled within Audit Logging for Google Cloud Storage for this detection to work.

GCP - Multiple custom roles created within a short period of time

This rule triggers when the specified number of Custom IAM Roles are created within the specified amount of time in a GCP Account.

GCP - Multiple service account keys created within a short period of time

This rule triggers when the specified number of service account keys are created within the specified amount of time in a GCP Account.

 

GCP - Multiple API services modified within a short period of time

This rule triggers when the specified number of API Service Endpoints are modified within the specified amount of time in a GCP Account.

GCP - Mass delete objects

This rule triggers when the specified number of storage objects are deleted by a single user entity within the specified amount of time in a GCP Account. Please note that the Data Read & Data Write permissions need to be enabled within Audit Logging for Google Cloud Storage for this detection to work.

GCP - Multiple project ownership invites created within a short period of time

This rule triggers when the specified number of invites are sent out for project ownership within the specified amount of time in a GCP Account.

GCP - Multiple service accounts deleted within a short period of time

This rule triggers when the specified number of Service Accounts are deleted within the specified amount of time in a GCP Account.

GCP - Multiple vm instances created in multiple zones within a short period of time

This rule triggers when the specified number of VM instances are created in multiple zones within the specified amount of time in a GCP Account.

GCP - Multiple vm instances created within a short period of time

This rule triggers when the specified number of VM instances are created within the specified amount of time in a GCP Account.

GCP - Multiple vm instances deleted within a short period of time

This rule triggers when the specified number of VM instances are deleted within the specified amount of time in a GCP Account.
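The ESA rules above share one pattern: a count of one kind of GCP audit event, per user entity, reaching a threshold inside a time window. The following Python is an added illustration of that sliding-window logic over constructed Cloud Audit Log records; it is not NetWitness ESA code, and the methodName strings, the threshold and the window length are assumptions rather than values taken from the rules.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed Cloud Audit Log methodName values (not taken from the rule files).
KEY_CREATE = "google.iam.admin.v1.CreateServiceAccountKey"
BUCKET_LIST = "storage.buckets.list"
# ESA rule name -> the audit-log method it watches.
WATCHED = {
    "GCP - Multiple service account keys created within a short period of time": KEY_CREATE,
    "GCP - Buckets enumerated": BUCKET_LIST,
}

def detect(events, threshold, window_seconds):
    """Return (rule, principal, first_ts, last_ts) alerts.

    Fires when one principal produces `threshold` watched events inside any
    `window_seconds` span; the per-principal window is cleared after firing
    so a single burst yields a single alert.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # (rule, principal) -> timestamps in window
    alerts = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        ts = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
        principal = ev["protoPayload"]["authenticationInfo"]["principalEmail"]
        method = ev["protoPayload"]["methodName"]
        for rule, watched in WATCHED.items():
            if method != watched:
                continue
            q = recent[(rule, principal)]
            q.append(ts)
            while ts - q[0] > window:  # evict events older than the window
                q.popleft()
            if len(q) >= threshold:
                alerts.append((rule, principal, q[0].isoformat(), ts.isoformat()))
                q.clear()
    return alerts

def make_event(ts, principal, method):
    """Build a minimal constructed Cloud Audit Log record (not real telemetry)."""
    return {"timestamp": ts, "protoPayload": {"methodName": method,
            "authenticationInfo": {"principalEmail": principal}}}

# Constructed sample: alice bursts key creation, bob lists buckets slowly.
SAMPLE_EVENTS = [
    make_event("2022-02-14T10:00:00Z", "alice@example.com", KEY_CREATE),
    make_event("2022-02-14T10:00:20Z", "alice@example.com", KEY_CREATE),
    make_event("2022-02-14T10:00:45Z", "alice@example.com", KEY_CREATE),
    make_event("2022-02-14T10:01:00Z", "bob@example.com", KEY_CREATE),
    make_event("2022-02-14T10:05:00Z", "bob@example.com", BUCKET_LIST),
    make_event("2022-02-14T10:09:00Z", "bob@example.com", BUCKET_LIST),
    make_event("2022-02-14T10:13:00Z", "bob@example.com", BUCKET_LIST),
]
```

With a threshold of 3 and a 120-second window only alice's key-creation burst fires; widening the window to 600 seconds also catches bob's slow bucket enumeration, which is the tuning trade-off these rules expose.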

 

Community

Application Rules

Log4J Exploit Attempt

Detects Log4j exploit attempts that can lead to RCE (CVE-2021-44228) via web requests.

SysJoker Persistence

SysJoker masquerades as a system update and generates its C2 by decoding a string retrieved from a text file hosted on Google Drive. This endpoint app rule reports when SysJoker creates persistence by adding an entry to the registry run key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run in Windows.

SysJoker Backdoor Detected

SysJoker masquerades as a system update and generates its C2 by decoding a string retrieved from a text file hosted on Google Drive. This endpoint app rule reports files and folders created by the SysJoker malware in Microsoft Windows. It creates the C:\ProgramData\SystemData\ directory and copies itself under this directory, masquerading as igfxCUIService.exe (igfxCUIService stands for Intel Graphics Common User Interface Service).
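As an added illustration (not the Community app rules themselves), the following Python applies the two SysJoker indicators described above to constructed endpoint events. The event field names, the HKCU alias handling and the assumption that the Run value's data points at the copy under C:\ProgramData\SystemData\ are mine, not taken from the rules.

```python
# Indicators taken from the two SysJoker app-rule descriptions above.
SYSJOKER_DIR = r"C:\ProgramData\SystemData"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

def _norm(text):
    """Lower-case and strip quotes/trailing separators: Windows paths and
    registry keys are case-insensitive and often appear quoted in value data."""
    return text.strip().strip('"').rstrip("\\").lower()

def _norm_key(key):
    """Accept the short HKCU alias as well as the full hive name."""
    key = _norm(key)
    return "hkey_current_user" + key[4:] if key.startswith("hkcu\\") else key

def _in_sysjoker_dir(path):
    path, base = _norm(path), _norm(SYSJOKER_DIR)
    return path == base or path.startswith(base + "\\")

def classify(event):
    """Return the app rule an endpoint event would match, or None.
    Assumed event shape: {"action": createFile|createDirectory|registrySet,
    "path": ..., "key": ..., "value_data": ...}."""
    action = event["action"]
    if action in ("createFile", "createDirectory") and _in_sysjoker_dir(event["path"]):
        # Anything dropped under C:\ProgramData\SystemData\ (e.g. the copy
        # masquerading as igfxCUIService.exe) is reported as the backdoor.
        return "SysJoker Backdoor Detected"
    if action == "registrySet" and _norm_key(event["key"]) == _norm_key(RUN_KEY):
        # Assumption: the Run value's data launches the copy inside that directory.
        if _in_sysjoker_dir(event["value_data"]):
            return "SysJoker Persistence"
    return None

def scan(events):
    """Return (action, rule) pairs for every event that matches a rule."""
    hits = []
    for event in events:
        rule = classify(event)
        if rule:
            hits.append((event["action"], rule))
    return hits

# Constructed endpoint events, not captured telemetry.
SAMPLE_EVENTS = [
    {"action": "createDirectory", "path": r"C:\ProgramData\SystemData"},
    {"action": "createFile", "path": r"C:\ProgramData\SystemData\igfxCUIService.exe"},
    {"action": "registrySet", "key": RUN_KEY, "value_name": "igfxCUIService",
     "value_data": r'"C:\ProgramData\SystemData\igfxCUIService.exe"'},
    {"action": "registrySet", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDrive",
     "value_data": r'"C:\Users\me\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"action": "createFile", "path": r"C:\Users\me\Downloads\report.pdf"},
]
```

The benign OneDrive Run entry and the unrelated file creation produce no hit, which is the false-positive check worth keeping when porting such indicators into an app rule.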

 

Open-Source Content

Malware, Malicious Code and APT Open Source YARA Rules

The following corpus of YARA rules focuses on the detection, identification, and analysis of various forms and types of malicious code & content (malware) and, in some cases, the threat actors/adversaries associated with their use and proliferation. These YARA rules have been collected from the open-source community and are being made available to our customers via our NetWitness Live Community capability.

© 2022 RSA Security LLC or its affiliates. All rights reserved.