Introduction
As part of a larger content hygiene initiative begun earlier this year, we have concluded the second phase which focused exclusively on EDR (endpoint) application rules. During phase II of this initiative, special emphasis was placed on the following:
What Took Place
During Phase II we focused exclusively on application rules related to our EDR (Endpoint) offering. We examined 514 rules to ensure that our current and prospective endpoint customers experience the highest degree of quality. As a result, we modified (logically and contextually) 468 rules (90 of which have been renamed to remove any ambiguity previously associated with them) and elected to remove 23 from our content corpus due to issues associated with quality, effectiveness, and overarching performance.
Important changes of note include, but are not limited to, the following rules:
| Original Rule Name | Renamed To |
| --- | --- |
| Adds Firewall Rule | Adds Windows Firewall Rule |
| Allocates Remote Memory | Allocates Remote Memory on MacOS |
| Antivirus Disabled | Windows Antivirus Disabled |
| Autorun Unsigned BHO | Autorun Unsigned Browser Helper Object |
| Builds Script Incrementally | Enacts Script Like Behavior |
| Combines Binaries Using Command Prompt | Runs Commands Using Multiple Binaries |
| Command Shell Copy Items | Cmd or Powershell Copy Items Recursively |
| Command Shell Runs Rundll32 | Cmd or Powershell Runs RunDLL32 with No Arguments |
| Creates Browser Extension | Unsigned MacOS File Creates Browser Extension |
| Creates Remote Process Using WMI Command-Line Tool | Creates Remote Process Using WMIC |
| Deletes Firewall Rule | Deletes Windows Firewall Rule |
| Dyld Inserted | Dynamic MacOS Library Loaded |
| Execute DLL Through Rundll32 | Unsigned DLL Executed Through Rundll32 |
| Gets Current Username | Enumerates User Logged On The Local System |
| Gets Hostname | Enumerates Hostname of Local System |
| LD Preload | Potential Dynamic Linker Hijack Using LD Preload |
| Login Bypass Configured | Login Bypass Configured Using Accessibility Feature |
| Non-Microsoft Modifies Bad Certificate Warning Setting | Modifies Windows Certificate Warning Setting |
| Non-Microsoft Modifies Firewall Policy | Modifies Windows Firewall Registry Setting |
| Non-Microsoft Modifies Internet Zone Setting | Modifies Windows Internet Zone Setting |
| Non-Microsoft Modifies LUA Setting | Modifies Windows Limited User Account Setting |
| Non-Microsoft Modifies Registry Editor Setting | Modifies Windows Registry Editor Setting |
| Non-Microsoft Modifies Security Center Config | Modifies Windows Security Center Config |
| Non-Microsoft Modifies Services ImagePath | Modifies Windows Services Imagepath |
| Non-Microsoft Modifies Task Manager Setting | Modifies Windows Task Manager Registry Setting |
| Non-Microsoft Modifies Windows System Policy | Modifies Windows System Policy |
| Non-Microsoft Modifies Zone Crossing Warning Setting | Modifies Windows Zone Crossing Setting |
| Opens Browser Process | Non-Apple Signed File Opens Browser Process |
| OS Process Runs Command Shell | Windows Executable Runs Command Shell |
| Packed | Packed Linux or Mac File |
| Packed And Autorun | Autorun Packed File on MacOS |
| Packed And Network Access | Packed File Network Access on MacOS |
| Performs Scripted File Transfer | Executes FTP Commands using Input Text File |
| Possibly Configures UAC Bypass | Potential Windows User Account Control Bypass |
| Powershell Injects Remote Process | Powershell Creates Remote Process |
| Process Authorized In Firewall | Process Authorized In Windows Firewall |
| Psexesvc Runs Shell Commands | Psexesvc Runs Windows Command Shell |
| Queries Cached Kerberos Tickets | Lists Cached Kerberos Tickets |
| Queries Registry Using Command-Line Registry Tool | Queries Registry using reg.exe |
| Queries Terminal Sessions | Queries Terminal Sessions Using Qwinsta.exe |
| Queries Users Logged On Local System | Queries Users Logged On Local Windows System |
| Queries Users Logged On Remote System | Queries Users Logged On Remote Windows System |
| RDP Launching Loopback Address | Launches RDP over SSH Tunnel |
| Record Screen Captures Using PSR Tool | Windows Problem Steps Recorder Command-Line Execution |
| Remote Directory Traversal | Lists Directory Structure of a Path |
| Runkey Persistence | Unsigned File Creates Run Key |
| Runs Binary Located In Recycle Bin Directory | Runs Binary from Windows Recycle Bin |
| Runs Chmod | Runs Chmod on MacOS |
| Runs Curl | Runs Curl on MacOS |
| Runs Ditto | Runs Ditto on MacOS |
| Runs Ifconfig | Runs Ifconfig on MacOS |
| Runs Kextload | Runs Kextload on MacOS |
| Runs Kextstat | Runs Kextstat on MacOS |
| Runs Launchctl | Runs Launchctl on MacOS |
| Runs Netstat | Runs Netstat on MacOS |
| Runs Network Connectivity Tool | Runs Remote System Discovery Tool |
| Runs Ping | Runs Ping on MacOS |
| Runs Ps | Runs Process Status Command on MacOS |
| Runs Remote Execution Tool | Runs Windows SysInternal PsExec Tool |
| Runs Remote Powershell Command | Runs Powershell Commands on Remote Computer |
| Runs robocopy.exe | Replicates Files using Robust File Copy |
| Runs Rundll32 Using One Letter DLL | Rundll32 Executes Single Character DLL |
| Runs Sh | Runs Shell Script Utility on MacOS |
| Runs Tar | Runs Tar Utility on MacOS |
| Runs Unzip | Runs Unzip Utility on MacOS |
| Scripting Engine Injects Remote Process | Scripting Engine Creates Remote Thread |
| Self Signed | Self-Signed MacOS Certificate |
| Starts RDP Service | Starts Remote Desktop Services |
| Suspicious REGSVR32.EXE Task | Suspicious Regsvr32 Task |
| Unsigned Copies Self | Unsigned MacOS File Replicates Itself |
| Unsigned Creates Remote Thread | Unsigned Windows File Creates Remote Thread |
| Unsigned Creates Remote Thread And File Hidden | Unsigned Hidden Windows File Creates Remote Thread |
| Unsigned Cron Job | Unsigned Cron Job on MacOS |
| Unsigned Deletes Self | Unsigned File Deletes Self on MacOS |
| Unsigned Kext | Unsigned Kext File on MacOS |
| Unsigned Module In Signed Process | Unsigned Module In Signed Process on MacOS |
| Unsigned Runs Python | Unsigned File Runs Python on MacOS |
| Uses LibNSS | Non-System Linux File Uses NSS Library |
| Uses LibPCAP | Non-System Linux File Uses PCAP Library |
| Windows Task Runs Powershell | Windows Task Scheduler Engine Runs Powershell |
| Wmiprvse Runs Command Shell | Wmiprvse Runs Cmd or Powershell |
| Installs Root Certificate | Installs Root Certificate on Windows |
| Scripting Addition In Process | Scripting Addition In Process on MacOS |
| System Integrity Protection Disabled | MacOS System Integrity Protection Disabled |
| Unknown Segment | Unknown Segment Within a File on MacOS |
| Unsigned Writes Executable | Unsigned File Writes Executable on MacOS |
| Unsigned Writes To Autorun | Unsigned File Creates Autorun on MacOS |
| Uses Mach Injection | File Uses Mach Injection on MacOS |
| Uses Mach Override | File Uses Mach Override on MacOS |
| Opens OS Process | Non-Apple Signed File Opens OS Process |
These EDR application rules can be found at live.netwitness.com. For more information on this initiative and any changes or alterations, please feel free to reach out to your sales and customer success teams.