NetWitness Community Blog
Phase II Content Hygiene Initiative Complete: EDR (Endpoint) Application Rule Hygiene Initiative

Will_G (Moderator)
2022-10-18 11:11 AM

Introduction

As part of a larger content hygiene initiative begun earlier this year, we have concluded the second phase, which focused exclusively on EDR (endpoint) application rules. During Phase II of this initiative, special emphasis was placed on the following:

  • Contextual clarity – in titling / labeling, tagging, and descriptive language
  • Logical clarity and accuracy – in terms of the rule logic itself and its intended (designed) outcome
  • Intended / expected behavior of the rule logic upon triggering
  • Consolidation – where and when necessary or advantageous to our user community

What Took Place

During Phase II we focused exclusively on application rules related to our EDR (Endpoint) offering. We examined 514 rules to ensure that our current and prospective endpoint customers experience the highest degree of quality. As a result, we modified (logically and contextually) 468 rules (90 of which have been renamed to remove any ambiguity previously associated with them) and elected to remove 23 from our content corpus due to issues associated with quality, effectiveness, and overarching performance.

 

Important changes of note include, but are not limited to, the following rules:

Original Rule Name -> Renamed To

  • Adds Firewall Rule -> Adds Windows Firewall Rule
  • Allocates Remote Memory -> Allocates Remote Memory on MacOS
  • Antivirus Disabled -> Windows Antivirus Disabled
  • Autorun Unsigned BHO -> Autorun Unsigned Browser Helper Object
  • Builds Script Incrementally -> Enacts Script Like Behavior
  • Combines Binaries Using Command Prompt -> Runs Commands Using Multiple Binaries
  • Command Shell Copy Items -> Cmd or Powershell Copy Items Recursively
  • Command Shell Runs Rundll32 -> Cmd or Powershell Runs RunDLL32 with No Arguments
  • Creates Browser Extension -> Unsigned MacOS File Creates Browser Extension
  • Creates Remote Process Using WMI Command-Line Tool -> Creates Remote Process Using WMIC
  • Deletes Firewall Rule -> Deletes Windows Firewall Rule
  • Dyld Inserted -> Dynamic MacOS Library Loaded
  • Execute DLL Through Rundll32 -> Unsigned DLL Executed Through Rundll32
  • Gets Current Username -> Enumerates User Logged On The Local System
  • Gets Hostname -> Enumerates Hostname of Local System
  • LD Preload -> Potential Dynamic Linker Hijack Using LD Preload
  • Login Bypass Configured -> Login Bypass Configured Using Accessibility Feature
  • Non-Microsoft Modifies Bad Certificate Warning Setting -> Modifies Windows Certificate Warning Setting
  • Non-Microsoft Modifies Firewall Policy -> Modifies Windows Firewall Registry Setting
  • Non-Microsoft Modifies Internet Zone Setting -> Modifies Windows Internet Zone Setting
  • Non-Microsoft Modifies LUA Setting -> Modifies Windows Limited User Account Setting
  • Non-Microsoft Modifies Registry Editor Setting -> Modifies Windows Registry Editor Setting
  • Non-Microsoft Modifies Security Center Config -> Modifies Windows Security Center Config
  • Non-Microsoft Modifies Services ImagePath -> Modifies Windows Services Imagepath
  • Non-Microsoft Modifies Task Manager Setting -> Modifies Windows Task Manager Registry Setting
  • Non-Microsoft Modifies Windows System Policy -> Modifies Windows System Policy
  • Non-Microsoft Modifies Zone Crossing Warning Setting -> Modifies Windows Zone Crossing Setting
  • Opens Browser Process -> Non-Apple Signed File Opens Browser Process
  • OS Process Runs Command Shell -> Windows Executable Runs Command Shell
  • Packed -> Packed Linux or Mac File
  • Packed And Autorun -> Autorun Packed File on MacOS
  • Packed And Network Access -> Packed File Network Access on MacOS
  • Performs Scripted File Transfer -> Executes FTP Commands using Input Text File
  • Possibly Configures UAC Bypass -> Potential Windows User Account Control Bypass
  • Powershell Injects Remote Process -> Powershell Creates Remote Process
  • Process Authorized In Firewall -> Process Authorized In Windows Firewall
  • Psexesvc Runs Shell Commands -> Psexesvc Runs Windows Command Shell
  • Queries Cached Kerberos Tickets -> Lists Cached Kerberos Tickets
  • Queries Registry Using Command-Line Registry Tool -> Queries Registry using reg.exe
  • Queries Terminal Sessions -> Queries Terminal Sessions Using Qwinsta.exe
  • Queries Users Logged On Local System -> Queries Users Logged On Local Windows System
  • Queries Users Logged On Remote System -> Queries Users Logged On Remote Windows System
  • RDP Launching Loopback Address -> Launches RDP over SSH Tunnel
  • Record Screen Captures Using PSR Tool -> Windows Problem Steps Recorder Command-Line Execution
  • Remote Directory Traversal -> Lists Directory Structure of a Path
  • Runkey Persistence -> Unsigned File Creates Run Key
  • Runs Binary Located In Recycle Bin Directory -> Runs Binary from Windows Recycle Bin
  • Runs Chmod -> Runs Chmod on MacOS
  • Runs Curl -> Runs Curl on MacOS
  • Runs Ditto -> Runs Ditto on MacOS
  • Runs Ifconfig -> Runs Ifconfig on MacOS
  • Runs Kextload -> Runs Kextload on MacOS
  • Runs Kextstat -> Runs Kextstat on MacOS
  • Runs Launchctl -> Runs Launchctl on MacOS
  • Runs Netstat -> Runs Netstat on MacOS
  • Runs Network Connectivity Tool -> Runs Remote System Discovery Tool
  • Runs Ping -> Runs Ping on MacOS
  • Runs Ps -> Runs Process Status Command on MacOS
  • Runs Remote Execution Tool -> Runs Windows SysInternal PsExec Tool
  • Runs Remote Powershell Command -> Runs Powershell Commands on Remote Computer
  • Runs robocopy.exe -> Replicates Files using Robust File Copy
  • Runs Rundll32 Using One Letter DLL -> Rundll32 Executes Single Character DLL
  • Runs Sh -> Runs Shell Script Utility on MacOS
  • Runs Tar -> Runs Tar Utility on MacOS
  • Runs Unzip -> Runs Unzip Utility on MacOS
  • Scripting Engine Injects Remote Process -> Scripting Engine Creates Remote Thread
  • Self Signed -> Self-Signed MacOS Certificate
  • Starts RDP Service -> Starts Remote Desktop Services
  • Suspicious REGSVR32.EXE Task -> Suspicious Regsvr32 Task
  • Unsigned Copies Self -> Unsigned MacOS File Replicates Itself
  • Unsigned Creates Remote Thread -> Unsigned Windows File Creates Remote Thread
  • Unsigned Creates Remote Thread And File Hidden -> Unsigned Hidden Windows File Creates Remote Thread
  • Unsigned Cron Job -> Unsigned Cron Job on MacOS
  • Unsigned Deletes Self -> Unsigned File Deletes Self on MacOS
  • Unsigned Kext -> Unsigned Kext File on MacOS
  • Unsigned Module In Signed Process -> Unsigned Module In Signed Process on MacOS
  • Unsigned Runs Python -> Unsigned File Runs Python on MacOS
  • Uses LibNSS -> Non-System Linux File Uses NSS Library
  • Uses LibPCAP -> Non-System Linux File Uses PCAP Library
  • Windows Task Runs Powershell -> Windows Task Scheduler Engine Runs Powershell
  • Wmiprvse Runs Command Shell -> Wmiprvse Runs Cmd or Powershell
  • Installs Root Certificate -> Installs Root Certificate on Windows
  • Scripting Addition In Process -> Scripting Addition In Process on MacOS
  • System Integrity Protection Disabled -> MacOS System Integrity Protection Disabled
  • Unknown Segment -> Unknown Segment Within a File on MacOS
  • Unsigned Writes Executable -> Unsigned File Writes Executable on MacOS
  • Unsigned Writes To Autorun -> Unsigned File Creates Autorun on MacOS
  • Uses Mach Injection -> File Uses Mach Injection on MacOS
  • Uses Mach Override -> File Uses Mach Override on MacOS
  • Opens OS Process -> Non-Apple Signed File Opens OS Process

These EDR application rules can be found at live.netwitness.com. For more information on this initiative and any changes or alterations, please feel free to reach out to your sales and customer success teams.

Labels:
  • Announcements
  • Actionability
  • Application Rules
  • EDR
  • Endpoint
  • quality
  • Updates
© 2022 RSA Security LLC or its affiliates. All rights reserved.