This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Profiling Attackers Series

LeeKirkpatrick
Valued Contributor Valued Contributor
Valued Contributor
‎2020-04-01 11:17 AM

I have recently been posting a number of blogs regarding the usage of the RSA NeWitness Platform to detect attackers within your environment. As the list of the blogs grow, it is becoming increasingly difficult to navigate through them easily. In order to combat this, this blog post will contain references to all other blog posts in the Profiling Attackers Series, and will be updated when new posts are made.

 

 

 

Command and Control
Using RSA NetWitness to Detect Command and Control: PoshC2
Detecting Command and Control in RSA NetWitness: PowerShell Empire
Detecting Command and Control in RSA NetWitness: Koadic
Detecting Command and Control in RSA NetWitness: Metasploit
Detecting Command and Control in RSA NetWitness: Cobalt Strike
https://community.rsa.com/community/products/netwitness/blog/2019/12/02/using-rsa-netwitness-to-detect-command-and-control-poshc2-v50 
https://community.rsa.com/community/products/netwitness/blog/2019/12/06/using-rsa-netwitness-to-detect-cc-weasel 
https://community.rsa.com/community/products/netwitness/blog/2019/12/18/using-rsa-netwitness-to-detect-cc-reversetcp-shell 
https://community.rsa.com/community/products/netwitness/blog/2019/12/20/using-rsa-netwitness-to-detect-cc-covenant (Guest Blogger: Chris Thomas)
Using the RSA NetWitness Platform to Detect C&C: goDoH
https://community.rsa.com/community/products/netwitness/blog/2020/01/10/detecting-dns-tunneling-in-rsa-netwitness-dns2tcp (Guest Blogger: Marco Faggian‌)
Throwback C2 Thursday
Using RSA NetWitness to Detect HTTP Asynchronous Reverse Shell (HARS)
https://community.rsa.com/community/products/netwitness/blog/2020/05/14/using-rsa-netwitness-to-detect-chaos-c2 

 

Lateral Movement
Detecting Lateral Movement in RSA NetWitness: WMI
Detecting Lateral Movement in RSA NetWitness: Winexe
Detecting Lateral Movement in RSA NetWitness: Smbexec
Using the RSA NetWitness Platform to Detect Lateral Movement: SCShell (DCE/RPC)

 

Persistence
Web Shells and RSA NetWitness
Web Shells and NetWitness Part 2
Web Shells and RSA NetWitness Part 3
Using RSA NetWitness to Detect Credential Harvesting: lsassy

 

 

RATs
https://community.rsa.com/community/products/netwitness/blog/2020/05/26/using-rsa-netwitness-to-detect-quasarrat 
Using RSA NetWitness to Detect Void-RAT

 

Special thanks to Rui Ataide for his support and guidance for these posts.

1 Comment
© 2022 RSA Security LLC or its affiliates. All rights reserved.