NetWitness Community

RSAAdmin · ‎2014-04-29

Good morning Community! I wanted to post a quick note letting folks know that that the research and content teams have been aware of the IE vulnerability released by FireEye since the weekend. We have been determining how best to address the issue via content. Early reports were not very detailed around the specifics of the exploit, but as we collect more information and develop mechanisms for detecting the vulnerability, updates will start to come across the wire.

Stay tuned,

Michael Scott Shreve, Pragmatic PMC-3

Product Manager | RSA Threat Intelligence

T: 571.392.6186

M: 703.853.6455

RSAAdmin · ‎2014-04-29

Good evening Community! We have a few pieces of content to help you identify instances of this 0-day.

Indicators have been loaded into the “third party indicators” feeds (Third Party IOC IPs and Third Party IOC Domains), and can be located using the following app rule:

name=ie-zero-day-04-14 rule="threat.source = \"third party publicized iocs\" && threat.desc begins \"zero day cve-2014-

1776\"" order=21 alert=risk.warning type=application

Happy hunting!

Anonymous · ‎2014-05-01

Saving this as nwr file and Importing throws errors.

Does this condition look good for searching in Investigator.

threat.source = ‘third party publicized iocs’ && threat.desc begins ‘zero day cve-2014-1776’

RSAAdmin · ‎2014-05-01

Try this Praveen

NetWitness Community

Latest IE 0 Day