Appendix A: Endpoint Risk Scoring Rules

Endpoint risk scoring requires the following content:

"accesses administrative share using command shell"
"activates bits job"
"adds files to bits download job"
"adds firewall rule"
"allocates remote memory"
"antivirus disabled"
"archiving software reads multiple documents"
"autorun debian package mismatch"
"autorun file path not part of debian package"
"autorun file path not part of rpm"
"autorun key contains non-printable characters"
"autorun"
"autorun rpm mismatch"
"autorun unsigned active setup"
"autorun unsigned appinit_dlls"
"autorun unsigned bho"
"autorun unsigned bootexecute registry startup method"
"autorun unsigned explorer registry startup method"
"autorun unsigned hidden"
"autorun unsigned hidden only executable in directory"
"autorun unsigned ie toolbar"
"autorun unsigned in appdatalocal directory"
"autorun unsigned in appdataroaming directory"
"autorun unsigned in programdata directory"
"autorun unsigned in temp directory"
"autorun unsigned logontype registry startup method"
"autorun unsigned lsa provider"
"autorun unsigned servicedll"
"autorun unsigned winlogon helper dll"
"autorun unsigned winsock lsp"
"bad certificate warning disabled"
"blacklisted file"
"browser runs command prompt"
"browser runs mshta"
"browser runs powershell"
"builds script incrementally"
"clears application event log"
"clears event logs using powershell"
"clears security event log"
"clears setup event log"
"clears system event log"
"combines binaries using command prompt"
"command line usage of archiving software"
"command line writes script files"
"command prompt obfuscation"
"command prompt obfuscation using value extraction"
"command shell runs rundll32"
"completes bits download job"
"configures image hijacking"
"configures port redirection"
"copies binary over administrative share"
"created in last month"
"creates browser extension"
"creates domain user account"
"creates executable in startup directory"
"creates local driver service"
"creates local service"
"creates local task"
"creates local user account"
"creates password-protected archive"
"creates recursive archive"
"creates remote process using wmi command-line tool"
"creates remote service"
"creates remote task"
"creates run key"
"creates shadow volume for logical drive"
"creates suspicious service running command prompt"
"debian package hash mismatch in important system directory"
"debian package hash mismatch"
"deletes backup catalog"
"deletes firewall rule"
"deletes shadow volume copies"
"deletes shadow volume copies using powershell"
"deletes usn change journal"
"disables event logging service"
"disables firewall"
"disables safe mode"
"disables security service"
"disables startup repair"
"disables uac"
"disables uac remote restrictions"
"disables windows audit policy"
"disables windows defender using powershell"
"downloads binary using certutil"
"drops credential dumping tools"
"dumps dns cache"
"dyld inserted"
"enables cleartext credential storage"
"enables login bypass"
"enables rdp from command-line"
"enables safe mode"
"enumerates arp table"
"enumerates available systems on network"
"enumerates domain account policy"
"enumerates domain administrators"
"enumerates domain computers"
"enumerates domain controllers"
"enumerates domain groups"
"enumerates domain users"
"enumerates enterprise administrators"
"enumerates exchange domain servers"
"enumerates exchange servers"
"enumerates ip configuration"
"enumerates local account policy"
"enumerates local administrators"
"enumerates local administrators on domain controller"
"enumerates local groups"
"enumerates local services"
"enumerates local users"
"enumerates logical disk"
"enumerates mapped resources"
"enumerates network connections"
"enumerates primary domain controller"
"enumerates processes on local system"
"enumerates processes on remote system"
"enumerates remote netbios name table"
"enumerates remote resources"
"enumerates route table"
"enumerates services hosted in processes"
"enumerates system info"
"enumerates trusted domains"
"evades scanning within windows defender"
"evasive powershell used over network"
"event viewer executes uncommon binary"
"execute dll through rundll32"
"exports sensitive registry hive"
"extracts password-protected archive"
"file encrypted"
"file hidden"
"file path not part of debian package in important system directory"
"file path not part of debian package"
"file path not part of rpm in important system directory"
"file path not part of rpm"
"file vault disabled"
"floating module and hooking"
"floating module in browser process"
"floating module in os process"
"floating module"
"gatekeeper disabled"
"gets current user as system"
"gets current username and group information"
"gets current username"
"gets hostname"
"gets remote time"
"gina replacement"
"graylisted file"
"hidden and hooking"
"hidden in appdata"
"hidden plist and autorun"
"hidden running as root"
"hooks audio output function"
"hooks authentication function"
"hooks crypto function"
"hooks dnsquery function"
"hooks gui function"
"hooks network http function"
"hooks network io function"
"hooks ntldr function"
"hooks registry access function"
"hooks registry enumeration function"
"http daemon runs command prompt"
"http daemon runs powershell"
"http daemon runs reconnaissance tool"
"http daemon writes executable"
"ie dep disabled"
"ie enhanced security disabled"
"in appdata directory"
"in hidden directory"
"in recycle bin directory"
"in root of appdatalocal directory"
"in root of appdataroaming directory"
"in root of logical drive"
"in root of program directory"
"in root of users directory"
"installs root certificate"
"in system volume information directory"
"in temporary directory"
"in uncommon directory"
"invalid signature"
"kext signature validation disabled"
"lateral movement with credentials using net utility"
"ld preload"
"library preferences directory"
"lists anti-spyware products"
"lists antivirus products"
"lists firewall products"
"login bypass configured"
"lua disabled"
"mac firewall disabled"
"malicious file by reputation service"
"maps administrative share"
"maps ipc$ share"
"misleading file extension"
"modifies file associations"
"modifies image file execution for persistence"
"modifies registry using command-line registry tool"
"modifies run key"
"modifies shell-open-command file association"
"modifies startup folder location"
"modifies winlogon dll for persistence"
"modifies winlogon registry settings"
"mshta runs command prompt"
"mshta runs powershell"
"mshta runs scripting engine"
"mshta writes executable"
"network access"
"no antivirus notification disabled"
"no firewall notification disabled"
"non-microsoft modifies bad certificate warning setting"
"non-microsoft modifies firewall policy"
"non-microsoft modifies internet zone setting"
"non-microsoft modifies lua setting"
"non-microsoft modifies registry editor setting"
"non-microsoft modifies security center config"
"non-microsoft modifies services imagepath"
"non-microsoft modifies task manager setting"
"non-microsoft modifies windows system policy"
"non-microsoft modifies zone crossing warning setting"
"no uac notification disabled"
"no windows update notification disabled"
"office application crashed"
"office application injects remote process"
"office application runs bits"
"office application runs command prompt"
"office application runs powershell"
"office application runs scripted ftp"
"office application runs scripting engine"
"office application runs task scheduler"
"office application runs wmi scripting engine"
"office application writes executable"
"opens browser process"
"opens os process"
"opens process"
"opswat reported infected"
"opswat reported suspicious"
"os process runs command shell"
"packed and autorun"
"packed and network access"
"packed"
"performs scripted file transfer"
"possible login bypass"
"possible mimikatz activity"
"possible rdp session hijacking"
"possibly configures uac bypass"
"possibly renamed net.exe detected"
"potential abuse of odbcconf"
"potential outlook exploit"
"powershell command using string manipulation"
"powershell injects remote process"
"powershell opens lsass process"
"powershell runs command prompt"
"powershell runs scripting engine"
"process authorized in firewall"
"process redirects to stdout or stderr"
"process with matched yara rule"
"process with opswat reported infected"
"process with opswat reported suspicious"
"psexesvc runs powershell"
"psexesvc runs scripting engine"
"psexesvc runs shell commands"
"pubprn detection"
"queries cached kerberos tickets"
"queries processes on local system"
"queries processes on remote system"
"queries registry using command-line registry tool"
"queries terminal sessions"
"queries users logged on local system"
"queries users logged on remote system"
"record screen captures using psr tool"
"registers always install elevated policy"
"registers appcert dll"
"registers appinit dll"
"registers boot execute"
"registers lsa authentication package"
"registers lsa notification package"
"registers lsa security package"
"registers netsh helper dll"
"registers port monitor dll"
"registers shim database"
"registers startup during safe mode boot"
"registers time provider dll"
"registry tools disabled"
"regsvr32 creates windows task"
"regsvr32 runs powershell"
"regsvr32 runs rundll32"
"regsvr32 writes executable"
"remote directory traversal"
"removes windows defender definitions"
"rpm hash mismatch in important system directory"
"rpm hash mismatch"
"rpm ownership changed"
"rpm permissions changed"
"rundll32 creates windows task"
"rundll32 runs powershell"
"runkey persistence"
"runs acl management tool"
"runs active directory service query tool"
"runs binary located in recycle bin directory"
"runs binary located in root of logical drive"
"runs binary located in root of program directory"
"runs binary located in root of users directory"
"runs binary located in system volume information directory"
"runs blacklisted file"
"runs certutil with decode arguments"
"runs certutil with encode arguments"
"runs certutil with hashfile arguments"
"runs chained command shell"
"runs chmod"
"runs credential dumping tools"
"runs curl"
"runs ditto"
"runs dns lookup tool for txt record"
"runs dns lookup tool"
"runs file attributes modification tool"
"runs file transfer tool"
"runs forfiles.exe"
"runs graylisted file"
"runs ifconfig"
"runs kextload"
"runs kextstat"
"runs launchctl"
"runs malicious file by reputation service"
"runs mshta with http argument"
"runs mshta with script argument"
"runs msiexec with http argument"
"runs netstat"
"runs network configuration tool"
"runs network connectivity tool"
"runs one letter executable"
"runs one letter script"
"runs ping"
"runs powershell bypassing execution policy"
"runs powershell decoding base64 string"
"runs powershell defining function"
"runs powershell downloading content"
"runs powershell invoke-mimikatz function"
"runs powershell memory stream function"
"runs powershell"
"runs powershell shellexecute function"
"runs powershell using encoded command"
"runs powershell using environment variables"
"runs powershell with hidden window"
"runs powershell with http argument"
"runs powershell with long arguments"
"runs psexec on remote system and silently accepts user license"
"runs psexec on remote system as system user"
"runs ps"
"runs registry tool"
"runs regsvr32 com scriplets"
"runs regsvr32 using one letter dll"
"runs regsvr32 with http argument"
"runs regsvr32 without arguments"
"runs remote execution tool"
"runs remote powershell command"
"runs robocopy.exe"
"runs rundll32 using one letter dll"
"runs rundll32 with http argument"
"runs rundll32 with javascript argument"
"runs rundll32 without arguments"
"runs scripting engine in batch mode using execution engine argument"
"runs scripting engine"
"runs service control tool"
"runs shim database installer"
"runs sh"
"runs suspicious file by reputation service"
"runs tar"
"runs tasks management tool"
"runs unzip"
"runs waitfor.exe"
"runs wmi command-line tool"
"runs wmi scripting engine"
"runs xcopy.exe"
"safari fraud website warning disabled"
"scripting addition in process"
"scripting engine injects remote process"
"scripting engine runs powershell"
"scripting engine runs regsvr32"
"scripting engine runs rundll32"
"self signed"
"services in programdata directory"
"services runs command shell"
"smartscreen filter disabled"
"starts local service"
"starts rdp service"
"starts remote service"
"stops diagtrack service"
"stops error reporting service"
"stops security service"
"stops windows update service"
"sudo no password prompt"
"suspicious file by reputation service"
"suspicious regsvr32.exe task"
"system integrity protection disabled"
"system restore disabled"
"tampers with windows defender registry"
"task manager disabled"
"tasks in programdata directory"
"terminates process"
"transfers file using bits"
"uac disabled"
"unexpected csrss.exe parent"
"unexpected explorer.exe destination location"
"unexpected explorer.exe parent"
"unexpected explorer.exe source location"
"unexpected lsass.exe parent"
"unexpected lsm.exe parent"
"unexpected msdtc.exe parent"
"unexpected os process destination location"
"unexpected os process source location"
"unexpected runtimebroker.exe parent"
"unexpected services.exe parent"
"unexpected smss.exe parent"
"unexpected svchost arguments"
"unexpected svchost.exe parent"
"unexpected taskhostw.exe parent"
"unexpected wininit.exe parent"
"unexpected winlogon.exe parent"
"unknown segment"
"unsigned copies self"
"unsigned creates remote thread and file hidden"
"unsigned creates remote thread"
"unsigned cron job"
"unsigned deletes self"
"unsigned kext"
"unsigned library in suspicious daemon"
"unsigned module in signed process"
"unsigned reserved name"
"unsigned runs python"
"unsigned writes executable"
"unsigned writes executable to appdatalocal directory"
"unsigned writes executable to appdataroaming directory"
"unsigned writes executable to library application support directory"
"unsigned writes executable to library directory"
"unsigned writes executable to library preferences directory"
"unsigned writes executable to scripting additions directory"
"unsigned writes executable to system directory"
"unsigned writes executable to var directory"
"unsigned writes executable to windows directory"
"unsigned writes to autorun"
"uses libnss"
"uses libpcap"
"uses mach injection"
"uses mach override"
"warning on post redirect disabled"
"windows firewall disabled"
"windows task runs powershell"
"windows update disabled"
"wmic remote node activity"
"wmiprvse runs command shell"
"wmiprvse runs powershell"
"wmiprvse runs scripting engine"
"writes blacklisted file"
"writes executable to recycle bin directory"
"writes executable to root of logical drive"
"writes executable to root of program directory"
"writes executable to root of users directory"
"writes executable to system volume information directory"
"writes graylisted file"
"writes malicious file by reputation service"
"writes suspicious file by reputation service"
"yara rule matched"
"executable in ads"
"explorer public folder dll load"
"powershell double base64"
"outbound from windows directory"
"outbound from unsigned temporary directory"
"unsigned opens lsass"
"outbound from unsigned appdata directory"
"rdp launching loopback address"
"autorun invalid signature windows directory"
"command shell copy items"

NetWitness Community

Table of Contents

Product Resources

Appendix A: Endpoint Risk Scoring Rules

On this page