Hunting Pack

The Hunting Pack is a bundle of content that derives indicators of compromise and surfaces anomalous events. Deploying this bundle downloads all of the Hunting Pack's content and its content dependencies, including the associated feeds, Lua parsers and reports.

For more details about the suggested investigation techniques, refer to the RSA NetWitness Hunting Guide.

  • ESA Rule: Webshell Detected
  • Application Rule: exe filetype but not exe extension
  • Feeds: Investigation Feed and RSA FirstWatch SSL Blacklist
  • Lua parsers:
    • CustomTCP
    • JSON-RPC
    • MSU_rat
    • apt_artifacts
    • china_chopper
    • dns_verbose
    • dyndns
    • fingerprint_java
    • fingerprint_rtf
    • http
    • icmp
    • idn_homograph
    • mail
    • plugx
    • poison_ivy
    • pvid
    • rdp
    • rekaf
    • session_analysis
    • smb
    • struts_exploit
    • supercmd
    • tld
    • tls
    • traffic_flow
    • windows_command_shell
    • windows_executable
    • xor_executable
  • Reports:
    • Hunting Detail
    • Hunting Summary
    • Malware Activity Report