NetWitness Community

ChrisThomas · 2021-02-01

In Incident Response we often get called in to customer engagements after an incident has occurred (yeah, I know, that is why it is called Response). Unfortunately, not all organisations we work with have centralised log collection … or if they do, t...

ChrisThomas · 2020-05-22

To round out our series explaining how to use the indicators from ASD & NSA's report for detecting web shells (Detect and prevent web shell malware | Cyber.gov.au ) with NetWitness, let's take a look at the endpoint focused indicators. If you missed ...

ChrisThomas · 2020-05-06

Following on from my last post that focused on analysing web server logs https://community.rsa.com/community/products/netwitness/blog/2020/04/30/detecting-webshells-with-web-server-logs , this time we are going to look at the network based indicators...

ChrisThomas · 2020-04-30

IntroductionThe Australian Signals Directorate (ASD) & US National Security Agency (NSA) have jointly released a useful guide for detecting and preventing web shell malware. If you haven't seen it yet, you can find it here:Detect and prevent web shel...

ChrisThomas · 2019-12-20

IntroductionHaving recently moved into the IR team – where I now have to actually do stuff as opposed to just talking about stuff in technical sales – I have found that the best way to get up to speed with detecting attacker behaviours is to run the ...

ChrisThomas · 2020-05-04

Hi JonWe'll get in to some methods for detecting web shells using data from NetWitness Network soon!In the meantime, the default setting for the http_lua network parser is to register the components of the URI (hostname, directory, filename, extrensi...

ChrisThomas · 2019-08-22

The joy of Logs!So maybe we need info from another source. If you have DNS logs with the request and response (or even better NW Network capture of DNS queries) from the Proxy we could tie the ip.dst (in NW Network, the response to the DNS query woul...

ChrisThomas · 2019-08-22

Using a feed to tag sessions with extra meta for context is a great idea overall, but I don't think it answers your initial question of how to link the event from the firewall with the corresponding event from the proxy server. Using the feed mechani...

ChrisThomas · 2019-03-20

There is documentation at the end of the Security Configuration guide available here (in Appendix A): Security Configuration Guide for Version 11.2 From the field – it does work: We have created a self-signed certificate and a key using the below, op...

ChrisThomas · 2018-08-19

Take a look at Joshua Randall's post from a couple of weeks ago: https://community.rsa.com/community/products/netwitness/blog/2018/08/07/improving-alerts-related-links-in-respond

NetWitness Community

User Statistics

User Activity

Analysing EVTX files in NetWitness through Winlogbeats

ASD & NSA's Guide to Detect and Prevent Web Shell Malware – Endpoint Visibility

ASD & NSA's Guide to Detect and Prevent Web Shell Malware – Network Visibility

ASD & NSA's Guide to Detect and Prevent Web Shell Malware - Web Server Logs

Using RSA NetWitness to Detect C&C: Covenant

Re: ASD & NSA's Guide to Detect and Prevent Web Shell Malware - Web Server Logs

Re: Investigating an alert, need help with additional meta

Re: Investigating an alert, need help with additional meta

Re: v11 - Replace Self-Signed Certificate

Re: Respond Server Querry