LeeKirkpatrick
Valued Contributor
since 2015-11-24
2022-01-14

User Statistics

  • 156 Posts
  • 14 Solutions
  • 49 Likes given
  • 201 Likes received

User Activity

Posts

PrintNightmare (CVE-2021-1675)

by LeeKirkpatrick, 2021-07-02, in NetWitness Community Blog
I'm sure most of you have heard about the recent remote code execution (RCE) exploit dubbed as PrintNightmare. It is an attack against the printer spool service that allows an attacker, with normal user credentials, to execute with SYSTEM level privi...

Detecting C&C Malleable Profiles

by LeeKirkpatrick, 2021-05-12, in NetWitness Community Blog; latest reply by RuiAtaide, 2021-12-01
Introduction When a C2 platform is hardcoded to beacon in a particular fashion, its detection from a defender’s perspective is trivial. Namely, we merely need to create a single signature based on the hardcoded characteristics, which would then be ca...

Using RSA NetWitness to Detect Ransomware Attacks

by LeeKirkpatrick, 2020-11-09, in NetWitness Community Blog
Table of Contents: Introduction; How is Ransomware Deployed?; Credential Harvesting; ProcDump; comsvcs.dll; Custom Applications; Lateral Movement; RDP; WMI; SMB; Backdoors; Account Creation; Ransomware Deployment; Conclusion. Introduction: Ransomware is something that’s haunted bu...

Using RSA NetWitness to Detect Void-RAT

by LeeKirkpatrick, 2020-06-11, in NetWitness Community Blog
Carrying on with the theme of Remote Access Tools (RATs), in this blog post we will be covering Void-RAT. This tool is still in development and currently at alpha release, so it doesn't come with as many features as other RATs we've looked at; with that bei...

Using RSA NetWitness to Detect QuasarRAT

by LeeKirkpatrick, 2020-05-26, in NetWitness Community Blog
Delving back into the C2 Matrix to look for some more inspiration for blog posts, we noticed there are a number of Remote Administration Tools (RATs) listed. So we decided to start taking a look at these RATs and see how we can detect their usage in ...

Replies
Re: Detecting C&C Malleable Profiles

by LeeKirkpatrick, 2021-05-19, in NetWitness Community Blog
We have had some feedback on the rules from individuals who have had this up and running in their environments. That feedback has been applied to the latest set of rules that is uploaded to this post. The code was also updated to create rules for the...

Re: Detecting C&C Malleable Profiles

by LeeKirkpatrick, 2021-05-14, in NetWitness Community Blog
Hey All, Since I had the code already extracting the necessary fields, I made it output the content as Yara rules. These rules may work on raw PCAP data as well as memory dumps, the executables, however, are normally encoded and would not necessarily...

Re: Using RSA NetWitness to Detect Ninja C2

by LeeKirkpatrick, 2020-04-14, in NetWitness Community Blog
Hey Matthew, Correct, the app rules detailed in this post would most likely have no benefit being on a Log Decoder, nor on an ESA that is ingesting log metadata, this is because the proxies capturing the information typically won't log everything in ...

Re: Using RSA NetWitness to Detect Ninja C2

by LeeKirkpatrick, 2020-04-14, in NetWitness Community Blog
Hey Matthew, Typically, the data sent within the POST is not logged by proxies, remember this is outbound C2 data, therefore NetWitness does not receive that information, so the app rule looking for the double asterisk may not work in this case. The ...

Re: Using RSA NetWitness to Detect C&C: ReverseTCP Shell

by LeeKirkpatrick, 2019-12-19, in NetWitness Community Blog
Hey Shane, With this tool, everything that gets uploaded or downloaded is decimal encoded. As an example, if you uploaded a malicious binary, it will look like this across the wire: Which after decimal decoding, you can reconstruct the binary (simila...
© 2022 RSA Security LLC or its affiliates. All rights reserved.