
RSA Configuration

The following product description and configuration information was provided by the vendor and has been included in its unedited form. Any MITRE comments are included in italics.

Product Versions

NetWitness Endpoint v4.4.0.6


RSA NetWitness Endpoint is an endpoint detection and response solution that leverages continuous endpoint behavioral monitoring and advanced machine learning to dive deeper into endpoints and more accurately and rapidly identify targeted, unknown and non-malware attacks that other endpoint security solutions miss entirely. RSA NetWitness Endpoint delivers full visibility into all processes, executables, events and behavior on all endpoints (servers, desktops, laptops and virtual machines) with no discernible impact on end-user productivity, using an extremely lightweight endpoint agent. The solution scales easily from hundreds to hundreds of thousands of endpoints. All data storage and most analysis occur on the RSA NetWitness Endpoint database, which ensures data integrity and drastically reduces endpoint impact. RSA NetWitness Endpoint collects and automatically analyzes processes, executables and more on endpoints; records data about every critical action surrounding the unknown item; and communicates with the RSA NetWitness Endpoint server for advanced analysis and threat prioritization.


Disabled Blocking and Quarantining

Added content related to activity with PowerShell and other binaries sometimes used during APT attacks. Specifically, the following Instant Indicators of Compromise:

  • Renamed_CMD.EXE
  • Renamed_WMIC.EXE
  • RenamedOSprocess
  • RenamedShell
  • CMD_Creates_VBS
  • CMDcreatesExecutableRareEvent
  • New-CMDstartsPowershell
  • LoopbackwithPortOnCLA
  • OfficeStartsMonitoredEXE
  • Outbound_ExplorerWithFloatingCode
  • Outbound_SVCHOSTWithFloatingCode
  • Outbound_Windows_Folder
  • OutboundFrom_Windows_Temp
  • New-PossibleOfficeExploit
  • PossibleReconActivity
  • RareEvent_CMD_Creates_WSCRIPT
  • Uncommon_MSHTA.exe_Behavior-source
  • Uncommon_MSHTA.exe_Behavior-target
  • UncommonEvent_Browser_CreatesCMD
  • SuspiciousPowershell_FloatingCode
  • CommandsOfInterest
  • LateralWithCreds
  • WMIC_RemoteNode_Activity
  • PossibleWebshell_Activity
  • SuspiciousActivity_lsass_ntds_in_tla
  • PotentialOutlookExploit
  • STDOUT_STDERR_Redirect
  • Outbound_From_Unsigned_On_AppData
  • UncommondPowershellProcess
  • RareEvent_CMD_Creates_ScriptFile
  • Public_Folder_DLL_Load
  • RareEvent_cmd.exe_starts_wscript
  • RareEvent_OSprocess_runs_PS_or_CMD
  • PossibleWebshell_Activity_Server
  • Powershell_DoubleBase64
  • Powershell_loadsDLL_via_rundll32
  • cmd_with_escape_character
  • Suspicious_Powershell_creates_rundll32
  • Uncommon_Outlook_CreateProcess
  • UncommonRundll32createsExecutable
  • Unsigned_Opens_LSASS Event
  • Process_Parent_is_WmiPrvSe
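As an added illustration, not part of the vendor's configuration text above and not RSA NetWitness Endpoint's actual rule logic (which this page does not show), the Python below sketches what six of the listed indicator names plausibly check, run over a few constructed process-creation events. The ProcEvent schema, the helper names (base_name, encoded_command_arg, encode_ps, evaluate, run_samples) and the sample events are assumptions made for the example; the layered-base64 sample is built inside the block rather than copied from any real incident.

```python
"""Illustrative detection logic for six of the Instant IOC names listed above.
Hypothetical reconstructions from the names only: not RSA NetWitness Endpoint's
rule definitions, and the event schema is invented for the example."""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:                # constructed process-creation record (assumed schema)
    image: str                  # full path of the new process
    original_name: str          # OriginalFileName from the PE version resource
    cmdline: str
    parent_image: str
    net_outbound: bool = False  # process later made an outbound connection


def base_name(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def renamed_cmd(ev: ProcEvent) -> bool:
    # Renamed_CMD.EXE: version resource says cmd.exe, the on-disk name does not
    return ev.original_name.lower() == "cmd.exe" and base_name(ev.image) != "cmd.exe"


def cmd_starts_powershell(ev: ProcEvent) -> bool:
    # New-CMDstartsPowershell: cmd.exe is the direct parent of a PowerShell host
    return base_name(ev.parent_image) == "cmd.exe" and base_name(ev.image) in ("powershell.exe", "pwsh.exe")


def encoded_command_arg(cmdline: str) -> str:
    # payload of -EncodedCommand or any prefix of it (-enc, -e); "" if absent
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] in ("-", "/") and tok[1:] and "encodedcommand".startswith(tok[1:].lower()):
            return tokens[i + 1]
    return ""


B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def powershell_double_base64(ev: ProcEvent) -> bool:
    # Powershell_DoubleBase64: the -EncodedCommand script embeds a second base64
    # payload, so a single decoding pass never sees the real command
    if base_name(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return False
    try:
        script = base64.b64decode(encoded_command_arg(ev.cmdline), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return False
    for blob in B64_BLOB.findall(script):
        try:  # PowerShell payloads are UTF-16LE; accept only cleanly printable output
            inner = base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
        if inner and all(c.isprintable() or c.isspace() for c in inner):
            return True
    return False


def outbound_from_windows_temp(ev: ProcEvent) -> bool:
    # OutboundFrom_Windows_Temp: network egress from a binary under C:\Windows\Temp
    return ev.net_outbound and ev.image.lower().startswith("c:\\windows\\temp\\")


def parent_is_wmiprvse(ev: ProcEvent) -> bool:
    # Process_Parent_is_WmiPrvSe: spawned by the WMI provider host, as in remote WMI execution
    return base_name(ev.parent_image) == "wmiprvse.exe"


def cmd_with_escape_character(ev: ProcEvent) -> bool:
    # cmd_with_escape_character: caret escapes splitting keywords (p^ower^shell) in cmd.exe
    return base_name(ev.image) == "cmd.exe" and "^" in ev.cmdline


RULES = {
    "Renamed_CMD.EXE": renamed_cmd,
    "New-CMDstartsPowershell": cmd_starts_powershell,
    "Powershell_DoubleBase64": powershell_double_base64,
    "OutboundFrom_Windows_Temp": outbound_from_windows_temp,
    "Process_Parent_is_WmiPrvSe": parent_is_wmiprvse,
    "cmd_with_escape_character": cmd_with_escape_character,
}


def evaluate(ev: ProcEvent) -> list:
    return [name for name, rule in RULES.items() if rule(ev)]


def encode_ps(script: str) -> str:
    # what an operator passes to -EncodedCommand: base64 over UTF-16LE (used to build a sample)
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample events, not real telemetry.
INNER = encode_ps("Write-Host hi")
OUTER = encode_ps(f"IEX([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('{INNER}')))")
EXPLORER, CMD = r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = {
    "renamed cmd": ProcEvent(r"C:\Users\Public\svc.exe", "Cmd.Exe", "svc.exe /c whoami", EXPLORER),
    "cmd -> encoded powershell": ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                                           "PowerShell.EXE", f"powershell.exe -NoP -W Hidden -enc {OUTER}", CMD),
    "wmi-spawned temp binary": ProcEvent(r"C:\Windows\Temp\upd.exe", "upd.exe", "upd.exe",
                                         r"C:\Windows\System32\wbem\WmiPrvSE.exe", net_outbound=True),
    "caret-obfuscated cmd": ProcEvent(CMD, "Cmd.Exe", 'cmd.exe /c p^ower^shell -nop -c "whoami"', EXPLORER),
    "benign dir": ProcEvent(CMD, "Cmd.Exe", "cmd.exe /c dir", EXPLORER),
}


def run_samples() -> dict:
    return {label: evaluate(ev) for label, ev in SAMPLE_EVENTS.items()}
```

Running run_samples() shows each constructed event tagged only with the indicators that apply (the benign cmd.exe /c dir event matches none). Two design points carry over to real rule writing: Renamed_CMD.EXE keys on the PE version resource rather than the file name, which is why renaming the binary does not evade it, and Powershell_DoubleBase64 has to decode the outer -EncodedCommand layer before it can look for the inner one, so a detector that only inspects the raw command line sees nothing suspicious.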