Indicators of compromise

  • .REG Files

    Policy for detecting .REG files (Windows Registry files). The rule for this policy is:

    • .REG File
  • Database Dumps/Backup Files

    Policy for detecting records of SQL table data extracted from a database. The rules for this policy are:

    • Database Dumps/Backup Files: MySQL-Format Database Dump (Wide)
    • Database Dumps/Backup Files: MySQL-Format Database Dump (Default)
    • Database Dumps/Backup Files: Microsoft Tape Format
  • Encrypted Files

    Policy for detection of encrypted PGP files, password-protected files of known formats, like Microsoft Word and ZIP, and unknown encrypted files. The rules for this policy are:

    • Encrypted Files: B1 File
    • Encrypted Files: RAR File
    • Encrypted Files: RAR5 File
    • Encrypted Files: ZIP File
    • Encrypted Files: Microsoft Access Database File (Legacy)
    • Encrypted Files: Microsoft Excel Binary File (Legacy)
    • Encrypted Files: Microsoft Office Encrypted File (OOXML)
    • Encrypted Files: Microsoft OneNote Encrypted File
    • Encrypted Files: Microsoft PowerPoint Binary File (Legacy)
    • Encrypted Files: Microsoft Word Binary File (Legacy)
    • Encrypted Files: PDF File
    • Encrypted Files: PGP Encrypted File
    • Encrypted Files: PGP Signed and Encrypted File
    • Encrypted Files: Unknown Encrypted Format
  • Password Files

    Searches for outbound password files, such as SAM database and UNIX/Linux password files. The rules for this policy are:

    • Password Files: .htpasswd File (Wide)
    • Password Files: .htpasswd File (Default)
    • Password Files: .htpasswd File (Narrow)
    • Password Files: General File
    • Password Files: Password File (Wide)
    • Password Files: Password File (Default)
    • Password Files: SAM File (Wide)
    • Password Files: SAM File (Default)
    • Password Files: SAM File (Narrow)
    • Password Files: Shadow File (Wide)
    • Password Files: Shadow File (Default)
  • Private Keys

    Policy for detecting private keys or file formats that contain them. The rules for this policy are:

    • Private Keys: DSA Private Key
    • Private Keys: Elliptic Curve Private Key
    • Private Keys: JSON Keystore File Private Key
    • Private Keys: OpenSSH Private Key
    • Private Keys: PGP Private Key
    • Private Keys: PKCS #1 Private Key
    • Private Keys: Encrypted PKCS #8 Private Key
    • Private Keys: Unencrypted PKCS #8 Private Key
    • Private Keys: PKCS #12 File
    • Private Keys: SSH2 Private Key
    • Private Keys: Textual PPK Private Key
  • Suspected Malware Communication

    Identifies traffic that is thought to be malware “phoning home” or attempting to steal information. Detection is based on the analysis of traffic patterns from known infected machines. Applies only when Forcepoint Web Security is installed. Rules in this policy include:

    • Suspected Malware Communication (Wide)
    • Suspected Malware Communication (Default)
  • Suspected Malicious Dissemination

    Policy for the detection of suspected malicious content dissemination, such as encrypted or manipulated information, password files, credit card tracks, suspected applications, and dubious content such as information about the network, software license keys, and database files. The rules for this policy are:

    • Suspected Malicious Dissemination: Encrypted File (Known Format)
    • Suspected Malicious Dissemination: Email Address and Password (Wide)
    • Suspected Malicious Dissemination: Email Address and Password (Default)
    • Suspected Malicious Dissemination: Generic Encryption Detection (Wide)
    • Suspected Malicious Dissemination: Generic Encryption Detection (Default)
    • Suspected Malicious Dissemination: IT Asset Information
    • Suspected Malicious Dissemination: Malicious Concealment
    • Suspected Malicious Dissemination: Password Dissemination for non-HTTP/S Traffic (Wide)
    • Suspected Malicious Dissemination: Password Dissemination for non-HTTP/S Traffic (Default)
    • Suspected Malicious Dissemination: Password Dissemination for non-HTTP/S Traffic (Narrow)
    • Suspected Malicious Dissemination: Password Dissemination for HTTP Traffic (Wide)
    • Suspected Malicious Dissemination: Password Dissemination for HTTP Traffic (Default)
    • Suspected Malicious Dissemination: Password Dissemination for HTTP Traffic (Narrow)
    • Counter Malicious: Password File
    • Suspected Malicious Dissemination: Suspected Application (Steganography and Encryption)