In April 2022, Rapid7’s Managed Detection and Response (MDR) team began monitoring 2025 endpoints belonging to EXAMPLE ORG. Rapid7 collected data from those 2025 Windows endpoints via the Insight Agent to conduct the EXAMPLE ORG Security Posture Assessment.
The Rapid7 MDR service relies on multiple methods of detection within client environments. In addition to real-time alerting, MDR performs frequent collection of forensically-relevant data using the Insight Agent to identify historical indicators of compromise and malware that cannot be captured in real-time.
The goal of the Rapid7 MDR Security Posture Assessment is to identify and report malware or remnants of attacker activity, along with potential security risks, on the endpoints where the Insight Agent is installed.
Rapid7 MDR did not identify evidence of an active or historic compromise. Rapid7 MDR identified instances of weak security practices such as passwords stored in clear text documents and potentially unwanted programs installed on hosts.
MDR hunts parse and acquire data from multiple locations on a system to determine what executed historically, which executables run automatically, and which artifacts match common attack methodologies.
Prefetch
Rapid7 reviewed 252,787 Windows Prefetch entries to identify historical execution of suspicious executables, DLLs, and output files.
Windows Services
Rapid7 reviewed 1,052,627 entries to identify malicious Windows services. Windows services are often used by attackers to ensure that malware starts on a system if the system reboots.
Scheduled Tasks
Rapid7 reviewed 423,193 entries to identify malicious scheduled tasks. Windows scheduled tasks are often used by attackers to execute code remotely and to maintain malware persistence.
Registry-Based Persistence
Rapid7 reviewed 366,948 entries to identify persistent malware within the Windows Registry. The Windows Registry contains dozens of configuration options for ensuring that code executes under various circumstances including system boot, user logon, or application launches.
Running Processes
Rapid7 reviewed 336,225 entries for indications of malicious processes, including libraries loaded by processes, network connections from processes, and suspicious command-line arguments. Rapid7 periodically reviews snapshots of processes across networks to identify outliers not only in process executables but the resources loaded by processes.
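As an added example that is not part of the Rapid7 report or its hunt tooling, the following PowerShell script performs a scaled-down version of the persistence review described above on a single host: it enumerates Run/RunOnce keys, scheduled task actions and service image paths, and flags entries whose binary is missing or lives outside the Windows and Program Files directories. The trusted roots and the command-line parsing rules are assumptions, and flagged rows are review candidates, not verdicts.

```powershell
# Added example (not Rapid7's tooling): single-host triage of the autostart
# locations covered by the report's hunts. Trusted roots are an assumption.
$TrustedRoots = @(
    "$env:SystemRoot\",
    "$env:ProgramFiles\",
    "${env:ProgramFiles(x86)}\"
)

function Get-ImagePath {
    # Pull the executable out of a command line such as
    #   "C:\Tools\agent.exe" -svc   or   C:\Tools\agent.exe -svc
    # An unquoted path containing spaces is deliberately cut at the first space,
    # so it is flagged: that is itself a weakness worth reviewing.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $img = $null
    if     ($CommandLine -match '^\s*"([^"]+)"') { $img = $Matches[1] }
    elseif ($CommandLine -match '^\s*(\S+)')     { $img = $Matches[1] }
    if ($img -and $img -notmatch '[\\/]') {
        # Bare name such as cmd.exe: resolve through PATH as the loader would
        $cmd = Get-Command $img -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($cmd) { $img = $cmd.Source }
    }
    return $img
}

function Test-TrustedPath {
    param([string]$Path)
    if (-not $Path) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    foreach ($root in $TrustedRoots) {
        if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-RunKeyEntries {
    # Registry-based persistence: the classic Run/RunOnce keys for machine and current user
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        $item = Get-Item $k -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Source = 'RunKey'; Name = "$k\$name"; Command = $item.GetValue($name) }
        }
    }
}

function Get-ScheduledTaskEntries {
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute) {
                [pscustomobject]@{ Source  = 'ScheduledTask'
                                   Name    = "$($task.TaskPath)$($task.TaskName)"
                                   Command = ("$($a.Execute) $($a.Arguments)").Trim() }
            }
        }
    }
}

function Get-ServiceEntries {
    Get-CimInstance Win32_Service | ForEach-Object {
        [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName }
    }
}

function Find-SuspiciousPersistence {
    # Returns every autostart entry whose image path is missing, unresolvable,
    # or outside the trusted roots.
    $all = @(Get-RunKeyEntries) + @(Get-ScheduledTaskEntries) + @(Get-ServiceEntries)
    foreach ($e in $all) {
        $img = Get-ImagePath $e.Command
        $reason = $null
        if     (-not $img)                      { $reason = 'no image path' }
        elseif (-not (Test-TrustedPath $img))   { $reason = 'outside trusted roots' }
        elseif (-not (Test-Path ([Environment]::ExpandEnvironmentVariables($img)))) { $reason = 'image missing on disk' }
        if ($reason) {
            [pscustomobject]@{ Source = $e.Source; Name = $e.Name; Image = $img; Reason = $reason; Command = $e.Command }
        }
    }
}

Find-SuspiciousPersistence | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```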
During the assessment timeline, Rapid7 used the following techniques to identify current and past indicators of compromise:
Rapid7 identified the following items for review by EXAMPLE ORG:
Please provide Rapid7 with a list of items for allow-listing after review.
Rapid7 reviewed the EXAMPLE ORG environment for MDR-curated indicators of compromise developed from previous incident response engagements, malware identified within the MDR customer base, and Open Source Intelligence (OSINT).
Rapid7 did not identify any indicators of compromise in the EXAMPLE ORG environment matching the MDR Threat Intelligence indicator set.
Remote access solutions can be abused by threat actors to control a system remotely. Rapid7 reviews remote access solution installations across all systems to identify anomalous installs and non-compliant systems.
Rapid7 identified remote access software (Remote Desktop, LogMeIn/GoToMyPC/Hamachi, PSExec, SplashTop, TeamViewer, AnyDesk, VNC, Bomgar, Chrome Remote Desktop) installed on several systems in the EXAMPLE ORG environment. Rapid7 recommends reviewing the software’s presence on each system to determine whether it has a business need and if the system owner is authorized to use the application.
Rapid7 reviews cloud storage solutions to identify anomalous usage and non-compliant systems. Users may upload sensitive or proprietary data to non-approved cloud storage solutions. Rapid7 recommends ensuring that users follow corporate cloud storage usage policies by uninstalling unwanted software or blocking cloud storage network traffic.
Rapid7 identified cloud storage solutions (Dropbox, Microsoft OneDrive, iCloud, Box.com, Amazon Drive) installed on several systems in the EXAMPLE ORG environment. Rapid7 recommends reviewing the software to determine whether it has a business need. Otherwise, the software should be removed.
Rapid7 reviews the environment for potentially unwanted programs (PUPs). PUPs are often non-malicious in nature, but may be admin tools, browser toolbars and other types of software that may serve no business need.
Rapid7 detected a number of potentially unwanted programs in the EXAMPLE ORG environment. These programs should be reviewed to determine whether they serve a business need. Otherwise, it is advised that they be removed.
Rapid7 identified potentially risky password storage practices, namely the storage of plaintext credentials in users’ directories. Attackers will often enumerate systems for files containing credentials for use in lateral movement and privilege escalation. Rapid7 recommends reviewing these documents and providing security awareness training on password storage best practices. Rapid7 recommends using an encrypted credential storage solution such as KeePass, 1Password, LastPass, etc. to store credentials rather than a text file or document.
Rapid7 identified the following password document(s) in the EXAMPLE ORG environment.
Rapid7 identified multiple registered domains potentially designed to impersonate the EXAMPLE ORG registered domains. Rapid7 recommends reviewing and blocking the identified domains if they serve no business need.
Imposter Domain for EXAMPLE ORG.com
Rapid7 reviewed historical logs for ingress authentication from international locations. Attackers routinely hide their activity by using a victim’s VPN with compromised credentials to establish a foothold or maintain persistence in a network.
Rapid7 identified the following successful ingress authentications from international locations into the EXAMPLE ORG environment.
Rapid7 reviewed historical authentication logs for remote desktop (RDP) found in the EXAMPLE ORG environment. Rapid7 recommends blocking inbound remote desktop (RDP) access requests to prevent account brute-forcing or exploitation. Rapid7 recommends only allowing users to remotely access Domain Controllers via a VPN using two-factor authentication. Rapid7 recommends blocking internet access to all Domain Controllers in the environment.
Rapid7 did not identify successful remote desktop sessions from public Internet in the EXAMPLE ORG environment.
Rapid7 reviewed historical egress traffic utilizing the Server Message Block (SMB) protocol. SMB traffic should be blocked at egress firewalls to prevent Windows from sending NTLM hashes to unknown parties. NTLM hashes captured through SMB traffic can be cracked by an adversary and used to access company assets. Rapid7 recommends reviewing the traffic and blocking outbound SMB at all egress points if it serves no business need.
Rapid7 identified SMB traffic egressing from the EXAMPLE ORG environment.
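As an added example (not from the report), the following PowerShell snippet lists live SMB connections from the host to non-private addresses so the traffic can be reviewed, and provides a function that adds the outbound block described above using the Windows Firewall’s built-in `Internet` address keyword. The rule names, and the choice to treat IPv6 peers as internal, are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Rapid7 report. Review outbound SMB first; apply
# the block only after the traffic has been confirmed to serve no business need.

function Test-PrivateAddress {
    # RFC 1918 ranges, loopback and link-local count as internal; everything else
    # is treated as Internet. IPv6 is treated as internal here (assumption).
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne 'InterNetwork') { return $true }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 127) -or
           ($b[0] -eq 169 -and $b[1] -eq 254)
}

function Get-SmbEgress {
    # Live TCP connections to 445/139 with a public peer, joined to the owning process
    Get-NetTCPConnection -RemotePort 445, 139 -ErrorAction SilentlyContinue |
        Where-Object { -not (Test-PrivateAddress $_.RemoteAddress) } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                State         = $_.State
                ProcessId     = $_.OwningProcess
                ProcessName   = $proc.ProcessName
            }
        }
}

function Block-SmbEgress {
    # 'Internet' is a built-in RemoteAddress keyword covering every address that is
    # not on the local subnet or intranet; rule names are assumptions.
    $rules = @(
        @{ Name = 'Block Outbound SMB TCP';     Protocol = 'TCP'; Ports = @(445, 139) },
        @{ Name = 'Block Outbound NetBIOS UDP'; Protocol = 'UDP'; Ports = @(137, 138) }
    )
    foreach ($r in $rules) {
        if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Outbound -Action Block `
                -Protocol $r.Protocol -RemotePort $r.Ports -RemoteAddress Internet `
                -Profile Any -Enabled True | Out-Null
        }
    }
    Get-NetFirewallRule -DisplayName 'Block Outbound*' | Select-Object DisplayName, Enabled, Action
}

Get-SmbEgress | Format-Table -AutoSize
# After review, apply the egress block the report recommends:
# Block-SmbEgress
```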
Based on the results of the Security Posture Assessment, Rapid7 recommends the following actions be undertaken to remediate weak security practices.
Priority | LOE | Recommendation |
---|---|---|
Moderate | Moderate | Standardize Remote Access Utilities: Define a standard set of utilities for remote system administration and remote access. By standardizing and documenting administrative tools, Rapid7 can better identify anomalous or malicious administrative tool use within the network. |
Moderate | Low | Remove PUPs from the Environment: Rapid7 identified a number of Potentially Unwanted Programs (PUPs) across the environment. Although these programs do not pose a security threat, they could introduce exploitable vulnerabilities or unwanted activity. These programs should be removed if no business case exists. |
High | Low | Use a Credential Management Solution for Password Storage: Use an encrypted credential storage solution, such as 1Password, KeePass, or LastPass, to store credentials instead of a text file or document. Unencrypted credentials could be misused or captured by a malicious actor. |
Moderate | Moderate | Block Outbound SMB Traffic on the Firewall to Unauthorized Hosts: Configure the network-level firewall to block outgoing attempts to access SMB resources on the public Internet. |
Rapid7 recommends that these mitigations be implemented in order to reduce the chances of a successful attack. These will also decrease the exposed attack surface.
Priority | LOE | Recommendation |
---|---|---|
High | Moderate | Update Frequently Targeted Applications: Update frequently targeted applications, such as the Microsoft Office suite, Adobe Flash, Adobe Acrobat, and Internet browsers, to reduce the likelihood of compromise from exploit kits, phishing, and targeted attacks. |
High | Low | Use an Application Sandbox to Run Frequently Targeted Applications: Rapid7 recommends using an application sandbox, such as the free Microsoft Enhanced Mitigation Experience Toolkit (EMET), to ensure that commonly targeted applications such as browsers and office suites will terminate if exploited. Application sandboxing mitigates the likelihood that successful exploitation of an Internet browser would allow malware to interact with the underlying operating system and application processes. |
High | Low | User Awareness Training: Implement phishing-based training for users identified as opening unknown attachments or clicking unknown links. Train users on how to forward suspicious links or emails to information security for analysis. Rapid7 recommends providing user awareness training at regular intervals to all users in the environment. |
Moderate | Moderate | Review Firewall and Proxy Policies: Review inbound and outbound URL and firewall access policies and block high-risk categories, such as adult material, games, gambling, advertisements, Peer-to-Peer file sharing, and dynamic DNS. Block all security categories, which include spyware, phishing, keylogging, and malicious mobile code. |
High | Moderate | Block Executable Files at Web Proxy: Block executable files (e.g. .exe) at the web proxy and only allow executables to be downloaded from allowlisted sites serving a business purpose. |
High | Moderate | Block or Warn on Uncategorized Sites at the Web Proxy: Block or warn on uncategorized sites at the web proxy. Instead of blocking uncategorized sites outright, some web proxies can display a warning page that lets the user continue by clicking a link on that page. Either way, this stops drive-by exploits and malware from downloading further payloads from the Internet, as most malware cannot interact with the web proxy warning page. |
Rapid7 recommends that the following best practices are implemented in order to reduce the chances of a successful attack. These best practices will also decrease the exposed attack surface. In addition to general best practices for an environment’s security posture, Rapid7 created the recommendations based on those made in previous incident response engagements. Please work with your Customer Advisor if there are any questions about implementing the recommendations.
Priority | LOE | Recommendation |
---|---|---|
High | High | Implement Unique Passphrases for All Local Administrator Accounts: Implement a solution such as Microsoft Local Administrator Password Solution (LAPS) to ensure local Administrator passphrases are unique per system and rotate on a regular basis. Unique passphrases per system should prevent a threat actor from moving laterally to other assets with a single local Administrator credential. LAPS also randomizes passphrases and helps attribute a single account to a single individual, with complex passwords that expire regularly. The principle of least privilege should be applied to local Administrator accounts, and no standard user account should possess local Administrator credentials. |
High | Moderate | Perform Vulnerability Scans on New Assets and Applications Prior to Deployment: Perform vulnerability scans on all newly deployed assets and applications, and on newly built or updated images and templates, to prevent vulnerable assets or applications from being deployed to production. |
High | Moderate | Limit the Number of Domain Administrator Accounts and Restrict Account Activity to Domain Controllers Only: Limit the number of user and service accounts with domain administrator privileges. Domain administrator accounts should be restricted to interacting only with domain controllers. Help desk employees and engineers should not use domain administrator accounts to authenticate to workstations for day-to-day responsibilities. Authenticating to workstations can leave password hashes cached on the system to be extracted by threat actors. |
High | Low | Enforce Password Rotation and Increase Security for Service Accounts: Implement a policy that passphrases for service accounts must be rotated every 30 days. All service accounts should be added to the Managed Service Accounts group. Service account passwords can be rotated every 30 days automatically and without impacting services using Microsoft’s Managed Service Accounts feature. No service account should have a password that does not expire. Lastly, implement the principle of least privilege for service accounts. |
Low | Moderate | Ensure Service Accounts Do Not Have Interactive and Local Login Rights: Interactive logons should be disabled for all service accounts in the environment through GPO, and the principle of least privilege should be implemented for all service accounts. Interactive logons with these accounts to workstations can leave password hashes on the workstations, where they can be extracted by threat actors. Service accounts are frequently targeted by malicious actors due to their permission levels and network access. Service accounts should only be used to start applications or services, so they should not be able to log into a system interactively. |
High | Low | Implement a Credential Management and Auditing Solution: Use an encrypted credential storage solution, such as LastPass, CyberArk, 1Password, or KeePass, to store credentials instead of a text file or document. Unencrypted credentials could be misused or captured by a malicious actor. Critical accounts should be stored within the solution with multi-factor authentication enabled in the solution. Solutions like CyberArk can provide granular auditing capabilities. |
Moderate | Low | Implement a “Memorized Secret” Password Policy: Set a passphrase policy that requires lower case, upper case, numbers, and special characters. For standard user accounts, the length of the passphrase should be 12 characters minimum. Domain administrator accounts should be 16 characters minimum. Service accounts should be 25 characters minimum. Strong passphrase policies limit the effectiveness of brute force and password spraying attacks. Rapid7 recommends implementing a memorized secret password policy in which passphrase rotation for standard user accounts occurs every year. Rotating passwords too frequently can result in weaker passphrases and does not make for a good user experience. |
Moderate | High | Implement MFA for All Accounts with Access to the Network, Cloud Services, Applications, and Critical Systems: Implement multi-factor authentication on all accounts at all ingress points into the environment. For externally facing systems, MFA will mitigate the risk of brute force, password spraying, phishing, and unauthenticated access to the environment via VPN. Critical systems such as domain controllers, backup, and production systems should require MFA to prevent threat actors with compromised credentials from moving laterally to access critical systems. Applications such as GSuite, Office365, password managers, and all business applications should require multi-factor authentication as well. |
High | Moderate | Update Frequently Targeted Native and Third Party Applications: Ensure use of a vulnerability and/or patch management solution to update frequently targeted applications and reduce the likelihood of compromise from exploit kits, phishing, and targeted attacks. Deploy a tool to manage the health of third-party application catalogs, ensuring patches can be uniformly applied. If outdated and unsupported versions of third party applications are required, they should be run in isolated sandboxes for further protection in the event of exploitation. Third party software is exploited at three times the rate of native software packages on average. Applications such as Adobe Flash and Java are among the most actively exploited. Multiple vulnerability scanning engines can lead to inconsistent detection and remediation of vulnerabilities. Use a uniform scanning policy for both scan engines or scan all environments with both scan engines. |
Moderate | Moderate | Define, Document, and Implement a Vulnerability Management Program: Have a documented and comprehensive vulnerability management program. The vulnerability management program should include an asset and application inventory, categorization based on criticality, risk considerations, and a tie-in to an existing patch management program for all internal and external assets and applications regardless of the data that is stored or transferred. The vulnerability management program should be a single solution. Credentialed vulnerability scans should be included as part of the vulnerability management program. Patch management should be applied in the same manner across all critical infrastructure. All vulnerabilities not deemed critical should have the same patch life cycle. Patches for vulnerabilities should have remediation SLAs that vary depending on the criticality of the severity. The remediation SLA times should be agreed upon with the IT Team. |
High | Low | Use an Application Sandbox to Run Frequently Targeted Applications: Use an application sandbox, such as Windows Defender Exploit Guard, which is included in Windows 10 as part of Windows Defender, to ensure that frequently targeted applications, such as browsers and office suites, will terminate if exploited. Application sandboxing mitigates the likelihood that successful exploitation of an application would allow malware to interact with the underlying operating system and application processes. To enable Windows Defender Exploit Guard, read the link in the next column. |
High | Low | Implement Application Allowlisting for Critical Systems: Implement application allowlisting for critical systems, such as Domain Controllers and servers. Application allowlisting reduces the likelihood of a malicious actor executing malware or unapproved utilities, and is less labor-intensive to implement on systems with static configurations. |
High | High | Implement an Anti-Phishing Solution: Implement an anti-phishing solution which can be used to prevent phishing emails from landing in a user’s inbox and compromising the user’s credentials or asset. |
High | Low | Implement User Awareness Training: Implement phishing-based training for users identified as opening unknown attachments or clicking unknown links. Train users on how to forward suspicious links or emails to information security for analysis. Provide user awareness training at regular intervals to all users, including contractors. |
Moderate | Low | Educate Users on Not Reusing Work Passwords on External Websites: Ensure users know that reusing work passwords on external websites, or for any other purpose, exposes them to the risk of being leaked. While technical controls can enforce password complexity requirements, they cannot prevent a user from reusing their work password on an external website. |
Moderate | Moderate | Implement a Load Balancer to Handle Web Traffic: Rapid7 recommends implementing a load balancer to prevent web servers from becoming overwhelmed with network traffic. Load balancers are commonly used to prevent Denial-of-Service and Distributed Denial-of-Service attacks. |
Moderate | Moderate | Implement a Web Application Firewall: Rapid7 recommends implementing a web application firewall for web servers to minimize or eliminate risk surrounding the traffic between web servers and clients. |
Moderate | Low | Prevent Activation of OLE Packages in Word Documents: Prevent the activation of OLE packages in Microsoft Word to stop users from launching malicious packages. Create a registry value under `HKCU\Software\Microsoft\Office\<Office Version>\Word\Security\` with the name `PackagerPrompt`, the type `REG_DWORD`, and the value `2`. For more information, please click here and here. |
Moderate | Low | Prevent Execution of Office Macros via Group Policy: Disable macro execution in the Microsoft Office suite from untrusted locations. Office macros account for approximately 98% of Office malware. Disabling macros decreases the attack surface of user workstations. For more information on disabling macros using AD GPOs, click here. |
High | Low | Limit Credential Caching on Servers and Workstations: Limit user credential caching on network-connected workstations and servers. By default, Windows caches the last ten credentials for previous logins on workstations, which a malicious actor could extract with credential-dumping utilities, such as Mimikatz. Disabling caching prevents passwords from being stored in memory and lowers the risk of credential theft. For more information on disabling credential caching, click here (https://www.itprotoday.com/security/domain-credential-caching). |
High | Low | Block Outgoing Connections via Regsvr32.exe: Ensure outgoing connections from the Microsoft Register Server, regsvr32, are blocked. regsvr32.exe is a command-line utility in Microsoft Windows operating systems for registering and unregistering DLLs and ActiveX controls in the Windows Registry. A malicious actor could use regsvr32.exe to bypass security controls, such as application allowlisting, by passing it the URL of an attacker-hosted payload on invocation during a Squiblydoo attack. For more information, click here. |
High | High | Create, Enforce, and Monitor a Policy that Defines System Hardening Procedures for Standard Build Configurations: Ensure creation and enforcement of a policy for system hardening. Using known and trusted sources, such as DISA’s Security Technical Implementation Guides (STIGs), hardening procedures should be documented and baked into templates or gold images. Center for Internet Security (CIS) benchmarks can also be referenced as guidelines for hardening servers prior to deployment. The policy should also include documentation for updating and modifying standard build configurations. Updating that is performed ad hoc or as a one-off can introduce weaknesses and inconsistencies in the environment. System configuration changes should be monitored for changes made outside of the documented change management process. Expected behavior can be baselined after a tuning period to reduce events and create high-fidelity alerts on critical systems. |
Moderate | Low | Enable Windows Defender Credential Guard: Implement Windows Defender Credential Guard to securely handle account passwords when remoting to other systems in an environment and to prevent credentials in memory from being extracted. If Windows Defender Credential Guard is not implemented, privileged account credentials can be stored on destination systems and later acquired by threat actors that compromised a system, or acquired directly from memory. Additionally, always log off from remote sessions gracefully rather than simply closing them; gracefully logging off allows credentials to be properly removed from cache memory. This should be part of the standard baseline configuration for assets. Instructions to implement Windows Defender Credential Guard can be found in the link in the next column. |
Moderate | Low | Forward All Possible Event Sources to a SIEM Platform: Forward all log sources that provide value for security events and investigations to InsightIDR. Threat actors delete data as a form of anti-forensics; forwarding data to a SIEM keeps copies of the data in a single pane of glass for rapid incident response. For reference on how to forward a variety of data sources to InsightIDR, click here. |
High | Moderate | Enable and Standardize PowerShell v5 Logging and Disable PowerShell v2 on All Systems: Enable and configure PowerShell Transcription, Script Block, and Module logging for PowerShell version 5. Logging can be enabled through Group Policy settings. With a majority of attackers utilizing some type of PowerShell in their efforts to compromise a system, the extended visibility of PowerShell Script Block logging can provide earlier detections. PowerShell v2 should be uninstalled from all systems after upgrading to prevent downgrade and bypass attacks. PowerShell v2 also may not log certain activity carried out by threat actors. |
High | High | Create, Document, and Implement a DLP Policy and Solution: Create documented data encryption policies and standards, communicate them to relevant parties, and test them to verify that all systems adhere to the policies. The data loss prevention tool that is selected and implemented will help monitor for sensitive data at rest, in transit, and leaving the network. Sensitive data found stored in unsecured storage locations should be classified and moved. When enforced in tandem with a data classification policy, access to and movement of sensitive data can be used to determine activity baselines and identify anomalous behavior. Some solutions, such as Office365, already have DLP capabilities which should be configured and enabled. |
High | Moderate | Create and Document Backup Policies and Test on a Quarterly Basis: Create and document a backup policy. Test backups quarterly or whenever a major hardware or software change is made to core infrastructure. Backup testing should closely mirror an actual restoration in order to ensure the integrity of the processes and technologies involved. For user workstations and local servers, force redirection or replication of local workstation files to a backup solution. Backups should be restorable at a per-file level. |
High | Moderate | Use Encrypted Credentials with PowerShell: Use encrypted credentials when using PowerShell scripts inside the network. This will protect scripts and credentials from being compromised, read, or abused. For more information on how to use this feature, see the articles here and here. |
Moderate | High | Document and Segment the Network Based on Data Sensitivity and Type: Identify critical systems and systems containing sensitive data and separate them over different VLANs with firewall filtering to limit a malicious actor’s lateral movement and ability to compromise neighboring systems. A ‘flat’ network in which segmentation is not implemented could allow a malicious actor who breaches the network to pivot into any workstation on the network. Network segmentation can help mitigate the scope and severity of a breach by separating sensitive systems and data. Additionally, develop a procedure for creating and maintaining a list of critical data locations within the corporate and production environments. Systems that store and handle critical data should be easily referenced within this document. These lists should feed into the disaster recovery and business continuity plans. |
Moderate | Moderate | Restrict Server Internet Access: Ensure critical servers do not have Internet access, to reduce a malicious actor’s ability to download additional malware, upload captured data to their infrastructure, and use the server as a post-exploitation ingress method. Critical servers with Internet access increase the risk of compromise through web browsing and could allow direct Command and Control activity if a malicious actor installs a backdoor. An allowlisting model for network connections on production servers should be implemented to permit connections only to documented IP addresses and domains. |
Moderate | Moderate | Disable Split-Tunnel VPN Configurations: Ensure that all VPN users have their entire network traffic tunneled through the VPN to reduce the risk of a malicious actor connecting to the endpoint. Split-tunnel VPNs allow connections from a remotely connected endpoint to traverse a potentially untrusted network. |
Moderate | Moderate | Block Inbound RDP Access on the Firewall: Ensure the network-level firewall is configured to block incoming attempts to access RDP from the public Internet. Configure the Windows firewall to block connection attempts to RDP when the asset is not on the corporate network. Additionally, do not run RDP on a nonstandard port; malicious actors can still find the port that is running RDP even if it is not port 3389 and use it as an ingress point into the environment. |
High | Moderate | Block Executable Files at Web Proxy: Block executable files at the web proxy and only allow users to download executables from allowlisted sites serving business purposes. |
High | Moderate | Log All Web Proxy, Firewall, and DNS Traffic for User Workstations and Servers: Capture complete web proxy, firewall, and DNS traffic from all user workstations and servers. Network logging and visibility aid the incident response process, providing answers about malware sources, compromised assets, lateral movement, and potential command and control activity. All logs should be forwarded to InsightIDR if possible. If not, retain the data for a minimum of 30 days. |
Moderate | Moderate | Regularly Review Firewall, Proxy, and Other Network Configurations or Policies: Perform regular firewall content reviews, and increase the breadth of firewall rules between network segments. Strong network segmentation is a key element in preventing malicious actors’ lateral movement throughout the network during an attack, and helps protect critical infrastructure. Changes to critical infrastructure should be compared against existing change management tickets to ensure modifications occurred legitimately. A complete review of all firewall rules should occur on an annual basis, with new changes following existing change management protocols. Additionally, review inbound and outbound URL and firewall access policies and block high-risk categories, such as adult material, games, gambling, advertisements, Peer-to-Peer file sharing, and dynamic DNS. Block all security categories, which include spyware, phishing, keylogging, drive-by downloads, and malicious mobile code. |
High | Moderate | Disable Ingress Access to Remote Administration Solutions from Non-VPN IP Addresses: Disable ingress access to the remote administration solutions in the environment from non-VPN IP addresses. This reduces the likelihood of a malicious actor exploiting the solution to gain control of remote systems and install malware or steal personal information. Keep the solutions disabled unless they are actively needed. |
High | High | Document, Implement, Communicate, Practice, and Regularly Update an Incident Response Plan: Document proper incident response guidelines for all phases of the incident response lifecycle: identification, incident classification, notification/escalation, analysis, containment, remediation, recovery, and lessons learned. Testing of the plan should come in the form of bi-annual tabletop exercises (TTX) or purple team exercises, with one being conducted by a third party. The incident response plan should name all necessary parties so that individuals and teams can derive their role and responsibility during the exercise. The plan should be updated after the TTX or purple team exercise to address any identified gaps. The incident response plan should also reference the business continuity plan and disaster recovery plan in the event of major cyber incidents. |
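As an added example that is not part of the report, the following PowerShell script audits, and with `-Apply` sets, three of the table’s host-level settings on one machine: the Word `PackagerPrompt` value from the OLE packages row, the cached logon count from the credential caching row, and the PowerShell v5 Script Block, Module and Transcription logging policies together with removal of the PowerShell v2 feature. The `PackagerPrompt` path is from the table; the policy key names, the `CachedLogonsCount` value of 1, the transcript directory and the optional feature names are assumptions based on Microsoft’s documentation, not on the report.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Rapid7 report. Audits three host settings from the
# recommendations table and applies them when -Apply is given. Assumptions (from
# Microsoft documentation, not from the report): the PowerShell policy key names,
# CachedLogonsCount = 1, the transcript directory, and the v2 optional feature names.

function Get-OfficeVersions {
    # Per-version keys such as 15.0 or 16.0 under HKCU:\Software\Microsoft\Office
    Get-ChildItem 'HKCU:\Software\Microsoft\Office' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+\.\d+$' } |
        ForEach-Object { $_.PSChildName }
}

function Get-RegValueLiteral {
    # GetValue() reads the name literally, which matters for the '*' module-logging entry
    param([string]$Path, [string]$Name)
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue($Name) } else { $null }
}

function Set-RegValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type)
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -LiteralPath $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Get-HardeningChecks {
    $checks = @()
    # 1. Word OLE packager prompt: PackagerPrompt = 2 (REG_DWORD), as in the table row
    foreach ($v in Get-OfficeVersions) {
        $checks += @{ Path = "HKCU:\Software\Microsoft\Office\$v\Word\Security"
                      Name = 'PackagerPrompt'; Value = 2; Type = 'DWord' }
    }
    # 2. Cached domain logons (Windows default is 10; stored as REG_SZ). Value 1 is an assumption.
    $checks += @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
                  Name = 'CachedLogonsCount'; Value = '1'; Type = 'String' }
    # 3. PowerShell v5 Script Block, Module and Transcription logging policies
    $ps = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $checks += @{ Path = "$ps\ScriptBlockLogging"; Name = 'EnableScriptBlockLogging'; Value = 1; Type = 'DWord' }
    $checks += @{ Path = "$ps\ModuleLogging";      Name = 'EnableModuleLogging';      Value = 1; Type = 'DWord' }
    $checks += @{ Path = "$ps\ModuleLogging\ModuleNames"; Name = '*'; Value = '*';   Type = 'String' }
    $checks += @{ Path = "$ps\Transcription"; Name = 'EnableTranscripting';    Value = 1; Type = 'DWord' }
    $checks += @{ Path = "$ps\Transcription"; Name = 'EnableInvocationHeader'; Value = 1; Type = 'DWord' }
    $checks += @{ Path = "$ps\Transcription"; Name = 'OutputDirectory'; Value = 'C:\PSTranscripts'; Type = 'String' }  # placeholder path
    $checks
}

function Invoke-HardeningAudit {
    param([switch]$Apply)
    $results = @(foreach ($c in Get-HardeningChecks) {
        if ($Apply) { Set-RegValue -Path $c.Path -Name $c.Name -Value $c.Value -Type $c.Type }
        $actual = Get-RegValueLiteral -Path $c.Path -Name $c.Name
        [pscustomobject]@{
            Setting   = "$($c.Path)\$($c.Name)"
            Expected  = $c.Value
            Actual    = $actual
            Compliant = ($null -ne $actual -and "$actual" -eq "$($c.Value)")
        }
    })
    # PowerShell v2 engine: remove it so downgrade attacks cannot sidestep v5 logging
    foreach ($f in 'MicrosoftWindowsPowerShellV2Root', 'MicrosoftWindowsPowerShellV2') {
        $feat = Get-WindowsOptionalFeature -Online -FeatureName $f -ErrorAction SilentlyContinue
        if (-not $feat) { continue }
        if ($Apply -and $feat.State -eq 'Enabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName $f -NoRestart | Out-Null
            $feat = Get-WindowsOptionalFeature -Online -FeatureName $f
        }
        $results += [pscustomobject]@{
            Setting = "OptionalFeature\$f"; Expected = 'Disabled'
            Actual  = $feat.State;          Compliant = ($feat.State -ne 'Enabled')
        }
    }
    $results
}

# Audit only; run Invoke-HardeningAudit -Apply once the change has been approved
Invoke-HardeningAudit | Format-Table -AutoSize
```

In a domain, the same values are normally delivered through Group Policy, as the table recommends; this script is for checking a single host or a gold image before that policy is in place.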