Rapid7’s Managed Detection and Response (MDR) service generated 168 alerts to identify malicious activity in Company Name’s environment in May. MDR did not identify malicious activity which required incident response during this period.
47,985,233,380
168
0
The following table identifies the data sources from which InsightIDR collected logs last month, the log set in InsightIDR log search where the logs are stored, and the number of log files collected per data source. The MDR team uses this data when investigating an incident.
You can also view your logs in InsightIDR by clicking Log Search from the left menu.
The MDR Security Operations Center performed in-depth validation of 149 alerts by priority. The MDR team applied user behavior analytics to retrace the user and activity behind each alert. As part of this analysis, the MDR team reviewed domains and URLs accessed by users, processes executed by users, historical logon activity, and system roles associated with the alerts.
For more information about alert priorities and closed alert dispositions, go to the Key Terms and Definitions tab.
Alerts by Priority.
This table lists the alerts that were closed during the month of May. The table is generated by matching signatures to logs and events from the Company Name environment.
Alerts by Disposition.
MDR did not respond to any security incidents during the month of May.
| Artifact Type | Operating System | Count |
|---|---|---|
| Running Processes | Windows | 2,706,143 |
| Prefetch | Windows | 909,480 |
| Registry-Based Persistence | Windows | 12,863,880 |
| Scheduled Tasks | Windows | 2,996,982 |
| Services | Windows | 13,004,396 |
| Crontab | Linux | 28,788 |
| Running Processes | Linux | 655,007 |
| Sudoers | Linux | 1,992,146 |
| Suid Binaries | Linux | 120,993 |
| Kernel Modules | Linux | 120,008 |
| Authorized Keys | Linux | 302,008 |
| Running Processes | Mac | 10,665 |
| Sudoers | Mac | 677 |
| Suid Binaries | Mac | 605 |
| Authorized Keys | Mac | 0 |
| Crontab | Mac | 1 |
| Services | Mac | 0 |
| Kernel Extensions | Mac | 8,890 |
During the month of May, MDR’s threat hunters performed 10 hunts in Company Name’s environment. Details of these threat hunts can be found in the table below. If evidence of compromise was identified as a result of these threat hunt(s), our incident response process would have been initiated (see the ‘Incidents’ section of this report).
| Hunt Name | Hunt Description | Hunt Timeframe |
|---|---|---|
| Vultr Infrastructure Leveraged by Russian and Chinese APT Groups | Rapid7 undertook a hunting project with the goal of using network telemetry to identify malicious use of the Vultr VPN Infrastructure associated with Russian and Chinese APT Groups. These IP addresses have been leveraged by the threat actors to access environments, collect victim data and exfiltrate it from the network. These methods have been observed in campaigns as recent as April 2025. | 2025-03-15 - 2025-05-01 |
| DarkCrystal RAT and Netherlands C2 Infrastructure Hunt | This hunt focused on searching for different IOCs provided by a threat intel sharing partner revolving around a specific tool and C2 infrastructure distributing a remote access trojan (RAT) codenamed DarkCrystal. | 2025-01-01 - 2025-03-02 |
| Fortinet IOCs for CVE-2025-32756 | This hunt focused on firewall activity from IP addresses identified by Fortinet in their advisory: https://fortiguard.fortinet.com/psirt/FG-IR-25-254 | 2025-04-21 - 2025-05-15 |
| Hunt for Known Silk Typhoon Infrastructure | Rapid7 undertook a hunting project with the goal of using network telemetry to identify malicious IP addresses associated with Silk Typhoon obtained from recent incident response investigations. These IP addresses have been leveraged by the threat actors to access environments, collect victim data and exfiltrate it from the network. These methods have been observed in campaigns as recent as May 2025. | 2025-03-01 - 2025-05-06 |
| Legion: Credential Harvester and SMTP Hijacker | This threat hunt was aimed at using network and endpoint telemetry to identify instances of an emerging Python-based credential harvester and hacktool known as ‘Legion.py’. The focus was detecting this Python hacktool and hardcoded IAM user ‘ses_legion’. This IAM user is created by the hacktool and has been observed in incident response investigations as recently as May 2025. | 2025-03-01 - 2025-05-01 |
| PRC-Associated ShadowPad Malware Infrastructure | Rapid7’s threat hunting team conducted a threat hunt for the ShadowPad malware used by Chinese state-sponsored Advanced Persistent Threat (APT) associated groups. Rapid7 hunted for connections to the malware’s command and control (C2) infrastructure over the month of February 2025. | 2025-01-31 - 2025-03-01 |
| RAT Leveraged by Likely Chinese Espionage Group | This hunt focused on identifying indication of compromise related to a new malware deployed by Advanced Persistent Threat (APT) Actors as part of a supply chain attack. | 2024-10-31 - 2025-01-01 |
| Hunt for Known Scattered Spider IOCs | Scattered Spider is a financially-motivated ransomware-as-a-service (RaaS) group that has been active since 2022. The group is known to impersonate reputable brands in its social engineering attacks and phishing campaigns in order to obtain access to target environments. | 2025-03-31 - 2025-05-01 |
| Ivanti ETR hunt covering CVE-2025-22457 | On Thursday, April 3, 2025, Ivanti disclosed a critical severity vulnerability affecting Ivanti Connect Secure, Pulse Connect Secure, Policy Secure, and ZTA Gateways. CVE-2025-22457 is a stack-based buffer overflow vulnerability that allows remote, unauthenticated attackers to execute code on the target device. In response to this, the threat hunting team searched across available logsets to find customers running Ivanti devices, to notify them of the vulnerability and urge them to update and verify their Ivanti appliances. | 2025-03-25 - 2025-04-05 |
| PDFast Potential Infostealer Hunt | Beginning in March 2025, the SOC began observing an influx of a piece of freeware dubbed PDFast, which appears to be served through malvertising. Rapid7’s analysis of the associated binaries indicates that they have infostealer-like capabilities. On 2025-04-16, the associated binaries were updated, triggering multiple alerts due to the related malicious activity. Using IOCs related to network activity, the Threat Hunt team reviewed firewall and DNS logs to look for activity indicating that PDFast had executed but had not generated an associated alert. | 2025-02-28 - 2025-04-17 |
In May, Rapid7 MDR’s Threat Intelligence and Detection Engineering (TIDE) team created 65 new detection rules. The TIDE team also implemented 2 suppressions, tuning the rules listed under “Rules with new Suppressions.” Each month, TIDE actively researches new detections to increase coverage, and implements suppressions to raise the fidelity of existing detections, which helps cover the Company Name environment.
Newly Created Rules
| Name | Description |
|---|---|
| Attacker Technique - Encoded Powershell Spawns Extraction Of 7zip Archive With Password | An encoded PowerShell command has been identified spawning the 7zip utility to extract the contents of an encrypted archive, utilizing a password. This behavior is indicative of a tactic used by malicious actors to deploy encrypted executables to an endpoint before their execution. |
| AWS CloudTrail - AdministratorAccess Attached to Newly Created User | This detection identifies a newly created user with the AdministratorAccess policy assigned. The AdministratorAccess policy grants unrestricted access to all resources within the environment. Threat actors have previously used this technique to establish persistence in compromised environments. |
| AWS CloudTrail - AdministratorAccess Policy Assigned Through Long-Term Access Key | This detection identifies the application of the AdministratorAccess policy to a user via a long-term access key. The AdministratorAccess policy grants unlimited access across the environment. This activity is frequently observed in cases of access key compromise. |
| AWS CloudTrail - Legion Tool User Creation Signature | This detection identifies the creation of an IAM user in a manner matching the signature of the Legion tool. Legion, a credential harvester and SMTP hijacker sold on Telegram, primarily targets web servers using Content Management Systems (CMS), or PHP-based applications. Its aim is to steal valid AWS credentials and pivot to the cloud environment. The tool is also known for conducting spam operations by targeting Simple Email Service (SES). |
| AWS CloudTrail - UpdateLoginProfile with Disabled Password Reset for a Different User | This detection identifies when a console login profile is updated for a different user with the “reset password” flag set to false. This flag indicates whether the user is required to reset their password upon their next login. Threat actors may exploit this to pivot to another account by setting their own console password if MFA is not enforced. Not requiring a password reset on the next logon is not considered a good security practice. |
| AWS CloudTrail Security Lake - AdministratorAccess Attached to Newly Created User | This detection identifies a newly created user with the AdministratorAccess policy assigned. The AdministratorAccess policy grants unrestricted access to all resources within the environment. Threat actors have previously used this technique to establish persistence in compromised environments. |
| AWS CloudTrail Security Lake - AdministratorAccess Policy Assigned Through Long-Term Access Key | This detection identifies the application of the AdministratorAccess policy to a user via a long-term access key. The AdministratorAccess policy grants unlimited access across the environment. This activity is frequently observed in cases of access key compromise. |
| AWS CloudTrail Security Lake - Creation/Modification of EC2 Security Groups to Allow Unrestricted RDP Access | This detection identifies an AWS account that creates or modifies a security group to allow unrestricted RDP access. Threat actors can leverage this to gain access to cloud systems. |
| AWS CloudTrail Security Lake - Creation/Modification of EC2 Security Groups to Allow Unrestricted SMB Access | This detection identifies the creation or modification of a security group to allow unrestricted SMB access using the “AuthorizeSecurityGroupIngress” API call. Threat actors leverage this technique to gain access to cloud systems. |
| Crowdstrike Falcon - Conditional Access policy added | Conditional Access policy added |
| Crowdstrike Falcon - Dangerous file extension | Dangerous file extension |
| Crowdstrike Falcon - Okta - SSO - Policy Deleted Deactivated or Modified | Okta - SSO - Policy Deleted Deactivated or Modified |
| Crowdstrike Falcon - Okta - SSO - Policy Rule Modified | Okta - SSO - Policy Rule Modified |
| Crowdstrike Falcon - Okta - SSO - Suspicious Authentication To Default API Endpoint | Okta - SSO - Suspicious Authentication To Default API Endpoint |
| Crowdstrike Falcon - Password Reset Attempted for a Suspended User | Password Reset Attempted for a Suspended User |
| CrowdStrike Falcon - Remote Response Session | This is an informational alert that displays commands that have been remotely executed on an asset by a CrowdStrike analyst via Real-Time Response (RTR). |
| Discovery - CloudSponge Email App Registration (O365/Azure) | CloudSponge is a software-as-a-service application that can import email addresses from a variety of sources. Threat actors can use CloudSponge to quickly gather a large volume of contact information, which can then be used for spamming, phishing or sold directly to other threat actors. |
| Discovery - SigParser Email App Registration (O365/Azure) | SigParser is an application that can be used to generate user profiles from data sources like emails, calendars, spreadsheets, etc. Threat actors can use this type of quick discovery to inform actions within a compromised environment, or it can be sold to other threat actors for various uses. |
| Exfiltration - Curl Upload File From Staging Directory | Curl is a data transferring utility that is available natively on all major operating systems. When used with the -T |
| Exfiltration - rclone App Registration (O365/Azure) | Rclone is an application that can be used to manage or transfer files to/from cloud storage. Threat actors commonly use rclone to exfiltrate stolen data post compromise. |
| Google Cloud Security Command Center - Clickjacking | A missing response header was detected. To prevent clickjacking, implement an HTTP response header like X-Frame-Options (XFO) or Content-Security-Policy (CSP). Clickjacking (https://owasp.org/www-community/attacks/Clickjacking, also called UI Redress) is a web attack where attackers modify the interface of a target website so victims don’t realize they are taking an important action. Implementing an HTTP response header is recommended: XFO headers are easy to use; CSP headers provide more flexibility. Learn more about XFO headers: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options. Learn more about CSP headers: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy |
| Google Cloud Security Command Center - Cloud IDS: Cisco IOS XE CVE-2023-20198 Associated Backdoor Traffic Detection | This signature detects a backdoor for Cisco IOS XE associated with CVE-2023-20198. |
| Google Cloud Security Command Center - Cloud IDS: Interactsh Tool out-of-band interactions HTTP traffic Detection | This signature detects the traffic for Interactsh tool out-of-band interactions. |
| Google Cloud Security Command Center - Cloud IDS: Western Digital My Cloud Backdoor | Western Digital My Cloud family devices contain a hard-coded backdoor admin account which cannot be changed. An attacker could exploit the backdoor by sending a crafted HTTP request. A successful attack allows for pre-auth remote root code execution on the affected device. |
| Google Cloud Security Command Center - Cross-Origin-Opener-Policy Header Missing | A Cross-Origin-Opener-Policy (COOP) header is missing from the response. COOP prevents attackers from opening cross-origin popups that can steal user credentials and execute arbitrary code. |
| Google Cloud Security Command Center - Execution: Workload triggered in sensitive namespace | Someone deployed a workload (e.g., Pod, Deployment) in the kube-system |
| Google Cloud Security Command Center - GKE Privileged Containers | Privileged containers allow nearly unrestricted host access. They share namespaces with the host, and lack control group, seccomp, AppArmor, and capability restrictions. |
| Google Cloud Security Command Center - Initial Access: Suspicious Login Blocked | Initial Access: Suspicious Login Blocked |
| Google Cloud Security Command Center - Persistence: Service Account Created in sensitive namespace | The kube-public namespace is typically reserved for objects accessible by unauthenticated users, and unexpected service account creation should be reviewed. The kube-system namespace is reserved for core Kubernetes components, and any new service accounts created here should be carefully scrutinized as they could grant access to sensitive cluster resources or allow for disruption of critical operations. |
| Google Cloud Security Command Center - Secrets In Environment Variables | The affected resource is storing credentials or other secret information in its environment variables. This is a security vulnerability because environment variables are stored unencrypted, and accessible to all users who have access to the code. |
| Google Cloud Security Command Center - Software Vulnerability | Software Vulnerability |
| Google Cloud Security Command Center - Sql Log Min Duration Statement Enabled | The “log_min_duration_statement” flag causes SQL statements that run longer than a specified time to be logged. It is recommended to disable this setting because SQL statements might contain sensitive information that should not be logged. |
| Google Cloud Security Command Center - Sql Log Min Messages | The “log_min_messages” flag in this Cloud SQL instance is not set to at minimum “warning”. The “log_min_messages” flag controls which message levels are recorded in server logs. The higher the severity, the fewer messages that are recorded. It’s recommended to set this flag to at minimum “warning”. |
| Google Cloud Security Command Center - The Attack Path Simulation (APS) Resource Value Assignment Limit Exceeded | The Attack Path Simulation (APS) Resource Value Assignment Limit Exceeded |
| Initial Access - QuickAssist and Manual Enumeration | Quick Assist is a native Windows utility that provides easy remote access and control of a Windows system. During the early stages of a social engineering attack, threat actors will often attempt to gain access to the target system via Quick Assist. Once access is achieved, enumeration commands typically follow within a short period of time. This detection is intended to alert on this pattern. |
| Initial Access - WScript Executes From Suspicious Archive | This detection identifies the Windows script host (wscript.exe) being used to execute a script from within an archive, where the naming scheme used for the archive, or the script, is considered suspicious. Wscript.exe is the default association for several scripting file extensions on Windows such as .js |
| Microsoft Defender for Identity - C2C - Suspected SMB packet manipulation (CVE-2020-0796 exploitation) | Suspected SMB packet manipulation (CVE-2020-0796 exploitation) |
| Microsoft Defender for Identity - C2C - Suspected WannaCry ransomware attack | Suspected WannaCry ransomware attack. |
| Microsoft Defender XDR - C2C - Suspicious emails sent by BEC-related user | Suspicious emails were sent by a possibly compromised user account related to an ongoing BEC (business email compromise) fraud attempt. This alert was triggered based on a previous BEC-related alert. |
| Microsoft Defender XDR - C2C - Suspicious sign in with CSRF speedbump trigger | Microsoft Entra ID detected a successful risky sign-in following CSRF (cross-site request forgery) speedbump trigger alert. This typically occurs when the sign-in flow deviates from expected browser behavior, such as session or cookie inconsistencies, missing or invalid forged tokens, or rapid automated request patterns. |
| Microsoft Defender XDR - C2C - User signed in from a known malicious IP Address | A user has signed in from an IP address that Microsoft has confirmed as malicious. This activity might indicate credential theft or account compromise. Investigate the user and the activities from the IP address. |
| Microsoft Defender XDR - C2C - User was created or modified by a compromised account | A user account was created or was added to a privileged group by an account that deployed ransomware or conducted a hands-on-keyboard attack. These activities might be an attempt by an attacker to maintain persistence and bypass attempts to contain the attack by distancing the original compromised account from the succeeding malicious activity. |
| O365 - New Inbox Rule Deletes All Incoming Mail | This detection identifies the creation of an inbox rule that is configured to delete all incoming emails. Threat actors often use this technique to prevent the targeted user from noticing that their account has been compromised. For example, if the compromised email is used to send spam or phishing emails to other targets by the threat actor, the recipients may reply to notify the user, but nothing will be received if an inbox rule is in place to delete all incoming emails. |
| Okta - Login failures with high unknown users count, Login failures from invalid devices | This detection identifies Okta Alert: Login failures with high unknown users count, Login failures from invalid devices |
| Okta - Suspicious login activity | This detection identifies Okta Alert: Suspicious login activity |
| Persistence - Stripped/Packed SSH Reverse Tunnel Localhost to External IP | This detection looks for SSH reverse tunnel command line arguments being passed on the command line to a process which does not have recognizable metadata for the SSH utility. Absent metadata is indicative of either software packing or metadata stripping, both of which can be used to evade detection. In the wild, threat actors have been observed loading the SSH utility via a specialized loader. SSH (Secure Shell) is a popular utility that can provide a remote shell over a secure connection and tunnel/proxy network traffic, for example. SSH is available natively on Windows (OpenSSH), MacOS, Linux, and many other popular operating systems. Threat actors commonly use SSH to establish a reverse tunnel, which provides persistent access to hosts within a network that would otherwise be inaccessible from the public internet. This technique is typically used post compromise to provide more reliable access to the target environment. This detection specifically looks for a reverse tunnel connection being established between a local host (potentially compromised asset) and the attacker’s SSH server. An explanation of how the -R |
| Potential Exploitation - SAP Service Downloads File | This detection looks for the SAP application service downloading a potential payload file and saving it locally, which is indicative of exploitation, for example exploitation of CVE-2025-31324. Historically, threat actors have uploaded web shells to compromised servers via exploitation to establish persistence. |
| PowerShell - Execute Remote Scriptblock in Memory | This detection identifies the usage of PowerShell to download and execute a PowerShell script block in memory. Threat actors commonly use this technique to minimize forensic evidence related to creating files locally, and increase the likelihood of evading detection/analysis. |
| PowerShell - Manual Execution of C# Program via PowerShell Script | This detection identifies the manual execution of a PowerShell script (.ps1) which contains a C# program. C# program content is identified by the child process execution of the C Sharp (C#) compiler csc.exe |
| Scattered Spider IOCs | This detection identifies Indicators of Compromise (IOCs) associated with the Scattered Spider group. Active for several years, the group is known for its extortion tactics, which include data encryption, exfiltration of sensitive information, and public leaks of stolen data when victims refuse to meet their demands |
| Suspicious Authentication - Azure AD / Entra ID Sign-in Risk Level Has Changed for an Account | This identifies when the Risk Level during Sign-in on Azure Active Directory / MS Entra ID has been upgraded (e.g., from Low to High) within a 24 hour period. Azure Active Directory / Microsoft Entra ID utilizes a risk-based sign-in protection system that analyzes sign-in attempts and assigns a risk level (low, medium, or high) based on various factors, including unusual locations, device types, and potential password leaks. These risk levels are then used to trigger conditional access policies, which can require multi-factor authentication or even block access for risky sign-ins. |
| Suspicious Authentication - Harvested Credential Authentication (Possible Brute Force Attack) | This detection flags potential harvested credential attacks by alerting when multiple users fail to authenticate from the same remote host. It identifies failed ‘ingress_auth’ logins from known users at common locations, excluding known services and organizations that may mask the original source IP. An alert is generated after 5 matches within 15 minutes, indicating a threat actor may be using compromised credentials for brute-forcing or credential stuffing across different user accounts. Note: This detection rule is OFF by default. Enabling this rule may result in a high volume of alerts and potentially generate noise due to its broad detection scope. Exercise extreme caution when considering enabling this rule and thoroughly evaluate its potential impact on your environment. The detection can be fine-tuned as necessary by creating or applying exceptions to manage alert noise. |
| Suspicious Authentication - Multiple Failed Logins From a Low Cost VPN provider | This detection identifies multiple failed authentication attempts originating from an IP address associated with low-cost VPN providers. An alert is generated when a threshold of 20 failed login attempts from a single source IP is met within a 5-minute interval. This could be an indication of a potential brute-force attack. |
| Suspicious Authentication - Sovy Cloud | This detection identifies successful authentications from low-cost VPN providers. |
| Suspicious Authentication - Vultr | This detection identifies successful authentications from a low-cost VPN provider. |
| Suspicious Connection - Meterpreter Shell in Staging Directory | This detection identifies processes making a connection to the default Meterpreter port, 4444, after being executed from a commonly used staging directory. The port is used for a reverse shell by Meterpreter, which is a Metasploit payload that is used by both penetration testers and threat actors. Metasploit is a penetration testing framework. |
| Suspicious Process - Antivirus Discovery Commands | Various AutoIT loaders have been observed during malware campaigns. These AutoIT loaders contain commands to check for certain antivirus software by executing tasklist.exe and parsing the results with findstr.exe. |
| Suspicious Process - Node Executes Log File | This detection identifies the usage of Node, a JavaScript runtime executable, to execute a JavaScript script that has been disguised as a log file. Threat actors have been observed using this technique in the wild after gaining initial access via social engineering, where the user is tricked into executing a malicious command under the guise of completing a fake captcha process. |
| Suspicious Process - Proxy Execution Via Electron App | Microsoft Teams may be used to launch additional processes via the gpu-launcher command flag. Legitimate Microsoft binaries may be used to evade defenses like process or signature based defenses by proxying the command execution through the binaries. |
| Suspicious Process - Renamed ScreenConnect Installer in Staging Directory | This detection identifies the execution of a ScreenConnect installer from a known staging directory with a suspicious name, a pattern which indicates that the user executing the installer was most likely phished or otherwise social engineered into executing the file. Rapid7 has observed, for example, renamed ScreenConnect installers being delivered under the guise of tax services or financial proposals. Threat actors use this pretext to pressure users into executing the installers, which then provides them with remote access to the environment, that can be used and/or sold. |
| Suspicious Process - Renamed SoftEther VPN Client | SoftEther VPN is a free, open source, multi platform utility that can be used to connect systems via a virtual private network. The software is legitimate but has also been observed in use by threat actors in the wild, who may rename the executable to evade detection. For example, the threat actor may start a SoftEther VPN server that is configured to establish a connection to a VPN bridge upon execution. The threat actor can then connect to the VPN bridge to access the compromised system within the target network for command and control. |
| Suspicious Process - RVTools Trojan | RVTools is a popular VMware utility used in Windows environments by system administrators and other IT staff. The tool’s popularity makes it an appealing target for threat actors, who have been observed distributing trojanized installers for the tool. The malicious installers are typically hosted on a typosquatted look-alike domain and are promoted via SEO poisoning. The official RVTools distribution domains have allegedly also been compromised in the past, meaning that any installer for RVTools should be verified prior to execution to avoid malware infection. For example, Bumblebee malware has been observed being delivered by trojanized RVTools MSI packages. |
| Suspicious Process - ScreenConnect RunFile in Staging Directory | This detection identifies the usage of ScreenConnect to execute an executable file (.exe |
| Suspicious Process - Windows CardSpace UI Agent In Non-Standard Directory | The Windows CardSpace User Interface Agent (icardagt.exe |
| Suspicious Process - xattr Clear All Attributes from /tmp/ File | This detection identifies the usage of the extended attributes utility (xattr) to strip all of the metadata from a file that exists within /tmp/ |
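The two threshold rules in the table above (five distinct users failing from the same remote host within 15 minutes, and 20 failures from a single low-cost-VPN address within 5 minutes) can be reproduced as sliding-window checks over authentication events. This is an added example, not Rapid7’s rule logic: the `key=value` log format, the `_line` helper and the `LOW_COST_VPN_PREFIXES` placeholder are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth events in a simple "key=value" line format. This is an
# assumed format for the example, not InsightIDR's actual ingress_auth schema.
def _line(minute, second, user, src, result):
    return f"2025-05-12T08:{minute:02d}:{second:02d} user={user} src={src} result={result}"

SAMPLE_LOG = (
    # five different users failing from one host within 15 minutes (credential-stuffing pattern)
    [_line(0, 0, "alice", "198.51.100.9", "FAILURE"),
     _line(2, 0, "bob", "198.51.100.9", "FAILURE"),
     _line(4, 0, "bob", "198.51.100.9", "SUCCESS"),   # successes are ignored by both rules
     _line(6, 0, "carol", "198.51.100.9", "FAILURE"),
     _line(9, 0, "dave", "198.51.100.9", "FAILURE"),
     _line(12, 0, "erin", "198.51.100.9", "FAILURE")]
    # four users from a second host, then a fifth only after the 15-minute window has passed
    + [_line(0, 0, u, "192.0.2.5", "FAILURE") for u in ("u1", "u2", "u3", "u4")]
    + [_line(20, 0, "u5", "192.0.2.5", "FAILURE")]
    # twenty failures for one account from a (constructed) low-cost VPN address in under 3 minutes
    + [_line(30 + i // 7, (i % 7) * 8, "svc_backup", "203.0.113.7", "FAILURE") for i in range(20)]
)

# Constructed placeholder (documentation range); a real rule would use a curated provider list.
LOW_COST_VPN_PREFIXES = ("203.0.113.",)


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime 'ts' field."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def _failures_in_window(lines, window, src_filter=lambda src: True):
    """Yield (record, window) for each failed login, where window is the deque of
    (ts, user) failures from the same source within the trailing time window."""
    recent = defaultdict(deque)
    for rec in sorted((parse_line(l) for l in lines), key=lambda r: r["ts"]):
        if rec["result"] != "FAILURE" or not src_filter(rec["src"]):
            continue
        q = recent[rec["src"]]
        q.append((rec["ts"], rec["user"]))
        while rec["ts"] - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        yield rec, q


def harvested_credential_alerts(lines, min_users=5, window=timedelta(minutes=15)):
    """Harvested-credential rule: >= min_users distinct users failing from one source
    within the window. One alert per source."""
    alerts, alerted = [], set()
    for rec, q in _failures_in_window(lines, window):
        users = {u for _, u in q}
        if len(users) >= min_users and rec["src"] not in alerted:
            alerted.add(rec["src"])
            alerts.append({"src": rec["src"], "users": sorted(users), "at": rec["ts"]})
    return alerts


def vpn_bruteforce_alerts(lines, threshold=20, window=timedelta(minutes=5)):
    """Low-cost VPN rule: >= threshold failures from one VPN-range source within the window."""
    alerts, alerted = [], set()
    in_vpn_range = lambda src: src.startswith(LOW_COST_VPN_PREFIXES)
    for rec, q in _failures_in_window(lines, window, in_vpn_range):
        if len(q) >= threshold and rec["src"] not in alerted:
            alerted.add(rec["src"])
            alerts.append({"src": rec["src"], "failures": len(q), "at": rec["ts"]})
    return alerts


if __name__ == "__main__":
    for a in harvested_credential_alerts(SAMPLE_LOG):
        print("harvested-credential alert:", a)
    for a in vpn_bruteforce_alerts(SAMPLE_LOG):
        print("low-cost VPN brute-force alert:", a)
```

The second host never alerts because the window slides past its first four failures before the fifth user appears, which is the behaviour that keeps this kind of rule from firing on slow, unrelated failures.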
Rules With New Suppressions
The Insight Agent is deployed on 21,156 of the 22,000 endpoints that your organization asked the MDR team to monitor. We encourage you to deploy the Insight Agent on the remaining endpoints so we can provide forensic analysis, hunt activities, and alert recommendations for all 22,000 planned endpoints.
You have a total of 22,000 endpoint licenses. If the endpoint data provided in this report is inconsistent with planned deployment targets, contact your Customer Advisor.
96
21,156
22,000
22,000
This section provides the total number of administrators identified in your environment.
20
Non-expiring passwords are at high risk of credential theft and reuse. Malicious actors could reuse these passwords on third-party sites. Rapid7 recommends limiting the use of non-expiring passwords. Implementing user password rotation reduces the risk of unauthorized access from harvested credentials.
2952
2371
The following users were observed performing administrator-level actions in your environment. Rapid7 recommends reconciling this list with the approved administrators for your organization.
This section provides visibility into various categories of software observed being executed in the Company Name environment. Rapid7 recommends reviewing the following applications to determine if they are authorized and approved according to the Company Name's acceptable use policy.
PUPs are often non-malicious in nature, but may be admin tools, browser toolbars and other types of software that may serve no business need.
Rapid7 did not identify any potentially unwanted programs in the Company Name environment.
Remote access solutions can be used by threat actors to gain remote access to a system.
Rapid7 identified remote access software (Bomgar, Chrome Remote Desktop, ScreenConnect, VNC, DameWare, PSExec, TeamViewer) installed on several systems in the Company Name environment. Rapid7 recommends reviewing the software’s presence on each system to determine whether it has a business need and if the system owner is authorized to use the application.
Rapid7 did not identify any cloud storage solutions in the Company Name environment.
Rapid7 identified multiple registered domains potentially designed to be imposters of the Company Name registered domains. Rapid7 recommends reviewing and blocking the identified domains, if they serve no business need.
When you use Rapid7 MDR services, your logs are collected and matched against curated rules. Each time an event matches certain rule criteria, an alert is sent to our MDR team, and they respond with an investigation. The following sections describe how Rapid7’s MDR team defines the priority, status, and disposition of alerts, and provide an overview of our incident reports.
Rapid7 will prioritize alerts based on a combination of the likelihood of malicious activity and the potential impact of the detected activity.
| Priority | Description |
|---|---|
| Critical | Activity occurred in your environment that was almost certainly a malicious event. Critical alerts require immediate response and are the highest priority for the MDR team. |
| High | Activity occurred in your environment that was most likely a malicious event and should be prioritized for analyst review. |
| Medium | Activity occurred in your environment that may be a malicious event and requires analyst review. |
| Low | Activity occurred in your environment that is likely not malicious but still requires review by a Rapid7 MDR Analyst. |
Rapid7 determines the severity of an incident based on a number of factors, including:
| Severity | Incident Definition | Example Incident(s) |
|---|---|---|
| Low | A non-targeted, low-impact threat involving a small number of systems or users which is already contained by existing security controls | A non-targeted phishing attack with no evidence that the recipient(s) provided credentials |
| Medium | A non-targeted, low-impact threat impacting a small number of systems or users, but requiring additional actions from you to fully contain and eradicate the threat | Malware delivered via a non-targeted phishing attack that is only partially blocked on an endpoint |
| High | A high risk or high impact threat with no sign of active attacker activity | Historical evidence of compromise on a web server, with indications of prior lateral movement within the environment |
Once an alert has been investigated, it is marked as Closed, and is assigned one of the following dispositions:
| Disposition | Description |
|---|---|
| Benign | This event was associated with non-malicious behaviors in the context of your environment and did not require additional validation from your organization to close. |
| Reported Benign | This event was reported to your organization and was confirmed as benign. For example, after further investigation, Rapid7 confirmed that a suspicious authorization or honeypot was benign. |
| Reported Malicious | The event represented by this alert was associated with malicious activity and was reported to your organization. Your organization confirmed that this event was unexpected behavior and further analysis indicated a compromise. The communication resulted in changes to your environment, such as password resets or reconfigured services. |
| Security Test | Rapid7 determined that this alert was related to security testing, and did not require customer validation to close. |
| Reported Security Test | Rapid7 determined that this alert was associated with alerts often generated by security testing, and confirmed with your organization. |
| Reported Unknown | Rapid7 reported this alert to your organization, but we did not complete an in-depth investigation. Your organization indicated that this event fulfilled a business use case or that it was of no concern. |
| System Closed | Alerts that were closed automatically without further analyst review. This includes alerts that on their own do not indicate malicious activity, but are reviewed if they are related to a high fidelity alert. |
| False Positive | An alert was triggered that was not related to the rule logic. Rapid7 triaged the event, and submitted a tuning request to the intel team. |
| PUP | A potentially unwanted program (PUP) or potentially unwanted application (PUA) is software that a user may perceive as unwanted or unnecessary. Such software may use an implementation that can compromise privacy or weaken the computer’s security, but is not considered malicious. Companies often bundle a wanted program download with a wrapper application and may offer to install an unwanted application, and in some cases without providing a clear opt-out method. For example, potentially unwanted programs can include software that displays intrusive advertising (adware), tracks the user’s Internet usage to sell information to advertisers (spyware), or injects its own advertising into web pages that a user looks at. Rapid7 does not typically report on PUPs unless analysis of the software leads Rapid7 to conclude that its function is malicious. |
| Artifact Type | Operating System | Description |
|---|---|---|
| Prefetch | Windows | Rapid7 acquires prefetch entries to identify historical execution of suspicious executables, DLLs, and output files. |
| Services | Windows | Windows services are often used by attackers to ensure that malware starts on a system if the system reboots. |
| Scheduled Tasks | Windows | Windows scheduled tasks are often used by attackers to execute code remotely and to maintain malware persistence. |
| Registry-Based Persistence | Windows | The Windows Registry contains dozens of configuration options for ensuring that code executes under various circumstances including system boot, user logon, or application launches. |
| Running Processes | Windows | Running process data can provide indications of malicious processes, including libraries loaded by processes, network connections from processes, and suspicious command-line arguments. |
| Current Services and Startup Items | Mac | Attackers often use Darwin/Mac services and startup items to establish persistence on a compromised host to ensure that malware starts at system reboot. |
| Crontab/Scheduled Tasks | Mac | Attackers can use crontabs/scheduled tasks to maintain persistence on a compromised host. |
| Running Processes | Mac | Running process data can provide indications of malicious processes, including libraries loaded by processes, network connections from processes, and suspicious command-line arguments. |
| Sudoers | Mac | Attackers can modify or abuse sudoer rules to allow privilege escalation by executing a given command as another user, such as “root.” |
| Suid Binaries | Mac | Attackers can utilize these binaries as a backdoor or for privilege escalation, as they are executed as the given username, which is often “root.” |
| Authorized Keys | Mac | Attackers can implement new keys that they are capable of generating once they compromise a user account on a system. This technique can allow the attacker to establish a backdoor for later use. |
| Kernel Extensions | Mac | Kernel extensions run at the operating system’s highest privilege, making them a target for attackers to try to implement persistence on a compromised host. |
| Crontab/Scheduled Tasks | Linux | Attackers can use crontabs/scheduled tasks to maintain persistence on a compromised host. |
| Running Processes | Linux | Running process data can provide indications of malicious processes, including libraries loaded by processes, network connections from processes, and suspicious command-line arguments. |
| Sudoers | Linux | Attackers can modify or abuse sudoer rules to allow privilege escalation by executing a given command as another user, such as “root.” |
| Suid Binaries | Linux | Attackers can utilize these binaries as a backdoor or for privilege escalation, as they are executed as the given username, which is often “root.” |
| Kernel Modules | Linux | Kernel modules run at the operating system’s highest privilege, making them a target for attackers to compromise and use for rootkits. |
| Authorized Keys | Linux | Attackers can implement new keys that they are capable of generating once they compromise a user account on a system. This technique can allow the attacker to establish a backdoor for later use. |
An incident report is created when our MDR team responds to a confirmed malicious incident in your environment. This is a detailed report providing an overview of the incident, findings details, analysis, root cause, and recommended corrective actions to reduce the likelihood of recurrence and/or improve your ability to detect and respond to similar incidents in the future.
The MDR service relies on multiple methods of compromise detection within client environments. In addition to real-time alerting, MDR frequently performs targeted, threat-intelligence-driven hunting by querying forensically relevant data available to Rapid7 Threat Hunters. If a hunt yields a positive identification of compromise, or potential for compromise, customers will be notified immediately, provided with remediation and mitigation recommendations, and given a full incident report within 24 hours of the conclusion of the investigation.
% Endpoints Covered - This represents both the overall percentage of endpoints in your organization that have Insight Agents deployed and the percentage of endpoints the MDR team is able to monitor. It is calculated using the total number of endpoints that your organization asked us to monitor, or “Planned Endpoints” in this report, and the actual number of monitored endpoints, which are referred to as “Monitored Endpoints” in this report. The number of Total Endpoint Licenses is not included as part of this percentage.
Monitored Endpoints - The number of endpoints with an Insight Agent installed, and as a result, the number of endpoints the MDR team is able to monitor.
Planned Endpoints - The total number of endpoints the MDR team expected to monitor based on information your organization provided to the MDR team. If the number of planned endpoints is greater than the number of monitored endpoints, this means that there are still endpoints that the MDR team was asked to monitor without an Insight Agent installed. The Insight Agent must be installed on all endpoints that you want the MDR team to monitor.
Total Endpoint Licenses - This is the total number of licenses purchased by your organization, and specified in your contract. This may be higher than your Planned Endpoints based on your organization’s growth estimates and contingency plans.