Rules by Threat
In this topic, browse our existing detection rules by rule set and review newly published detections and actionable recommendations. The Rapid7 Threat Intelligence team makes frequent updates to our detection rules to adapt to the ever-changing tactics of malicious actors.
Group | Description | Alternate Names
---|---|---
Agrius | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Antlion | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
APT Groups | Advanced persistent threat (APT) groups are threat actors operated by nation states or state-sponsored groups. Our ready-made detection rules cover the following APT groups: APT1, APT2, APT3, APT4, APT5, APT6, APT10, APT12, APT15, APT16, APT17, APT18, APT19, APT20, APT27, APT28, APT29, APT31, APT32, APT33, APT34, APT35, APT36, APT37, APT38, APT39, APT40, APT41. |
Bahamut | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Balikbayan Foxes | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Bax 026 of Iran | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
BlackOasis | BlackOasis is a Middle Eastern-based threat group. This threat group has targeted prominent figures in the United Nations, opposition bloggers, activists, regional news correspondents, and think tanks. | ||
Blackshadow | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
BlackTech | BlackTech is a cyber espionage group that has targeted victims in East Asia, primarily Taiwan, and also Japan and Hong Kong. | CIRCUIT PANDA, HUAPI, Temp.Overboard |
Blind Eagle | Blind Eagle is a suspected South American espionage group that has been active since at least 2018. The group primarily targets Colombian government institutions and corporations. | APT-C-36 | |
BRONZE BUTLER | BRONZE BUTLER is a cyber espionage group that appears to be Chinese-based and has been active since at least 2008. This group has primarily targeted Japanese organizations. | REDBALDKNIGHT, Tick | |
CactusPete APT | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Carbanak | Carbanak is a threat group that primarily targets banks, and also refers to malware of the same name. | Anunak, Carbon Spider | |
Chamelgang | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Cloud Service Activity | These detection rules identify suspicious behavior from Cloud Service Activity sent to InsightIDR. | ||
Cobalt Group | Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions. This threat group has conducted intrusions to steal money by targeting ATM, card processing, payment, and SWIFT systems. | Cobalt, Cobalt Gang, Cobalt Spider, GOLD KINGSWOOD | |
Cosmic Lynx | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
CrouchingYeti | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Current Events | This is a collection of rules for current events and rapid response to developing situations. | ||
Dark Basin | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Dark Caracal | Dark Caracal is a threat group attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. | ||
Darkhotel | Darkhotel is a threat group that has conducted activity on hotel and business center WiFi and physical connections, and peer-to-peer and file sharing networks. | APT-C-06, DUBNIUM, Fallout Team, Karba, Luder, Nemim, Nemin, Pioneer, Shadow Crane, SIG25, Tapaoux | |
DarkHydrus | DarkHydrus is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. | LazyMeerkat | |
Deep Panda | Deep Panda is a suspected Chinese-based threat group that has targeted several industries, including government, defense, financial, and telecommunications. | APT26, Black Vine, Group 13, JerseyMikes, KungFu Kittens, PinkPanther, Shell Crew, Turbine Panda, WebMasters | |
DragonOK | DragonOK is a threat group that has targeted Japanese organizations with phishing emails. | Moafee | |
DustSquad | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Dust Storm | Dust Storm is a threat group that has targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. | Stone Panda | |
Elderwood | This group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers. | Beijing Group, Elderwood Gang, Sneaky Panda | |
Elephant Beetle | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Energetic Bear | This group initially targeted defense and aviation companies, but shifted focus on the energy industry in early 2013. This group has also targeted companies related to industrial control systems. | ALLANITE, Crouching Yeti, Dragonfly, ELECTRUM, Group 24, Havex, IRON LIBERTY, Koala Team, Palmetto Fusion | |
Epic Manchego | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Evil Corp | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Evilnum | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
FIN Groups | Financial threat groups (FIN) consist of financially motivated actors that target financial institutions. The following rules detect the presence of FIN groups based on publicly available information: FIN4, FIN5, FIN6, FIN7, FIN8, FIN10. |
FunnyDream | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Gallmaker | Gallmaker is a cyber espionage group that has targeted victims in the Middle East and has primarily targeted victims in the defense, military, and government industries. | ||
Gamaredon Group | Gamaredon Group is a threat group that has been active since at least 2013, and has targeted individuals with probable involvement in the Ukrainian government. | ||
GCMAN | GCMAN is a threat group that has focused on targeting banks to transfer money to e-currency services. | ||
GhostEmperor | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Gorgon Group | Gorgon Group is a threat group whose members are suspected to be Pakistani-based, or have other connections to Pakistan. This threat group has performed criminal and targeted attacks, including campaigns against governmental organizations in the United Kingdom, Spain, Russia, and the United States. | ||
Greenbug | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Group5 | Group5 is a threat group with suspected Iranian connections. This threat group has targeted individuals connected to the Syrian opposition through spear phishing and watering hole attacks. | ||
Group 72 | Group 72 is a cyber espionage group suspected to be associated with the Chinese government. | ||
Hafnium | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Harvester | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Hexane | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Hidden Lynx | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Hive Ransomware | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Honeybee | Honeybee is a campaign led by an unknown malicious actor that has targeted humanitarian aid organizations, and has been active in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada. | ||
Indra | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
IronHusky | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
KeyBoy | KeyBoy is an unaffiliated threat group that has led targeted campaigns against victims in Taiwan, the Philippines, and Hong Kong. This threat group has primarily targeted the government, healthcare, transportation, and high-tech industries. | APT23, Operation Tropic Trooper, Pirate Panda, Tropic Trooper | |
KilllSomeOne | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Kimsuky | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Lazarus Group | Lazarus Group is a threat group that has been attributed to the North Korean government. | Andariel, Appleworm, APT-C-26, APT38, Bluenoroff, Bureau 121, COVELLITE, Dark Seoul, GOP, Group 77, Guardian of Peace, Guardians of Peace, Hastati Group, HIDDEN COBRA, Labyrinth Chollima, Lazarus, NewRomanic Cyber Army Team, NICKEL ACADEMY, Operation AppleJesus, Operation DarkSeoul, Operation GhostSecret, Operation Troy, Silent Chollima, Stardust Chollima, Subgroup: Andariel, Subgroup: Bluenoroff, Unit 121, Whois Hacking Team, WHOis Team, ZINC | |
Leafminer | Leafminer is an Iranian threat group that has targeted government organizations and business entities in the Middle East. | Raspite | |
Lebanese Cedar | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Lotus Blossom | Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia. | DRAGONFISH, Elise, Esile, Spring Dragon, ST Group | |
Machete | Machete is a threat group that has been active since at least 2010, and has targeted high-profile government entities in Latin American countries. | El Machete, machete-apt | |
Magnat | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Malsmoke | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Migrated Legacy Rules | This is a collection of rules that have been migrated from the Legacy UBA Detection Rules tab. | ||
ModifiedElephant | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Mofang | Mofang is a likely Chinese-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure. | Superman | |
Molerats | Molerats is a politically-motivated threat group that has been active since 2012. This group has primarily targeted victims in the Middle East, Europe, and the United States. | Extreme Jackal, Gaza Cybergang, Gaza Hackers Team, Moonlight, Operation Molerats | |
Moses Staff | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
MuddyWater | MuddyWater is an Iranian-based threat group that has primarily targeted Middle Eastern countries, but has also targeted European and North American countries. This group has primarily targeted victims in the telecommunications, government IT services, and oil industries. | Seedworm, Static Kitten, TEMP.Zagros | |
Muddywater | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Mustang Panda | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Mythic Leopard | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Naikon | Naikon is a threat group that has focused on victims around the South China Sea. This threat group has been attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). | APT30, APT.Naikon, Camerashy, Hellsing, Lotus Panda, Override Panda, PLA Unit 78020 | |
NEODYMIUM | NEODYMIUM is an activity group that conducted a campaign in May 2016 and has primarily targeted Turkish victims. | ||
Network Traffic Analysis | These detections identify suspicious activity from network flow records generated by Insight Network Sensor. | ||
Night Dragon | Night Dragon is a campaign name for activity involving a primarily Chinese-based threat group. | ||
North Korean State-Sponsored Actor | This rule set covers a North Korean state-sponsored threat actor that has focused specifically on targeting security researchers for compromise. |
OldGremlin | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Orangeworm | Orangeworm is a threat group that has targeted organizations in the healthcare industry in the United States, Europe, and Asia since at least 2015, for the suspected purpose of corporate espionage. | ||
Patchwork | Patchwork is a cyber espionage group that has been active since at least December 2015. While this group has not been definitively attributed to India, circumstantial evidence suggests that this group may be a pro-Indian or Indian-based entity. Patchwork has targeted industries related to diplomatic and government agencies. | APT-C-09, Chinastrats, Dropping Elephant, Hangover Group, MONSOON, Operation Hangover, Quilted Tiger, Sarit | |
PLATINUM | PLATINUM is an activity group that has targeted victims associated with governments and related organizations in South and Southeast Asia. | TwoForOne | |
Poseidon Group | Poseidon group is a threat group that has used information exfiltrated from victims to blackmail companies into contracting Poseidon Group as a security firm. | ||
PROMETHIUM | PROMETHIUM is an activity group that conducted a campaign in May 2016 and has primarily targeted Turkish victims. | StrongPity |
Pyxie | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Rancor | Rancor is a threat group that has led targeted campaigns against Southeast Asia. | Rancor Group | |
RedCurl | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Roaming Mantis | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Rocke | Rocke is an alleged Chinese-speaking threat group that has primarily used cryptojacking to steal victim system resources to mine cryptocurrency. |
RTM | RTM is a cyber criminal group that has been active since at least 2015, and has primarily targeted victims of remote banking systems in Russia and neighboring countries. | ||
Rocket Kitten | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
SCADAfence | The SCADAfence platform extends visibility into IT and OT networks. This is a collection of detection rules that work with the InsightIDR SCADAfence integration. |
Sandworm Team | Sandworm Team is a destructive Russian-based threat group attributed to Russian GRU Unit 74455 by the United States Department of Justice and United Kingdom National Cyber Security Centre. | Black Energy, Black Energy (Group), ELECTRUM, Iron Viking, Quedagh, Sandworm, TeleBots, TEMP.Noble, VOODOO BEAR | |
Scarlet Mimic | Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. | ||
SideCopy | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Silence | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Silent Librarian | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
SilverTerrier | SilverTerrier is a Nigerian threat group that has been active since at least 2014. SilverTerrier has primarily targeted organizations in the high technology, higher education, and manufacturing industries. |
Soft Cell | Soft Cell is a group that is reportedly affiliated with, and sponsored by China. This group has been active since at least 2012, and has compromised high-profile telecommunications networks. | ||
Sowbug | Sowbug is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. | ||
Spring Dragon APT | Spring Dragon is an alternate name for Lotus Blossom, a threat group that has targeted government and military organizations in Southeast Asia. This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. |
Stealth Falcon | Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. | FruityArmor | |
Stolen Pencil | Stolen Pencil is a suspected North Korean-based threat group that has been active since at least May 2018. This threat group appears to have targeted academic institutions, but its motives remain unclear. | ||
Strider | Strider is a threat group that has been active since at least 2011, and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda. | ProjectSauron | |
StrongPity | StrongPity is an alternate name for PROMETHIUM, an activity group that conducted a campaign in May 2016 and has primarily targeted Turkish victims. This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. |
Suckfly | Suckfly is a Chinese-based threat group that has been active since at least 2014. | Axiom | |
Suspicious Ingress Authentications | These detection rules identify suspicious activity from ingress authentication records collected by InsightIDR Collectors. | ||
Suspicious Network Activity | These detection rules identify suspicious activity from network sessions evaluated by Insight Network Sensor. | ||
Suspicious Network Connections | These detection rules identify suspicious activity from Firewall Activity collected and sent to InsightIDR. | ||
Suspicious Process Access | These detections identify suspicious activity from Sysmon Process Access records collected by Insight Agent from Windows endpoints. | ||
Suspicious Registry Events | These detections identify suspicious activity from Sysmon Registry Event records collected by Insight Agent from Windows endpoints. | ||
Suspicious User Behavior | These detections identify suspicious user behavior from user events, surfacing compromised credentials, lateral movement, and other malicious activity. |
Suspicious Web Requests | These detection rules identify suspicious activity from Web Proxy Activity collected and sent to InsightIDR. | ||
TA459 | TA459 is a suspected Chinese-based threat group that has targeted several countries, including Russia, Belarus, and Mongolia. |
TA505 | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Taidoor | Taidoor is a threat group that has been active since at least 2009, and has primarily targeted the Taiwanese government. | ||
TeamTNT | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
The Mabna Hackers | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
The White Company | The White Company is a suspected state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led the Operation Shaheen espionage campaign that targeted government and military organizations in Pakistan. | ||
Threat Command | This is a collection of rules for alerts generated by Rapid7 Threat Command. | ||
Threat Group-1314 | Threat Group-1314 is a threat group that has used compromised credentials to log into victim remote access infrastructure. | TG-1314 | |
Thrip | Thrip is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the United States and Southeast Asia. | Lotus Panda | |
Tropic Trooper | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. |
Turbine Panda | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Turla | Turla is a Russian-based threat group that has infected victims in over 45 countries, spanning multiple industries, including government, embassies, military, education, research, and pharmaceutical since 2004. | Krypton, Snake, Turla Group, VENOMOUS BEAR, Waterbug, WhiteBear | |
UAC-0056 | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
UNC1151 | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
UNC1945 | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Velvet Chollima | Velvet Chollima is a North Korean-based threat group that has been active since at least September 2013. This threat group has targeted Korean think tanks and organizations attempting to interrupt North Korean nuclear technology advancement. | Kimsuki, Kimsuky | |
Whitefly | Whitefly is a cyber espionage group that has been active since at least 2017. This group has primarily targeted organizations in Singapore across several industries and focused on stealing large amounts of sensitive information. | ||
Windows Suspicious Process | These detections identify attacker techniques that malicious actors use to perform a variety of tasks in the host environment. |
Windshift | WindShift is a threat group that has been active since at least 2017, and has targeted specific individuals for surveillance in government departments and critical infrastructure across the Middle East. | Bahamut | |
WIRTE | WIRTE is a threat group that has been active since at least August 2018. The group has focused on targeting Middle East defense and diplomats. | ||
Wizard Spider | Wizard Spider is a financially motivated group that has been conducting ransomware campaigns since at least August 2018, primarily targeting large organizations. | TEMP.MixMaster, GRIM SPIDER |
XDSpy | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | ||
Yalishanda | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. |