Rules by Threat

In this topic, browse our existing detection rules by rule set and review newly published detections and actionable recommendations. The Rapid7 Threat Intelligence team makes frequent updates to our detection rules to adapt to the ever-changing tactics of malicious actors.

| Group | Description | Alternate Names |
|---|---|---|
| Agrius | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Antlion | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| APT Groups | Advanced persistent threat (APT) groups are threat actors operated by nation states or state-sponsored groups. Our ready-made detection rules detect the following APT groups: APT1, APT2, APT3, APT4, APT5, APT6, APT10, APT12, APT15, APT16, APT17, APT18, APT19, APT20, APT27, APT28, APT29, APT31, APT32, APT33, APT34, APT35, APT36, APT37, APT38, APT39, APT40, APT41. | |
| Bahamut | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Balikbayan Foxes | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Bax 026 of Iran | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| BlackOasis | BlackOasis is a Middle Eastern-based threat group. This threat group has targeted prominent figures in the United Nations, opposition bloggers, activists, regional news correspondents, and think tanks. | |
| Blackshadow | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| BlackTech | BlackTech is a cyber espionage group that has targeted victims in East Asia, primarily Taiwan, and also Japan and Hong Kong. | CIRCUIT PANDA, HUAPI, Temp.Overboard |
| Blind Eagle | Blind Eagle is a suspected South American espionage group that has been active since at least 2018. The group primarily targets Colombian government institutions and corporations. | APT-C-36 |
| BRONZE BUTLER | BRONZE BUTLER is a cyber espionage group that appears to be Chinese-based and has been active since at least 2008. This group has primarily targeted Japanese organizations. | REDBALDKNIGHT, Tick |
| CactusPete APT | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Carbanak | Carbanak is a threat group that primarily targets banks, and also refers to malware of the same name. | Anunak, Carbon Spider |
| Chamelgang | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Cloud Service Activity | These detection rules identify suspicious behavior from Cloud Service Activity sent to InsightIDR. | |
| Cobalt Group | Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions. This threat group has conducted intrusions to steal money by targeting ATM, card processing, payment, and SWIFT systems. | Cobalt, Cobalt Gang, Cobalt Spider, GOLD KINGSWOOD |
| Cosmic Lynx | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| CrouchingYeti | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Current Events | This is a collection of rules for current events and rapid response to developing situations. | |
| Dark Basin | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Dark Caracal | Dark Caracal is a threat group attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. | |
| Darkhotel | Darkhotel is a threat group that has conducted activity on hotel and business center WiFi and physical connections, and peer-to-peer and file sharing networks. | APT-C-06, DUBNIUM, Fallout Team, Karba, Luder, Nemim, Nemin, Pioneer, Shadow Crane, SIG25, Tapaoux |
| DarkHydrus | DarkHydrus is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. | LazyMeerkat |
| Deep Panda | Deep Panda is a suspected Chinese-based threat group that has targeted several industries, including government, defense, financial, and telecommunications. | APT26, Black Vine, Group 13, JerseyMikes, KungFu Kittens, PinkPanther, Shell Crew, Turbine Panda, WebMasters |
| DragonOK | DragonOK is a threat group that has targeted Japanese organizations with phishing emails. | Moafee |
| DustSquad | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Dust Storm | Dust Storm is a threat group that has targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. | Stone Panda |
| Elderwood | This group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers. | Beijing Group, Elderwood Gang, Sneaky Panda |
| Elephant Beetle | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Energetic Bear | This group initially targeted defense and aviation companies, but shifted its focus to the energy industry in early 2013. This group has also targeted companies related to industrial control systems. | ALLANITE, Crouching Yeti, Dragonfly, ELECTRUM, Group 24, Havex, IRON LIBERTY, Koala Team, Palmetto Fusion |
| Epic Manchego | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Evil Corp | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Evilnum | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| FIN Groups | Financial threat groups (FIN) comprise actors that target financial institutions. The following rules detect the presence of FIN groups based on publicly available information: FIN4, FIN5, FIN6, FIN7, FIN8, FIN10. | |
| FunnyDream | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Gallmaker | Gallmaker is a cyber espionage group that has targeted victims in the Middle East and has primarily targeted victims in the defense, military, and government industries. | |
| Gamaredon Group | Gamaredon Group is a threat group that has been active since at least 2013, and has targeted individuals with probable involvement in the Ukrainian government. | |
| GCMAN | GCMAN is a threat group that has focused on targeting banks to transfer money to e-currency services. | |
| GhostEmperor | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Gorgon Group | Gorgon Group is a threat group whose members are suspected to be Pakistani-based, or have other connections to Pakistan. This threat group has performed criminal and targeted attacks, including campaigns against governmental organizations in the United Kingdom, Spain, Russia, and the United States. | |
| Greenbug | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Group5 | Group5 is a threat group with suspected Iranian connections. This threat group has targeted individuals connected to the Syrian opposition through spear phishing and watering hole attacks. | |
| Group 72 | Group 72 is a cyber espionage group suspected to be associated with the Chinese government. | |
| Hafnium | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Harvester | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Hexane | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Hidden Lynx | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Hive Ransomware | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Honeybee | Honeybee is a campaign led by an unknown malicious actor that has targeted humanitarian aid organizations, and has been active in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada. | |
| Indra | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| IronHusky | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| KeyBoy | KeyBoy is an unaffiliated threat group that has led targeted campaigns against victims in Taiwan, the Philippines, and Hong Kong. This threat group has primarily targeted the government, healthcare, transportation, and high-tech industries. | APT23, Operation Tropic Trooper, Pirate Panda, Tropic Trooper |
| KilllSomeOne | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Kimsuky | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Lazarus Group | Lazarus Group is a threat group that has been attributed to the North Korean government. | Andariel, Appleworm, APT-C-26, APT38, Bluenoroff, Bureau 121, COVELLITE, Dark Seoul, GOP, Group 77, Guardian of Peace, Guardians of Peace, Hastati Group, HIDDEN COBRA, Labyrinth Chollima, Lazarus, NewRomanic Cyber Army Team, NICKEL ACADEMY, Operation AppleJesus, Operation DarkSeoul, Operation GhostSecret, Operation Troy, Silent Chollima, Stardust Chollima, Subgroup: Andariel, Subgroup: Bluenoroff, Unit 121, Whois Hacking Team, WHOis Team, ZINC |
| Leafminer | Leafminer is an Iranian threat group that has targeted government organizations and business entities in the Middle East. | Raspite |
| Lebanese Cedar | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Lotus Blossom | Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia. | DRAGONFISH, Elise, Esile, Spring Dragon, ST Group |
| Machete | Machete is a threat group that has been active since at least 2010, and has targeted high-profile government entities in Latin American countries. | El Machete, machete-apt |
| Magnat | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Malsmoke | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Migrated Legacy Rules | This is a collection of rules that have been migrated from the Legacy UBA Detection Rules tab. | |
| ModifiedElephant | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Mofang | Mofang is a likely Chinese-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure. | Superman |
| Molerats | Molerats is a politically motivated threat group that has been active since 2012. This group has primarily targeted victims in the Middle East, Europe, and the United States. | Extreme Jackal, Gaza Cybergang, Gaza Hackers Team, Moonlight, Operation Molerats |
| Moses Staff | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| MuddyWater | MuddyWater is an Iranian-based threat group that has primarily targeted Middle Eastern countries, but has also targeted European and North American countries. This group has primarily targeted victims in the telecommunications, government IT services, and oil industries. | Seedworm, Static Kitten, TEMP.Zagros |
| Muddywater | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Mustang Panda | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Mythic Leopard | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Naikon | Naikon is a threat group that has focused on victims around the South China Sea. This threat group has been attributed to the Chinese People's Liberation Army's (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). | APT30, APT.Naikon, Camerashy, Hellsing, Lotus Panda, Override Panda, PLA Unit 78020 |
| NEODYMIUM | NEODYMIUM is an activity group that conducted a campaign in May 2016 and has primarily targeted Turkish victims. | |
| Network Traffic Analysis | These detections identify suspicious activity from network flow records generated by Insight Network Sensor. | |
| Night Dragon | Night Dragon is a campaign name for activity involving a primarily Chinese-based threat group. | |
| North Korean State-Sponsored Actor | North Korean state-sponsored actor is a threat group that has focused on specifically targeting security researchers for compromise. | |
| OldGremlin | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Orangeworm | Orangeworm is a threat group that has targeted organizations in the healthcare industry in the United States, Europe, and Asia since at least 2015, for the suspected purpose of corporate espionage. | |
| Patchwork | Patchwork is a cyber espionage group that has been active since at least December 2015. While this group has not been definitively attributed to India, circumstantial evidence suggests that this group may be a pro-Indian or Indian-based entity. Patchwork has targeted industries related to diplomatic and government agencies. | APT-C-09, Chinastrats, Dropping Elephant, Hangover Group, MONSOON, Operation Hangover, Quilted Tiger, Sarit |
| PLATINUM | PLATINUM is an activity group that has targeted victims associated with governments and related organizations in South and Southeast Asia. | TwoForOne |
| Poseidon Group | Poseidon Group is a threat group that has used information exfiltrated from victims to blackmail companies into contracting Poseidon Group as a security firm. | |
| PROMETHIUM | PROMETHIUM is an activity group that conducted a campaign in May 2016 and has primarily targeted Turkish victims. | StrongPity |
| Pyxie | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Rancor | Rancor is a threat group that has led targeted campaigns against Southeast Asia. | Rancor Group |
| RedCurl | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Roaming Mantis | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Rocke | Rocke is an alleged Chinese-speaking threat group that has primarily used cryptojacking to steal victim system resources to mine cryptocurrency. | |
| RTM | RTM is a cyber criminal group that has been active since at least 2015, and has primarily targeted victims of remote banking systems in Russia and neighboring countries. | |
| Rocket Kitten | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| SCADAfence | The SCADAfence platform extends visibility into IT and OT networks. This is a collection of detection rules that work with the InsightIDR SCADAfence integration. | |
| Sandworm Team | Sandworm Team is a destructive Russian-based threat group attributed to Russian GRU Unit 74455 by the United States Department of Justice and United Kingdom National Cyber Security Centre. | Black Energy, Black Energy (Group), ELECTRUM, Iron Viking, Quedagh, Sandworm, TeleBots, TEMP.Noble, VOODOO BEAR |
| Scarlet Mimic | Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. | |
| SideCopy | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Silence | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Silent Librarian | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| SilverTerrier | SilverTerrier is a Nigerian threat group that has been seen active since 2014. SilverTerrier has primarily targeted organizations in the high technology, higher education, and manufacturing industries. | |
| Soft Cell | Soft Cell is a group that is reportedly affiliated with, and sponsored by, China. This group has been active since at least 2012, and has compromised high-profile telecommunications networks. | |
| Sowbug | Sowbug is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. | |
| Spring Dragon APT | Honeybee is a campaign led by an unknown malicious actor that has targeted humanitarian aid organizations, and has been active in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada. | |
| Stealth Falcon | Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. | FruityArmor |
| Stolen Pencil | Stolen Pencil is a suspected North Korean-based threat group that has been active since at least May 2018. This threat group appears to have targeted academic institutions, but its motives remain unclear. | |
| Strider | Strider is a threat group that has been active since at least 2011, and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda. | ProjectSauron |
| StrongPity | Honeybee is a campaign led by an unknown malicious actor that has targeted humanitarian aid organizations, and has been active in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada. | |
| Suckfly | Suckfly is a Chinese-based threat group that has been active since at least 2014. | Axiom |
| Suspicious Ingress Authentications | These detection rules identify suspicious activity from ingress authentication records collected by InsightIDR Collectors. | |
| Suspicious Network Activity | These detection rules identify suspicious activity from network sessions evaluated by Insight Network Sensor. | |
| Suspicious Network Connections | These detection rules identify suspicious activity from Firewall Activity collected and sent to InsightIDR. | |
| Suspicious Process Access | These detections identify suspicious activity from Sysmon Process Access records collected by Insight Agent from Windows endpoints. | |
| Suspicious Registry Events | These detections identify suspicious activity from Sysmon Registry Event records collected by Insight Agent from Windows endpoints. | |
| Suspicious User Behavior | These detections identify suspicious user behavior from user events generated to detect compromised credentials, lateral movement, and other malicious behavior. | |
| Suspicious Web Requests | These detection rules identify suspicious activity from Web Proxy Activity collected and sent to InsightIDR. | |
| TA459 | TA459 is a suspected Chinese-based threat group that has targeted several countries, including Russia, Belarus, and Mongolia. | |
| TA505 | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Taidoor | Taidoor is a threat group that has been active since at least 2009, and has primarily targeted the Taiwanese government. | |
| TeamTNT | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| The Mabna Hackers | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| The White Company | The White Company is a suspected state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led the Operation Shaheen espionage campaign that targeted government and military organizations in Pakistan. | |
| Threat Command | This is a collection of rules for alerts generated by Rapid7 Threat Command. | |
| Threat Group-1314 | Threat Group-1314 is a threat group that has used compromised credentials to log into victim remote access infrastructure. | TG-1314 |
| Thrip | Thrip is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the United States and Southeast Asia. | Lotus Panda |
| Tropic Tropper | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Turbine Panda | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Turla | Turla is a Russian-based threat group that has infected victims in over 45 countries since 2004, spanning multiple industries, including government, embassies, military, education, research, and pharmaceutical. | Krypton, Snake, Turla Group, VENOMOUS BEAR, Waterbug, WhiteBear |
| UAC-0056 | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| UNC1151 | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| UNC1945 | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Velvet Chollima | Velvet Chollima is a North Korean-based threat group that has been active since at least September 2013. This threat group has targeted Korean think tanks and organizations attempting to interrupt North Korean nuclear technology advancement. | Kimsuki, Kimsuky |
| Whitefly | Whitefly is a cyber espionage group that has been active since at least 2017. This group has primarily targeted organizations in Singapore across several industries and focused on stealing large amounts of sensitive information. | |
| Windows Suspicious Process | These detections identify attacker techniques used by malicious actors to perform a variety of tasks in the host's environment. | |
| Windshift | WindShift is a threat group that has been active since at least 2017, and has targeted specific individuals for surveillance in government departments and critical infrastructure across the Middle East. | Bahamut |
| WIRTE | WIRTE is a threat group that has been active since at least August 2018. The group has focused on targeting Middle East defense and diplomats. | |
| Wizard Spider | WIZARD SPIDER is a financially motivated group that has been conducting ransomware campaigns since at least August 2018, primarily targeting large organizations. | TEMP.MixMaster, GRIM SPIDER |
| XDSpy | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |
| Yalishanda | This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. | |