| InsightIDR Documentation

Docs Menu

Welcome

InsightIDR Overview
InsightIDR Quick Start Guide

Setup and Deployment

System Requirements
- Setting Up a Service Account
Network and Environment Audit
Ports Used by InsightIDR
Collector Overview
Insight Agent
- Configure the Insight Agent to Send Additional Logs
- Microsoft Windows Defender Antivirus
Endpoint Scan
Third Party Agents
- CrowdStrike Falcon Data Replicator
Other Deployment Options

Automation

Get Started with Automation
Insight Orchestrator Overview
- Configure Connections For Automation
- Automation Workflow Templates
Automation Workflows
Automated Enrichment Workflows
- Enrich Alert Data with Open Source Plugins
Alert Triggers
Automation Troubleshooting
Send InsightConnect Events to InsightIDR

How To

Manage Credentials
Search Your Logs
Transform Logs to Universal Event Format
Delete and Reinstall a Collector
Deploy Deception Technology
Investigate an Asset or User
Integrate Other Rapid7 Products
- Integrate Metasploit
- Integrate InsightVM
Manage Event Sources
- Edit Event Sources
- Copy Event Sources to a New Collector
Export Data
Access AWS Resources with EC2 IAM Roles
Monitor Your Security Operations Activities

Best Practices

FIM Recommendations

Concepts and Usage

Rapid7 Resource Names
Detection Rules
Alerts
Investigations
Assets on Your Domain
Dashboards and Reports
Deception Technology
File Access Activity Monitoring
File Integrity Monitoring
- File Integrity Monitoring for Linux
- Search Logs for FIM Events
Log Search
Network Rules
Network Traffic Analysis
InsightIDR REST API
- Platform Audit Logs API
Threats
- Utilize Existing Threats
- Add and Manage Threats
Users and Accounts on Your Domain
Quick Actions
Data Storage and Retention FAQs

Detection Library

Overview
ABA: Rules by Threat
ABA: Rules by Endpoint

Event Source Configuration

InsightIDR Event Sources
Data Collection Methods
Advanced Event Source Settings
Monitor Event Source Health
Event Source Troubleshooting
Auto Configure
Active Directory
- Troubleshooting Active Directory
Advanced Malware
- FireEye NX
Cloud Services
Data Exporter
Microsoft SQL Database Audit Logs
DHCP
DNS
Email & ActiveSync
- OWA/ActiveSync
Firewall
IDS
LDAP
- LDAP Troubleshooting
- AWS Managed Microsoft AD
Universal Event Sources
Raw Data
Log Aggregators
Third Party Alerts
Virus Scan
VPN
Web Proxy

Administration

Monthly Data Usage
Browser Settings
Email Alerts
User Management
Single Sign-On

Release Notes

InsightIDR release notes

Support

Contact the Rapid7 Support team
Share an idea with Rapid7

On This Page

Darkhotel

Welcome

InsightIDR Overview
InsightIDR Quick Start Guide

Setup and Deployment

System Requirements
- Setting Up a Service Account
Network and Environment Audit
Ports Used by InsightIDR
Collector Overview
Insight Agent
- Configure the Insight Agent to Send Additional Logs
- Microsoft Windows Defender Antivirus
Endpoint Scan
Third Party Agents
- CrowdStrike Falcon Data Replicator
Other Deployment Options

Automation

Get Started with Automation
Insight Orchestrator Overview
- Configure Connections For Automation
- Automation Workflow Templates
Automation Workflows
Automated Enrichment Workflows
- Enrich Alert Data with Open Source Plugins
Alert Triggers
Automation Troubleshooting
Send InsightConnect Events to InsightIDR

How To

Manage Credentials
Search Your Logs
Transform Logs to Universal Event Format
Delete and Reinstall a Collector
Deploy Deception Technology
Investigate an Asset or User
Integrate Other Rapid7 Products
- Integrate Metasploit
- Integrate InsightVM
Manage Event Sources
- Edit Event Sources
- Copy Event Sources to a New Collector
Export Data
Access AWS Resources with EC2 IAM Roles
Monitor Your Security Operations Activities

Best Practices

FIM Recommendations

Concepts and Usage

Rapid7 Resource Names
Detection Rules
Alerts
Investigations
Assets on Your Domain
Dashboards and Reports
Deception Technology
File Access Activity Monitoring
File Integrity Monitoring
- File Integrity Monitoring for Linux
- Search Logs for FIM Events
Log Search
Network Rules
Network Traffic Analysis
InsightIDR REST API
- Platform Audit Logs API
Threats
- Utilize Existing Threats
- Add and Manage Threats
Users and Accounts on Your Domain
Quick Actions
Data Storage and Retention FAQs

Detection Library

Overview
ABA: Rules by Threat
ABA: Rules by Endpoint

Event Source Configuration

InsightIDR Event Sources
Data Collection Methods
Advanced Event Source Settings
Monitor Event Source Health
Event Source Troubleshooting
Auto Configure
Active Directory
- Troubleshooting Active Directory
Advanced Malware
- FireEye NX
Cloud Services
Data Exporter
Microsoft SQL Database Audit Logs
DHCP
DNS
Email & ActiveSync
- OWA/ActiveSync
Firewall
IDS
LDAP
- LDAP Troubleshooting
- AWS Managed Microsoft AD
Universal Event Sources
Raw Data
Log Aggregators
Third Party Alerts
Virus Scan
VPN
Web Proxy

Administration

Monthly Data Usage
Browser Settings
Email Alerts
User Management
Single Sign-On

Release Notes

InsightIDR release notes

Support

Contact the Rapid7 Support team
Share an idea with Rapid7

Darkhotel

Darkhotel is a threat group that has been active since at least 2004. This group has conducted activity on hotel and business center WiFi and physical connections, and peer-to-peer and file sharing networks. This threat group has also conducted spear phishing attacks.

Other names for this threat

APT-C-06, DUBNIUM, Fallout Team, Karba, Luder, Nemim, Nemin, Pioneer, Shadow Crane, SIG25, Tapaoux

The following is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor.

Suspicious DNS Request - Darkhotel Related Domain Observed

Description

This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.

Recommendation

This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

Acquire Infrastructure - T1583
Domains - T1583.001
Compromise Infrastructure - T1584
Domains - T1584.001

Suspicious Process - Darkhotel Related Binary Executed

Description

This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Web Request - Darkhotel Related Domain Observed

Description

This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.

Recommendation

MITRE ATT&CK Techniques

Acquire Infrastructure - T1583
Domains - T1583.001
Virtual Private Server - T1583.003
Server - T1583.004
Compromise Infrastructure - T1584
Domains - T1584.001
Virtual Private Server - T1584.003
Server - T1584.004

Did this page help you?

On This Page

Darkhotel