Suspicious Web Requests

These detection rules identify suspicious activity from Web Proxy Activity collected and sent to InsightIDR.

Blocked Web Request - Rapid7.com

Description

This detection identifies blocked requests to 'insight.rapid7.com' or 'endpoint.ingress.rapid7.com'. Endpoints running the Insight Agent need access to these domains to deliver information to the InsightIDR platform for monitoring purposes. Endpoints need access via one of three available methods: a direct network connection, or access to an InsightIDR Collector or proxy that has network access to these domains.

Recommendation

If you are running the Insight Agent in an environment that needs to restrict outbound agent access to InsightIDR, this alert can tell you which web proxies are configured as expected. If you operate in this type of environment, you may want to turn off the alert. See Alert Settings > Attacker Behavior Analytics > Blocked Web Request - Rapid7.com and set the state to Disabled.

If you are not restricting how the Insight Agent connects to InsightIDR, this alert means your environment may be misconfigured. Review the configuration of the web proxies involved and ensure they are not blocking 'rapid7.com'.

For more information on the networking requirements, view the documentation: https://docs.rapid7.com/insight-agent/networking/ and https://docs.rapid7.com/insightidr/collector-requirements#firewall-rules
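
As an added example (not Rapid7's detection logic and not code from this documentation), the following Python script triages proxy records to show which proxies block requests to the two domains named above and which endpoints are affected. The CSV column names, proxy names and host names are constructed assumptions, not an InsightIDR schema.

```python
import csv
import io
from collections import defaultdict

# Domains named in the detection description; subdomains are matched too.
AGENT_DOMAINS = ("insight.rapid7.com", "endpoint.ingress.rapid7.com")

# Constructed sample records; column names and hosts are assumptions.
SAMPLE_LOG = """\
timestamp,proxy,source_host,destination_host,action
2024-05-01T10:00:01Z,proxy-a,ws-101,sub.endpoint.ingress.rapid7.com,BLOCKED
2024-05-01T10:00:04Z,proxy-a,ws-102,insight.rapid7.com,BLOCKED
2024-05-01T10:00:09Z,proxy-b,ws-201,insight.rapid7.com,ALLOWED
2024-05-01T10:00:12Z,proxy-b,ws-202,insight.rapid7.com.example.net,BLOCKED
2024-05-01T10:00:15Z,proxy-a,ws-101,Endpoint.Ingress.Rapid7.com.,blocked
2024-05-01T10:00:20Z,proxy-c,ws-301,notinsight.rapid7.com,BLOCKED
"""


def is_agent_domain(host):
    """True if host is one of AGENT_DOMAINS or a subdomain of one."""
    # Normalise case and a trailing root dot before comparing.
    host = host.strip().lower().rstrip(".")
    # Require a label boundary so look-alike hosts do not match.
    return any(host == d or host.endswith("." + d) for d in AGENT_DOMAINS)


def blocked_agent_requests(log_text):
    """Map proxy name -> sorted source hosts whose agent traffic it blocked."""
    blocked = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        is_blocked = row["action"].strip().upper() == "BLOCKED"
        if is_blocked and is_agent_domain(row["destination_host"]):
            blocked[row["proxy"]].add(row["source_host"])
    return {proxy: sorted(hosts) for proxy, hosts in blocked.items()}


if __name__ == "__main__":
    for proxy, hosts in blocked_agent_requests(SAMPLE_LOG).items():
        print(f"{proxy} blocks Insight Agent traffic from: {', '.join(hosts)}")
```

A proxy that appears in the result when agent access is not meant to be restricted is the one whose configuration needs review.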

Suspicious Web Request - Destination IP in Cobalt Strike C2 List

Description

This detection identifies web proxy records that have a destination address that is in the Cobalt Strike C2 IP list. These destination network addresses are actively being used by attackers to command and control infected endpoints, primarily to serve the Cobalt Strike beacon payload.

Recommendation

Review the endpoint in question that is generating the network traffic to verify if it is. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Web Request - Destination IP in Solarmarker C2 List

Description

This detection identifies web proxy records that have a destination address known by Rapid7 to be associated with SolarMarker. These destination network addresses are actively being used by attackers to command and control infected endpoints, primarily to serve information-stealing payloads.

Recommendation

Investigate the host that is the source of the web traffic. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Web Protocols - T1071.001

Suspicious Web Request - URI Similar to known SUNBURST Activity

Description

This detection identifies URI patterns matching known behavior from the SUNBURST backdoored version of SolarWinds Orion. The HTTP requests resemble legitimate SolarWinds traffic, but the requests are to non-SolarWinds domains.

Recommendation

Determine if the process being launched is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Supply Chain Compromise - T1195
  • Compromise Software Supply Chain - T1195.002