Campaigns
The Campaigns module displays a centralized list of all known campaigns. You can use the filters to refine the list results to a specific targeted region, targeted industry, or threat actor type.
What is a campaign?
A campaign is a planned sequence of malicious actions executed by a threat actor over time to accomplish a specific goal, such as system disruption or financial gain.
Overview
Selecting a campaign from the list in-product directs you to an overview where you can view further details of the campaign, listed in the following table:
Overview Field | Description |
---|---|
Description | An overview of the activities of the threat actor attributed to this campaign. |
Targeted Countries | The countries in which the campaign has been observed to be active. |
Targeted Industries | The industries in which the campaign has been observed to be active. |
TTPs | Tactics, techniques and procedures (TTPs) are the behaviours of the threat actors behind the campaign. |
Associated Malware | Malware that has been observed to be used by the threat actors attributed to the campaign. |
Threat Actors | The threat actors that have been attributed to the campaign. You can select a threat actor to open its overview in the Threat Actors module. |
Related IDR Alerts | InsightIDR Alerts from the last 30 days that are related to the campaign. Clicking on the eye icon beside an IDR Alert will open the alert in InsightIDR. Clicking on the briefcase icon beside an IDR Alert will open the investigation (if it exists) in InsightIDR. |
Related Articles | External articles and references containing information related to the campaign. Clicking on a related article from this list will open the external source link in a new tab on your browser. |
From the overview page, you can navigate through the tabs to view the following information associated with the campaign:
IOCs
The IOCs tab lists all of the IOCs (indicators of compromise) associated with the campaign. Each IOC has a type, a decay score and a date and time when the IOC was last updated.
You can use the filter to refine the IOCs list by type, and you can export the IOCs list to a downloadable CSV file.
Clicking on the briefcase icon under the Actions column will open the IOC in the Investigation module, which provides further enriched information.
What are IOCs?
Indicators of Compromise (IOCs) are pieces of evidence that suggest a system, network, or domain may have been breached or compromised by a cyberattack.
IOCs act as early warning signals, enabling organisations to detect, investigate, and respond to threats. However, IOCs are inherently volatile, as adversaries frequently modify or abandon them to evade detection, requiring continuous monitoring and intelligence updates to maintain their effectiveness.
What is a decay score?
Each IOC has a Decay Score, a dynamic model that measures the diminishing relevance of IOCs over time. This scoring reflects the reality that threat actors often abandon or rotate infrastructure after detection, exposure, or operational shifts. By applying a Decay Score, organizations can prioritize threat intelligence efforts by focusing on active, high-risk IOCs while deprecating outdated or less relevant ones.
When Rapid7 Labs identifies malicious IP addresses or URLs linked to threat actor campaigns, these indicators are initially assigned a high-confidence score, up to the maximum possible score of 100 for the highest-risk IOCs. Over a predefined period, typically 60 days, this score gradually decreases daily until it reaches 0, signifying that the indicator has transitioned from actively malicious to historically malicious.
However, if renewed malicious activity involving the same indicator is detected during this decay period, the indicator’s Decay Score resets back to its initial high-confidence score, restarting the decay cycle.
Benefits of Decay Scores include:
- Reducing false positives by ensuring outdated IOCs do not linger indefinitely in active blocklists.
- Allowing security teams to prioritize fresh, relevant threats.
- Optimizing resource allocation by preventing unnecessary investigations into obsolete indicators.
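The following is an added example, not Rapid7's code, that models the decay behaviour described above: an indicator starts at its initial score (at most 100), falls to 0 over a 60-day period, and resets to its initial score when a new sighting is recorded. The linear shape of the daily decrease, the prioritisation threshold of 50, and the indicator values and dates are assumptions made for the example; the page does not state the product's actual formula.

```python
from dataclasses import dataclass, field
from datetime import date

MAX_SCORE = 100    # page: highest-risk IOCs start at the maximum score of 100
DECAY_DAYS = 60    # page: the predefined decay period is typically 60 days


@dataclass
class Indicator:
    """One IOC plus the dates on which malicious activity involving it was seen."""
    value: str
    ioc_type: str
    initial_score: int
    sightings: list = field(default_factory=list)

    def __post_init__(self):
        if not 0 < self.initial_score <= MAX_SCORE:
            raise ValueError("initial score must be in 1..%d" % MAX_SCORE)
        if not self.sightings:
            raise ValueError("an indicator needs at least one sighting date")

    def record_sighting(self, when: date) -> None:
        # Renewed malicious activity resets the score: the decay cycle
        # restarts from the newest sighting.
        self.sightings.append(when)

    def last_seen(self) -> date:
        return max(self.sightings)

    def score(self, today: date, decay_days: int = DECAY_DAYS) -> int:
        # Assumption: the daily decrease is linear; the page only says the
        # score falls daily from its initial value to 0 over the period.
        elapsed = (today - self.last_seen()).days
        if elapsed <= 0:
            return self.initial_score
        if elapsed >= decay_days:
            return 0
        return round(self.initial_score * (decay_days - elapsed) / decay_days)

    def status(self, today: date) -> str:
        return "actively malicious" if self.score(today) > 0 else "historically malicious"


def prioritise(indicators, today: date, threshold: int = 50):
    """Indicators still worth keeping on an active blocklist, highest score first.

    The threshold of 50 is an assumption for this example, not a product setting.
    """
    active = [i for i in indicators if i.score(today) >= threshold]
    return sorted(active, key=lambda i: i.score(today), reverse=True)


def demo() -> dict:
    """Walk one constructed indicator through decay, expiry and reset."""
    # 198.51.100.23 and 203.0.113.7 are documentation (TEST-NET) addresses, constructed here.
    ioc = Indicator("198.51.100.23", "ip", MAX_SCORE, [date(2024, 1, 1)])
    out = {"day30": ioc.score(date(2024, 1, 31)),           # halfway through decay
           "day60_status": ioc.status(date(2024, 3, 1))}    # fully decayed
    ioc.record_sighting(date(2024, 2, 15))                  # renewed activity -> reset
    out["after_reset"] = ioc.score(date(2024, 3, 1))        # 15 days into a new cycle
    stale = Indicator("203.0.113.7", "ip", 80, [date(2023, 10, 1)])  # long expired
    out["prioritised"] = [i.value for i in prioritise([ioc, stale], date(2024, 3, 1))]
    return out


if __name__ == "__main__":
    print(demo())
```

Running the file prints the decay at day 30 (50), the status once the period has elapsed (historically malicious), the score after the reset sighting (75), and the single indicator that still clears the blocklist threshold.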
CVEs
The CVEs listed here are associated with the campaign. Selecting a CVE from the list will open it in the Rapid7 AttackerKB feed in a new tab on your browser, where you can view further information on the CVE, such as descriptions and public references.
What are CVEs?
Common vulnerabilities and exposures (CVEs) are publicly known cybersecurity vulnerabilities.
Each CVE is assigned a standardized identifier which typically follows the format CVE-[year]-[identifier number], for example, CVE-2023-23397 (a Microsoft Outlook Elevation of Privilege vulnerability).
CVEs enable consistent communication and referencing of vulnerabilities, helping security teams track, assess, and remediate issues across different systems and software.
When a CVE appears in a threat actor profile or campaign, it indicates that the vulnerability has been observed or reported as exploited by the threat actor or leveraged in a malicious operation.
Registry Paths
The registry paths listed here were targeted by the threat actors behind the campaign.
What is a registry path?
A registry path is a specific location in the Windows Registry, which is a hierarchical database that stores system and application settings.
Similar to a file path, a registry path defines where configuration data is stored and accessed by the Windows operating system and software so that they function properly. Threat actors frequently abuse the Windows Registry for malicious purposes such as establishing persistence, storing malicious configurations, evading detection, or disabling security features. By modifying or creating registry keys, attackers can execute malware at startup, disable security tools, or manipulate system behavior to maintain access and control over a compromised system.
Scripts
The scripts listed here have been observed to be used with malicious intent by the threat actors behind the campaign. You can select a script to view the underlying code.
What is a script?
A script refers to a sequence of commands executed within a system’s command-line interface (CLI) or shell environment, often used by administrators or automated processes to perform routine or complex tasks. However, scripts are also frequently leveraged by threat actors to execute malicious actions such as persistence, lateral movement, reconnaissance, credential dumping, or command and control (C2) communication.
Scripts are key indicators of attacker activity, as they often reveal the specific tactics, techniques, and procedures (TTPs) used during an intrusion.
In cybersecurity analysis, suspicious or malicious scripts are identified by detecting specific command patterns, encoded payloads, suspicious arguments, or unexpected executions that deviate from normal administrative usage.
Examples:
Malicious PowerShell script used to download and execute remote payloads:
powershell.exe -nop -exec bypass -enc [encoded_payload]
Suspicious command line to disable security features:
netsh advfirewall set allprofiles state off
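As an added illustration of the detection approach described above (matching command patterns, suspicious arguments and encoded payloads), the following example, which is not Rapid7's code and not a product rule, runs three simple patterns over constructed process command lines. The patterns are derived from the two commands quoted above; the alternative flag spellings and the fact that PowerShell's encoded command is base64 of UTF-16LE text are PowerShell behaviour, while the rule names and sample lines are assumptions made for the example.

```python
import base64
import re

# Patterns written for this example from the two command lines quoted on the page.
# -nop/-noprofile, -exec/-ep/-executionpolicy and -e/-ec/-enc/-encodedcommand are
# PowerShell's accepted abbreviations of the corresponding switches.
ENCODED_COMMAND = re.compile(
    r"powershell(?:\.exe)?\b.*\s-(?:e|ec|enc|encodedcommand)\b\s+(?P<b64>[A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)
RULES = [
    ("powershell_encoded_command", ENCODED_COMMAND),
    ("powershell_profile_and_policy_bypass",
     re.compile(r"powershell(?:\.exe)?\b.*\s-(?:nop|noprofile)\b.*\s-(?:exec|ep|executionpolicy)\s+bypass\b",
                re.IGNORECASE)),
    ("firewall_disabled_via_netsh",
     re.compile(r"\bnetsh\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.IGNORECASE)),
]


def decode_encoded_command(cmdline: str):
    """Return the plaintext of an -EncodedCommand argument, or None.

    PowerShell expects base64 of the UTF-16LE encoded script, so the decode
    uses that encoding rather than UTF-8. Malformed input yields None.
    """
    m = ENCODED_COMMAND.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group("b64"), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(cmdline: str) -> dict:
    """Evaluate every rule against one command line and decode any encoded payload."""
    hits = [name for name, pattern in RULES if pattern.search(cmdline)]
    return {"cmdline": cmdline, "rules": hits,
            "decoded": decode_encoded_command(cmdline), "suspicious": bool(hits)}


def triage(cmdlines):
    """Keep only the command lines that matched at least one rule."""
    return [r for r in (analyse(c) for c in cmdlines) if r["suspicious"]]


# Constructed sample process command lines. The encoded payload is a harmless
# 'Get-Process' so the decode step can be checked end to end.
HARMLESS_ENCODED = base64.b64encode("Get-Process".encode("utf-16-le")).decode("ascii")
SAMPLE_LINES = [
    f"powershell.exe -nop -exec bypass -enc {HARMLESS_ENCODED}",
    "netsh advfirewall set allprofiles state off",
    r"powershell.exe -File C:\scripts\nightly-backup.ps1",   # routine admin use
    "netsh advfirewall show allprofiles",                     # read-only, not a change
]

if __name__ == "__main__":
    for r in triage(SAMPLE_LINES):
        print(r["rules"], r["cmdline"], r["decoded"])
```

The two benign lines pass through untouched, which is the point of anchoring rules on the specific switches and state changes rather than on the presence of powershell.exe or netsh alone; decoding the encoded argument lets an analyst see what the command actually does before deciding on a response.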
Hunting Rules
The Hunting Rules listed here have been created by our Rapid7 Labs team to identify suspicious or malicious activity associated with the campaign.
Selecting a Hunting Rule opens the Hunting Rule Details where you can view the underlying rule logic.
What is a hunting rule?
Hunting rules are used to proactively identify suspicious or malicious activity in your environment, based on known patterns, behaviours, or indicators.
There are two types of hunting rule:
Rule Name | Description | Example |
---|---|---|
Sigma Rules | A generic and open detection rule used for log-based detection and threat hunting by defining patterns in event logs, such as suspicious process executions or authentication anomalies. | A Sigma rule detects unusual PowerShell executions linked to credential dumping. |
YARA Rules | Used for file and memory analysis, detecting malware, exploits, or artefacts based on byte sequences, hashes, or structural patterns. | A YARA rule scans a hard disk or memory for signatures of a known malware strain. |
Hunting rules enable proactive threat identification, TTP-based detection, and forensic investigations before an IOC-based alert is triggered.
Detection Rules
Within the Intelligence Hub, we display IDR Detection Rules specifically designed to detect IOCs, TTPs, and other malicious activities observed in threat actor campaigns. This proactive approach ensures you're protected against emerging threats identified by Rapid7’s security research teams. Only InsightIDR customers can view the Detection Rules.
What is a detection rule?
Detection Rules are the logic InsightIDR uses to identify suspicious attacker activity and anomalous user behaviors within your environment. These rules continuously analyze activity data collected by InsightIDR, leveraging predefined conditions based on attacker TTPs, IOCs, or behavioral anomalies.
When the conditions defined by a detection rule are satisfied, InsightIDR triggers a detection event, alerting your security team to investigate promptly.
Note: Detection Rules are available exclusively to customers using both Intelligence Hub and InsightIDR.
For detailed reference and consistency, please visit the official documentation: InsightIDR Detection Rules.