Campaigns

The Campaigns page displays a centralized list of all known campaigns. You can use the filters to refine the list results to a specific targeted region, targeted industry, or threat actor type.

What is a campaign?

A campaign is a planned sequence of malicious actions executed by a threat actor over time to accomplish a specific goal, such as system disruption or financial gain.

Overview

Select a campaign to go to an overview and view further details, listed below:

  • Description: An overview of the activities of the threat actor attributed to this campaign.
  • Targeted Countries: The countries in which the campaign has been observed to be active.
  • Targeted Industries: The industries in which the campaign has been observed to be active.
  • TTPs: Tactics, techniques and procedures (TTPs) are the behaviours of the threat actors behind the campaign.
  • Associated Malware: Malware that has been observed to be used by the threat actors attributed to the campaign.
  • Threat Actors: The threat actors that have been attributed to the campaign. You can select a threat actor to open its overview in the Threat Actors module.
  • Related SIEM Alerts: SIEM (InsightIDR) alerts from the last 30 days that are related to the campaign. Select the eye icon to open the alert in SIEM (InsightIDR). Select the briefcase icon to open the investigation (if it exists) in SIEM (InsightIDR).
  • Related Articles: External articles and references containing information related to the campaign. Clicking on a related article from this list will open the external source link in a new tab on your browser.

IOCs

The IOCs tab lists all indicators of compromise (IOCs) associated with the campaign. The table displays each IOC’s type, decay score, and the date and time it was last updated.

What are IOCs?

Indicators of Compromise (IOCs) are pieces of evidence that suggest a system, network, or domain may have been breached or compromised by a cyberattack.

IOCs act as early warning signals, enabling organisations to detect, investigate, and respond to threats. However, IOCs are inherently volatile, as adversaries frequently modify or abandon them to evade detection, requiring continuous monitoring and intelligence updates to maintain their effectiveness.

What is a decay score?

Each IOC has a decay score, a dynamic model that measures the diminishing relevance of IOCs over time. This scoring reflects the reality that threat actors often abandon or rotate infrastructure after detection, exposure, or operational shifts. By applying a decay score, organizations can prioritize threat intelligence efforts by focusing on active, high-risk IOCs while deprecating outdated or less relevant ones.

When Rapid7 Labs identifies malicious IP addresses or URLs linked to threat actor campaigns, these indicators are initially assigned a high-confidence score, up to the maximum possible score of 100 for the highest-risk IOCs. Over a predefined period, typically 60 days, this score gradually decreases daily until it reaches 0, signifying that the indicator has transitioned from actively malicious to a status of historically malicious.

However, if renewed malicious activity involving the same indicator is detected during this decay period, the indicator’s decay score resets back to its initial high-confidence score, restarting the decay cycle.

Benefits of decay scores include:

  • Reducing false positives by ensuring outdated IOCs do not linger indefinitely in active blocklists.
  • Allowing security teams to prioritize fresh, relevant threats.
  • Optimizing resource allocation by preventing unnecessary investigations into obsolete indicators.

To filter the IOCs list:

  1. In the IOCs tab, select the Filter dropdown.
  2. Select one or more IOC types to refine the list.

The table updates to show only IOCs that match your selected types.

To export the IOCs list:

  1. In the IOCs tab, select Export CSV.

A CSV file containing the current IOCs list downloads to your browser’s default download location.

To open an IOC in Investigations:

  1. In the IOCs table, locate the IOC you want to investigate.
  2. Under the Actions column, select the briefcase icon.

The IOC opens in Threat Investigations, where you can access further enriched information about the indicator.

Search Logs for Campaign IOCs

The Search logs for IOCs dropdown lets you pivot directly from a campaign profile into SIEM (InsightIDR) Log Search, with a query pre-built from the campaign’s curated IOCs. This lets you quickly check whether any campaign-related indicators have appeared in your environment, without having to build a query from scratch.

This feature is available to customers using both Threat Intelligence (Intelligence Hub) and SIEM (InsightIDR).

To search your logs for campaign IOCs:

  1. From the campaign overview page, select the Search logs for IOCs dropdown.
  2. Select an IOC type from the list:
    • Domain
    • Hostname
    • IP
    • MD5
    • SHA1
    • SHA256
    • URL
  3. SIEM (InsightIDR) Log Search opens in a new browser tab, pre-populated with a query built from the campaign’s IOCs for the selected type.

The query opens with these default filters applied:

  • IOC decay score: ≥ 30
  • IOC last updated: ≤ 60 days ago
  • Informational IOCs: Excluded

These defaults focus the search on active, high-confidence indicators while filtering out IOCs that are likely stale or originate from commonly misused legitimate infrastructure. You can modify any of these filters directly in Log Search before running or saving the query.
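A toy model of the decay score (from "What is a decay score?" above) together with the default Log Search filters listed in this section, added here as an example; it is not Rapid7's scoring code. It assumes the decay is linear over the 60-day period, treats the "last updated" date as the latest confirmed malicious sighting, and uses constructed sample IOCs.

```python
from dataclasses import dataclass
from datetime import date, timedelta

DECAY_DAYS = 60  # "typically 60 days" on the page; linear decay is an assumption

@dataclass
class Ioc:
    value: str
    ioc_type: str          # Log Search IOC type, e.g. "IP", "Domain"
    initial_score: int     # high-confidence score assigned on first sighting (max 100)
    last_updated: date     # assumed to be the latest confirmed malicious sighting
    informational: bool = False

def decay_score(ioc: Ioc, today: date) -> int:
    """Assumed linear decay from initial_score to 0 over DECAY_DAYS."""
    elapsed = max(0, (today - ioc.last_updated).days)
    remaining = max(0, DECAY_DAYS - elapsed)
    return round(ioc.initial_score * remaining / DECAY_DAYS)

def record_sighting(ioc: Ioc, seen_on: date) -> Ioc:
    """Renewed malicious activity restarts the decay cycle at the initial score."""
    ioc.last_updated = seen_on
    return ioc

def select_for_log_search(iocs, ioc_type, today, min_score=30,
                          max_age_days=60, include_informational=False):
    """Apply the page's default Log Search filters and return matching IOC values."""
    selected = []
    for ioc in iocs:
        fresh = (today - ioc.last_updated).days <= max_age_days
        active = decay_score(ioc, today) >= min_score
        allowed = include_informational or not ioc.informational
        if ioc.ioc_type == ioc_type and fresh and active and allowed:
            selected.append(ioc.value)
    return selected

# Constructed sample data (documentation-reserved IP ranges, not real IOCs).
TODAY = date(2024, 6, 30)
SAMPLE_IOCS = [
    Ioc("198.51.100.7", "IP", 100, TODAY - timedelta(days=12)),   # score 80
    Ioc("203.0.113.9", "IP", 100, TODAY - timedelta(days=45)),    # score 25
    Ioc("192.0.2.44", "IP", 60, TODAY - timedelta(days=70)),      # score 0
    Ioc("smtp.office365.com", "Domain", 100, TODAY - timedelta(days=1),
        informational=True),                                     # score 98
]
```

With the defaults, only the first IP survives the filters; calling record_sighting on the second IP resets its score to 100 and brings it back into the selection.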

Informational IOCs

To help you make informed decisions about potential threats, some associated IOCs are tagged as Informational. This tag identifies IOCs that are of trusted origin but have been exploited for malicious purposes, such as IP addresses, domains, or hashes. These IOCs may appear anomalous but are commonly used by essential services or business-critical infrastructure. Blocking these IOCs without understanding their context could disrupt key operations or third-party services in your environment.

The Informational tag allows you to:

  • Identify legitimate but misused IOCs that are associated with services like public CDNs, mail relays, or cloud-based applications.
  • Exclude or filter these IOCs from blocklists or active responses to prevent unintended service outages.
  • Prioritize IOCs that represent true threats to your environment.
Note: Integrations May Require IOC Rule Adjustments

If you’re integrating Threat Intelligence data with detection or enforcement tools

Use Case Example

When reviewing a list of IOCs, you may encounter domains such as smtp.office365.com, or public IPs associated with well-known content delivery networks (CDNs). These may be tagged as Informational to flag their potential misuse without implying a need for immediate containment.

  • Use the Informational tag as a filter to quickly isolate or exclude these IOCs.
  • Incorporate the tag into your review workflow to avoid false positives and ensure legitimate traffic is not unintentionally disrupted.
  • Reference this tag during incident triage to focus investigation and remediation efforts on confirmed malicious threats.

CVEs

The CVEs listed here are associated with the campaign. Selecting a CVE from the list will open it in the Rapid7 AttackerKB feed in a new tab on your browser, where you can view further information on the CVE, such as descriptions and public references.

What are CVEs?

Common vulnerabilities and exposures (CVEs) are publicly known cybersecurity vulnerabilities.

Each CVE is assigned a standardized identifier which typically follows the format CVE-[year]-[identifier number], for example, CVE-2023-23397 (a Microsoft Outlook Elevation of Privilege vulnerability).

CVEs enable consistent communication and referencing of vulnerabilities, helping security teams track, assess, and remediate issues across different systems and software.

When a CVE appears in a threat actor or campaign profile, it indicates that the vulnerability has been observed or reported as exploited by the threat actor or leveraged in a malicious operation.

Registry Paths

The registry paths listed here were targeted by the threat actors behind the campaign.

What is a registry path?

A registry path is a specific location in the Windows Registry, which is a hierarchical database that stores system and application settings.

Similar to a file path, a registry path defines where configuration data is stored and accessed by the Windows operating system and software. Threat actors frequently abuse the Windows Registry to establish persistence, store malicious configurations, evade detection, or disable security features. By modifying or creating registry keys, attackers can execute malware at startup, disable security tools, or manipulate system behavior to maintain access and control over a compromised system.

Scripts

The scripts listed here have been observed to be used with malicious intent by the threat actors behind the campaign. You can select a script to view the underlying code.

What is a script?

A script refers to a sequence of commands executed within a system’s command-line interface (CLI) or shell environment, often used by administrators or automated processes to perform routine or complex tasks. However, scripts are also frequently leveraged by threat actors to execute malicious actions such as persistence, lateral movement, reconnaissance, credential dumping, or command and control (C2) communication.

Scripts are key indicators of attacker activity, as they often reveal the specific tactics, techniques, and procedures (TTPs) used during an intrusion.

In cybersecurity analysis, suspicious or malicious scripts are identified by detecting specific command patterns, encoded payloads, suspicious arguments, or unexpected executions that deviate from normal administrative usage.

Examples:

  • Malicious PowerShell script used to download and execute remote payloads:

    powershell.exe -nop -exec bypass -enc [encoded_payload]

  • Suspicious command line to disable security features:

    netsh advfirewall set allprofiles state off
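The kind of command-pattern check described above, added here as an example; it is not part of the original page and not Rapid7's hunting or detection logic. It flags the two script examples from this section in constructed process-creation log lines and decodes the base64 UTF-16LE payload behind -enc so an analyst can see what the command would run. The rule names, patterns and sample lines are constructed.

```python
import base64
import re
from typing import List, Optional, Tuple

# Constructed rules: (name, pattern). Case-insensitive because PowerShell and
# netsh accept mixed-case switches. Lookaheads require BOTH an encoded command
# and an execution-policy bypass, to avoid flagging ordinary admin usage.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("powershell_encoded_bypass",
     re.compile(r"powershell(?:\.exe)?\b(?=.*\s-e(?:c|nc|ncodedcommand)?\s)"
                r"(?=.*\s-exec(?:utionpolicy)?\s+bypass\b)", re.I)),
    ("netsh_firewall_off",
     re.compile(r"\bnetsh\b.*\badvfirewall\b.*\bset\b.*\bstate\s+off\b", re.I)),
]

ENC_ARG = re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE plaintext behind -enc, or None if absent/undecodable."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, rule_name) for every log line matching a rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((n, name))
    return hits

# Constructed sample process-creation log lines (not real telemetry). The
# encoded payload is a harmless Write-Host, built here rather than hard-coded.
_PAYLOAD = base64.b64encode("Write-Host 'hello'".encode("utf-16le")).decode()
SAMPLE_LINES = [
    "cmd.exe /c dir C:\\Users",
    f"powershell.exe -nop -exec bypass -enc {_PAYLOAD}",
    "powershell.exe -File C:\\scripts\\backup.ps1",
    "netsh advfirewall set allprofiles state off",
    "netsh advfirewall show allprofiles",
]
```

Note that the plain -File invocation and the read-only netsh show command are left alone; the patterns key on the bypass-plus-encoding combination and on the firewall being switched off, not on PowerShell or netsh use in general.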

Hunting Rules

The Hunting Rules listed here have been created by our Rapid7 Labs team to identify suspicious or malicious activity associated with the campaign.

Selecting a Hunting Rule opens the Hunting Rule Details where you can view the underlying rule logic.

What is a hunting rule?

Hunting rules are used to proactively identify suspicious or malicious activity in your environment, based on known patterns, behaviours, or indicators.

There are two types of hunting rule:

  • Sigma Rules: A generic and open detection rule used for log-based detection and threat hunting by defining patterns in event logs, such as suspicious process executions or authentication anomalies. Example: a Sigma rule detects unusual PowerShell executions linked to credential dumping.
  • YARA Rules: Used for file and memory analysis, detecting malware, exploits, or artefacts based on byte sequences, hashes, or structural patterns. Example: a YARA rule scans a hard disk or memory for signatures of a known malware strain.

Hunting rules enable proactive threat identification, TTP-based detection, and forensic investigations before an IOC-based alert is triggered.

Detection Rules

Within Threat Intelligence (Intelligence Hub), we display SIEM (InsightIDR) Detection Rules specifically designed to detect IOCs, TTPs, and other malicious activities observed in threat actor campaigns. This proactive approach ensures you’re protected against emerging threats identified by Rapid7’s security research teams. Only SIEM (InsightIDR) customers can view the Detection Rules.

What is a detection rule?

Detection Rules are the logic SIEM (InsightIDR) uses to identify suspicious attacker activity and anomalous user behaviors within your environment. These rules continuously analyze activity data collected by SIEM (InsightIDR), leveraging predefined conditions based on attacker TTPs, IOCs, or behavioral anomalies.

When the conditions defined by a detection rule are satisfied, SIEM (InsightIDR) triggers a detection event, alerting your security team to investigate promptly.

Note: Detection Rules are available exclusively to customers using both Threat Intelligence (Intelligence Hub) and SIEM (InsightIDR).

For detailed reference and consistency, please visit the official documentation: SIEM (InsightIDR) Detection Rules.