"Suspicious Process - APT29 Related Binary Executed" Investigation

We had an investigation opened with this finding for MS Word (WinWord.exe) started via explorer.exe. Can someone shed some light on “Suspicious Process - APT29 Related Binary Executed”?


If you navigate to the “Detection Rules” section, you can search for all detections available to you.

This particular alert is based on a threat feed from Threat Command, where an alert fires if there is a file being executed whose hash is included in the Threat Command Threat Library.
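To illustrate the hash-match logic the reply describes, here is an added example (not Rapid7's or Threat Command's code) that runs such a rule over constructed process-start events and includes a hash helper for spot-checking the flagged binary; the event field names and the library hashes are assumed placeholders.

```python
import hashlib
import json

RULE_NAME = "Suspicious Process - APT29 Related Binary Executed"

# Constructed threat-library entries, keyed by hash type (placeholders, not real IoCs).
THREAT_LIBRARY = {
    "sha256": {"0123456789abcdef" * 4},
    "md5": {"0123456789abcdef" * 2},
}

# Constructed process-start events as the rule would see them (one JSON object per line).
SAMPLE_EVENTS = [
    r'{"process": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",'
    r' "parent": "explorer.exe", "sha256": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"}',
    r'{"process": "C:\\Windows\\System32\\notepad.exe", "parent": "explorer.exe",'
    r' "sha256": "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210"}',
    r'{"process": "C:\\Temp\\update.exe", "parent": "cmd.exe"}',
]

def hash_bytes(data, algorithm="sha256"):
    """Hex digest of in-memory data; handy for comparing a flagged file with the alert's IoC."""
    return hashlib.new(algorithm, data).hexdigest()

def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Hex digest of a file on disk, read in chunks so large binaries fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def match_event(event, library=THREAT_LIBRARY):
    """Return (hash_type, hash) for the first library hit, or None; hashes are case-folded."""
    for hash_type, known in library.items():
        value = event.get(hash_type)
        if value and value.lower() in known:
            return hash_type, value.lower()
    return None

def run_rule(lines, library=THREAT_LIBRARY):
    """Apply the hash-match rule to JSON event lines and return the alerts it would raise."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        hit = match_event(event, library)
        if hit is not None:
            alerts.append({"rule": RULE_NAME, "process": event["process"],
                           "parent": event.get("parent"), "matched": hit})
    return alerts
```

Events without a hash field never match, and a hash is matched regardless of letter case, which is the behaviour to expect when triaging a single flagged file like WinWord.exe against the IoC in the alert.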

He reinstalled Windows yesterday using the Windows recovery option. The tool downloaded all of the necessary files for a clean install. When it was done, he reinstalled the Rapid7 agent and it wasn’t long after that it was flagged again.