Basic Malware Outbreak

Description

Looks for the same malware occurring on multiple systems in a short period of time.


Use Case

Security Monitoring

Category

Endpoint Compromise

Security Impact

When the same malware occurs on multiple systems, you may be on the brink of a major incident as has been seen frequently with worms, ransomware, and broad phishing campaigns. Find out about these before they become a big deal!

Alert Volume

Low

SPL Difficulty

Basic

Journey

Stage 1

MITRE ATT&CK Tactics

Initial Access
Execution
Privilege Escalation

MITRE ATT&CK Techniques

Drive-by Compromise
Spearphishing Attachment
Spearphishing Link
User Execution
Exploitation for Privilege Escalation

MITRE Threat Groups

APT12
APT19
APT28
APT29
APT32
APT33
APT37
APT38
APT39
APT41
BRONZE BUTLER
Cobalt Group
Dark Caracal
DarkHydrus
Darkhotel
Dragonfly 2.0
Elderwood
FIN4
FIN6
FIN7
FIN8
Gallmaker
Gorgon Group
Kimsuky
Lazarus Group
Leafminer
Leviathan
Machete
Magic Hound
MuddyWater
Night Dragon
OilRig
PLATINUM
Patchwork
Rancor
Silence
Stolen Pencil
TA459
TA505
The White Company
Threat Group-3390
Tropic Trooper
Turla
admin@338
menuPass

Kill Chain Phases

Delivery

Data Sources

Anti-Virus or Anti-Malware

How to Implement

With Symantec Endpoint Protection logs onboard, these searches should work easily. If you have a different Anti-Virus product, they should be very easy to adapt to the field names and sourcetypes for that product -- particularly if you use a Splunk Add-on that maps them to the Common Information Model (search on Splunkbase!).

Known False Positives

No known false positives at this time.

How To Respond

When you see the same malware occurring on multiple systems, the most important thing to understand is how the malware is spreading, so that you can stop the spread. For example, WannaCry spreading via unpatched SMB vulnerabilities would require a network or patching response; a phishing campaign would require that you remove those messages from mailboxes and perform filtering; a drive-by download would require an entirely different set of actions. Additionally, perform all standard malware incident response actions, such as updating definitions, reimaging systems, etc.

Help

Basic Malware Outbreak Help

This example leverages the Simple Search search assistant. Our example dataset is a collection of anonymized Symantec Endpoint Protection logs (onboarded in accordance with our Data Onboarding Guides), during which someone does something bad. Our live search looks for the same behavior using the standardized sourcetypes for Symantec Endpoint Protection or the Common Information Model.

SPL for Basic Malware Outbreak

Demo Data

First we bring in our basic demo dataset, Symantec Endpoint Protection Risks. We're using a macro called Load_Sample_Log_Data to wrap around | inputlookup, just so it is cleaner for the demo data.
While there are several approaches to grouping events, and stats is the fastest, we're using transaction because it's the easiest. This will let us group all the events based on the Risk_Name.
Finally, we can look to see if there are more than three different computers that have been affected.

Live Data

First we bring in our basic dataset, Symantec Endpoint Protection Risks, over the last 24 hours.
While there are several approaches to grouping events, and stats is the fastest, we're using transaction because it's the easiest. This will let us group all the events based on the Risk_Name.
Finally, we can look to see if there are more than three different computers that have been affected.

Accelerated Data

Here we are using the Common Information Model created data model, with the tstats command, to allow us to retrieve super-fast summarized data.
Then we can look to see if there are more than three different computers that have been affected.
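The grouping logic the three searches describe (group anti-virus risk events by Risk_Name over the last 24 hours, then flag any risk seen on more than three distinct computers), as an added Python example that is not part of Splunk Security Essentials or its SPL. The events are constructed to resemble Symantec Endpoint Protection risk logs; the field name Computer_Name and the timestamp format are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample events shaped like Symantec Endpoint Protection risk
# logs. Risk_Name is the field the page groups on; Computer_Name is assumed.
SAMPLE_EVENTS = [
    {"_time": "2024-03-01 08:00:00", "Risk_Name": "Ransom.Wannacry", "Computer_Name": "WS-001"},
    {"_time": "2024-03-01 08:05:00", "Risk_Name": "Ransom.Wannacry", "Computer_Name": "WS-002"},
    {"_time": "2024-03-01 08:07:00", "Risk_Name": "Ransom.Wannacry", "Computer_Name": "WS-001"},
    {"_time": "2024-03-01 08:30:00", "Risk_Name": "Ransom.Wannacry", "Computer_Name": "WS-003"},
    {"_time": "2024-03-01 09:10:00", "Risk_Name": "Ransom.Wannacry", "Computer_Name": "WS-004"},
    {"_time": "2024-03-01 10:00:00", "Risk_Name": "Trojan.Gen", "Computer_Name": "WS-001"},
    {"_time": "2024-03-01 10:30:00", "Risk_Name": "Trojan.Gen", "Computer_Name": "WS-009"},
    {"_time": "2024-02-20 11:00:00", "Risk_Name": "Hacktool", "Computer_Name": "WS-010"},
    {"_time": "2024-02-20 11:30:00", "Risk_Name": "Hacktool", "Computer_Name": "WS-011"},
    {"_time": "2024-02-20 12:00:00", "Risk_Name": "Hacktool", "Computer_Name": "WS-012"},
    {"_time": "2024-02-20 12:30:00", "Risk_Name": "Hacktool", "Computer_Name": "WS-013"},
    {"_time": "2024-03-01 12:00:00", "Risk_Name": "Hacktool", "Computer_Name": "WS-014"},
]


def find_outbreaks(events, now, window=timedelta(hours=24), min_hosts=3):
    """Return {Risk_Name: sorted distinct computers} for every risk seen on
    more than `min_hosts` computers within `window` before `now` (a string
    in TIME_FMT). This is the transaction/stats-by-Risk_Name grouping
    followed by a distinct count of computers, done in Python."""
    end = datetime.strptime(now, TIME_FMT)
    cutoff = end - window
    hosts_by_risk = defaultdict(set)
    for ev in events:
        ts = datetime.strptime(ev["_time"], TIME_FMT)
        if ts < cutoff or ts > end:
            continue  # outside the search's time range (last 24 hours)
        # A set deduplicates repeat detections on the same computer, so
        # one noisy host cannot look like an outbreak on its own.
        hosts_by_risk[ev["Risk_Name"]].add(ev["Computer_Name"])
    return {risk: sorted(hosts) for risk, hosts in hosts_by_risk.items()
            if len(hosts) > min_hosts}


if __name__ == "__main__":
    for risk, hosts in find_outbreaks(SAMPLE_EVENTS, "2024-03-01 18:00:00").items():
        print(f"{risk}: {len(hosts)} computers -> {', '.join(hosts)}")
```

Only Ransom.Wannacry is reported for the 2024-03-01 window: Trojan.Gen touches two computers, and the four older Hacktool hits fall outside the 24-hour range.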

Screenshot of Demo Data