Multiple Infections on Host

Description

Finds hosts that have logged multiple different infections in a short period of time.


Use Case

Security Monitoring

Category

Endpoint Compromise

Security Impact

Viruses happen, but multiple viruses at once are a greater concern, as it could indicate an exploit kit that tries several techniques where some might succeed, or just a host with multiple unrelated viruses. Those hosts should be prioritized and investigated immediately to see what else might not have been caught.

Alert Volume

Low

SPL Difficulty

Basic

Journey

Stage 1

MITRE ATT&CK Tactics

Initial Access
Execution

MITRE ATT&CK Techniques

Drive-by Compromise
Spearphishing Attachment
Spearphishing Link
User Execution

MITRE Threat Groups

APT12
APT19
APT28
APT29
APT32
APT33
APT37
APT38
APT39
APT41
BRONZE BUTLER
Cobalt Group
Dark Caracal
DarkHydrus
Darkhotel
Dragonfly 2.0
Elderwood
FIN4
FIN7
FIN8
Gallmaker
Gorgon Group
Kimsuky
Lazarus Group
Leafminer
Leviathan
Machete
Magic Hound
MuddyWater
Night Dragon
OilRig
PLATINUM
Patchwork
Rancor
Silence
Stolen Pencil
TA459
TA505
The White Company
Threat Group-3390
Tropic Trooper
Turla
admin@338
menuPass

Kill Chain Phases

Delivery

Data Sources

Anti-Virus or Anti-Malware

How to Implement

With Symantec Endpoint Protection logs onboarded, these searches should work as written. If you use a different anti-virus product, they should be easy to adapt to that product's field names and sourcetypes -- particularly if you use a Splunk Add-on that maps them to the Common Information Model (search Splunkbase for one).

Known False Positives

No known false positives.

How To Respond

When multiple infections occur on the same host, your response plan should be the same as for any malware event, just with greater urgency.

Help

Multiple Infections on Host Help

This example leverages the Simple Search search assistant. Our example dataset is a collection of anonymized Symantec Endpoint Protection logs (onboarded in accordance with our Data Onboarding Guides), in which someone does something bad. Our live search looks for the same behavior using the standardized sourcetypes for Symantec Endpoint Protection or the Common Information Model.

SPL for Multiple Infections on Host

Demo Data

First we bring in our basic demo dataset, Symantec Endpoint Protection Risks. We're using a macro called Load_Sample_Log_Data that wraps | inputlookup, just so the demo search reads more cleanly.
While there are several approaches to grouping events, and stats is the fastest, we're using transaction because it's the easiest. This groups all the events by Computer_Name.
Finally we filter for hosts with at least three events that span at least a few minutes.

Live Data

First we bring in our basic dataset, Symantec Endpoint Protection Risks, over the last 24 hours.
While there are several approaches to grouping events, and stats is the fastest, we're using transaction because it's the easiest. This groups all the events by Computer_Name.
Finally we filter for hosts with at least three events that span at least a few minutes.

Accelerated Data

First we bring in our accelerated Malware data model, grouped by host and minute.
We then simplify field names by stripping the data model name from the start of each.
Next we use the transaction command to group multiple events for the same host. Why transaction? Because it's simple and the dataset will be very small.
Finally we filter for hosts with at least three different events spanning at least four minutes.
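The three searches described above, reconstructed as an added example rather than the page's own SPL (the page shows none): demo data first, then live data over the last 24 hours, then the accelerated Malware data model, each ending with the page's filter of at least three events spanning at least four minutes (transaction reports duration in seconds), plus a closing stats variant that counts distinct signatures rather than raw events so that repeated detections of one file do not fire. The macro name and Computer_Name come from the page; the sourcetype symantec:ep:risk:file and the Malware_Attacks.dest / Malware_Attacks.signature fields are assumptions taken from the Symantec add-on and the CIM Malware data model.

```spl
| `Load_Sample_Log_Data(Symantec Endpoint Protection Risks)`
| transaction Computer_Name
| where eventcount >= 3 AND duration >= 240
| table Computer_Name eventcount duration

sourcetype="symantec:ep:risk:file" earliest=-24h
| transaction Computer_Name
| where eventcount >= 3 AND duration >= 240
| table Computer_Name eventcount duration

| tstats summariesonly=true count from datamodel=Malware where earliest=-24h
    by Malware_Attacks.dest Malware_Attacks.signature _time span=1m
| rename Malware_Attacks.* AS *
| transaction dest
| where eventcount >= 3 AND duration >= 240
| table dest eventcount duration signature

| tstats summariesonly=true count from datamodel=Malware where earliest=-24h
    by Malware_Attacks.dest Malware_Attacks.signature _time span=1m
| rename Malware_Attacks.* AS *
| stats dc(signature) AS distinct_signatures values(signature) AS signatures
        min(_time) AS first_seen max(_time) AS last_seen by dest
| eval span_seconds = last_seen - first_seen
| where distinct_signatures >= 3 AND span_seconds >= 240
```

The stats variant runs on the same summary data as the transaction version but scales to large fleets and surfaces the list of signatures seen, which is what an analyst wants first when prioritizing the host.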

Screenshot of Demo Data