Multiple Infections on Host


Description

Finds hosts that have logged multiple different infections in a short period of time.

Use Case

Security Monitoring

Category

Endpoint Compromise

Security Impact

Viruses happen, but multiple viruses at once are a greater concern, as it could indicate an exploit kit that tries several techniques where some might succeed, or just a host with multiple unrelated viruses. Those hosts should be prioritized and investigated immediately to see what else might not have been caught.

Alert Volume

Low

SPL Difficulty

Basic

Data Availability

Bad

Journey

Stage 1

MITRE ATT&CK Tactics

Initial Access
Execution

MITRE ATT&CK Techniques

Drive-by Compromise
Spearphishing Attachment
Spearphishing Link
User Execution
Phishing
Spearphishing Attachment
Spearphishing Link

MITRE Threat Groups

RTM
APT32
Elderwood
PLATINUM
Patchwork
Lazarus Group
Leafminer
Darkhotel
APT19
Turla
BRONZE BUTLER
Dragonfly 2.0
APT38
GOLD SOUTHFIELD
Windshift
Dragonfly
PROMETHIUM
Threat Group-3390
Dark Caracal
APT37

Kill Chain Phases

Delivery

Data Sources

Anti-Virus or Anti-Malware

How to Implement

With Symantec logs onboard, these searches should work easily. If you have a different Anti-Virus product, they should be very easy to adapt to the field names and sourcetypes for that product -- particularly if you use a Splunk Add-on that maps them to the Common Information Model (search on Splunkbase!).

Known False Positives

No known false positives.

How To Respond

When multiple infections occur to the same host, your response plan should be the same as any malware event, just with greater urgency.

Help

Multiple Infections on Host Help

This example leverages the Simple Search search assistant. Our example dataset is a collection of anonymized Symantec Endpoint Protection logs (onboarded in accordance with our Data Onboarding Guides), during which someone does something bad. Our live search looks for the same behavior using the standardized sourcetypes for Symantec Endpoint Protection or the Common Information Model.

SPL for Multiple Infections on Host

Demo Data

First we bring in our basic demo dataset, Symantec Endpoint Protection Risks. We're using a macro called Load_Sample_Log_Data to wrap around | inputlookup, just so it is cleaner for the demo data.
While there are several approaches to grouping events, and stats is the fastest, we're using transaction because it's the easiest. This will let us group all the events based on the Computer_Name.
Finally we filter for hosts with at least three events spanning at least a few minutes.

Live Data

First we bring in our basic dataset, Symantec Endpoint Protection Risks, over the last 24 hours.
While there are several approaches to grouping events, and stats is the fastest, we're using transaction because it's the easiest. This will let us group all the events based on the Computer_Name.
We then filter for hosts with at least three events spanning at least a few minutes.
Finally, we can put things in a table to make it easy to use.
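The demo and live searches described above, written out as an added example; this is not the SPL shipped with the page. Assumed, not taken from the page: the argument form of the `Load_Sample_Log_Data` macro, the sourcetype `symantec:ep:risk:file` (the Splunk Add-on for Symantec Endpoint Protection's risk log sourcetype), the `Risk_Name` field, a 180-second `duration` as "a few minutes", and the `maxspan=1h` bound on the transaction.

```spl
| `Load_Sample_Log_Data(Symantec Endpoint Protection Risks)`
| transaction Computer_Name
| where eventcount>=3 AND duration>=180

sourcetype="symantec:ep:risk:file" earliest=-24h
| transaction Computer_Name maxspan=1h
| where eventcount>=3 AND duration>=180
| table _time Computer_Name eventcount duration Risk_Name
```

The first search is the demo-data version, the second the live version. `transaction` produces `eventcount` and `duration` (in seconds) for each group, and merges `Risk_Name` into a multivalue field, so the final table shows every signature that fired on the host in one row. `maxspan=1h` keeps two unrelated detections many hours apart from being joined into a single group; drop or widen it if your environment expects slower exploit chains.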

Accelerated Data

First we bring in our accelerated Malware Data Model, grouped by the host and minute.
We then simplify field names by stripping the data model name from the start of each.
Next we use the transaction command to group together multiple events for the same host. Why transaction? Because it's simple and we will have a very small dataset.
Finally we filter for where there are at least three different events spanning at least four minutes.
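The accelerated-data search described above, written out as an added example rather than the page's own SPL. It uses the Common Information Model Malware data model (root dataset `Malware_Attacks`, fields `dest` and `signature`); assumed rather than stated on the page are `summariesonly=true` (only read the accelerated summaries) and the 240-second `duration` as "four minutes".

```spl
| tstats summariesonly=true count from datamodel=Malware.Malware_Attacks
    by _time span=1m Malware_Attacks.dest Malware_Attacks.signature
| rename "Malware_Attacks.*" as *
| transaction dest
| where eventcount>=3 AND duration>=240
| table dest eventcount duration signature
```

Because `tstats` groups by signature and minute, each row entering `transaction` is one distinct signature in one distinct minute, so `eventcount>=3` means three different detections rather than the same signature logged three times. `summariesonly=true` makes the search fast but silently ignores data that has not yet been accelerated; set it to `false` when validating the search against a fresh data model.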

Screenshot of Demo Data