Recurring Infection on Host

Description

Looks for the same malware occurring multiple times on the same host.


Use Case

Security Monitoring

Category

Endpoint Compromise

Security Impact

If the same malware is detected repeatedly on a host, it could mean repeated attacks or an incomplete clean. Regardless, it is something that we should detect and remediate.

Alert Volume

Low

SPL Difficulty

Basic

Journey

Stage 1

MITRE ATT&CK Tactics

Initial Access
Execution

MITRE ATT&CK Techniques

Drive-by Compromise
Spearphishing Link
Spearphishing Attachment
User Execution

MITRE Threat Groups

APT12
APT19
APT28
APT29
APT32
APT33
APT37
APT38
APT39
APT41
BRONZE BUTLER
Cobalt Group
Dark Caracal
DarkHydrus
Darkhotel
Dragonfly 2.0
Elderwood
FIN4
FIN7
FIN8
Gallmaker
Gorgon Group
Kimsuky
Lazarus Group
Leafminer
Leviathan
Machete
Magic Hound
MuddyWater
Night Dragon
OilRig
PLATINUM
Patchwork
Rancor
Silence
Stolen Pencil
TA459
TA505
The White Company
Threat Group-3390
Tropic Trooper
Turla
admin@338
menuPass

Kill Chain Phases

Delivery

Data Sources

Anti-Virus or Anti-Malware

How to Implement

With Symantec Endpoint Protection logs onboard, these searches should work easily. If you have a different Anti-Virus product, they should be very easy to adapt to the field names and sourcetypes for that product -- particularly if you use a Splunk Add-on that maps them to the Common Information Model (search on Splunkbase!).

Known False Positives

No known false positives at this time.

How To Respond

When you see repeated infections on the same host, you should strive to understand how the system is being reinfected. If you can see behavior such as proxy logs indicating suspicious activity, or suspicious emails passing through the spam filter, that might be an indication that the user needs some education or that your malware solution needs to be strengthened. If you can't determine the reason for the reinfection, consider the possibility that the host still had an infection from the first occurrence and it simply reactivated other functionality that AV caught, particularly if you didn't wipe the host the first time around. If you didn't, the time is now.

Help

Recurring Infection on Host Help

This example leverages the Simple Search search assistant. Our example dataset is a collection of anonymized Symantec Endpoint Protection logs (onboarded in accordance with our Data Onboarding Guides), during which someone does something bad. Our live search looks for the same behavior using the standardized sourcetypes for Symantec Endpoint Protection or the Common Information Model.

SPL for Recurring Infection on Host

Demo Data

First we bring in our basic demo dataset, Symantec Endpoint Protection Risks. We're using a macro called Load_Sample_Log_Data to wrap around | inputlookup, just so it is cleaner for the demo data.
Next we use stats to calculate the distance between the earliest and latest time of an infection with the range() function. This will give us a number in seconds.
Then we filter for a range of greater than 30 minutes (so at least 30 minutes between infections).
Finally we do some formatting to provide usable numbers, so that no one has to calculate seconds to days.

Live Data

First we bring in our basic dataset, Symantec Endpoint Protection Risks, over the last thirty days.
Next we use stats to calculate the distance between the earliest and latest time of an infection with the range() function. This will give us a number in seconds.
Then we filter for a range of greater than 30 minutes (so at least 30 minutes between infections).
Finally we do some formatting to provide usable numbers, so that no one has to calculate seconds to days.
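The four steps above (shared by the demo and live searches) re-implemented in Python as an added example; this is not code from Splunk Security Essentials. It groups constructed sample events by host and signature using the Common Information Model field names dest and signature, computes the earliest-to-latest range in seconds the way stats range(_time) does, keeps only groups whose range exceeds 30 minutes, and formats the result as days, hours and minutes.

```python
from collections import defaultdict
from datetime import datetime, timezone

MIN_RANGE_SECONDS = 30 * 60  # the search keeps ranges of more than 30 minutes

# Constructed sample events using CIM Malware_Attacks field names (dest, signature).
# These are not real Symantec Endpoint Protection records.
SAMPLE_EVENTS = [
    {"_time": "2024-03-01T08:00:00Z", "dest": "wkstn-17", "signature": "Trojan.Gen.2"},
    {"_time": "2024-03-01T08:05:00Z", "dest": "wkstn-17", "signature": "Trojan.Gen.2"},  # same scan burst
    {"_time": "2024-03-03T14:30:00Z", "dest": "wkstn-17", "signature": "Trojan.Gen.2"},  # two days later
    {"_time": "2024-03-02T09:00:00Z", "dest": "wkstn-22", "signature": "PUA.Adware"},
    {"_time": "2024-03-02T09:10:00Z", "dest": "wkstn-22", "signature": "PUA.Adware"},    # only 10 min apart
    {"_time": "2024-03-04T11:00:00Z", "dest": "srv-db-01", "signature": "Backdoor.Gen"},  # single detection
]


def parse_time(ts):
    """ISO-8601 UTC timestamp -> epoch seconds, matching Splunk's numeric _time."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def format_duration(seconds):
    """Turn a range in seconds into 'Xd Yh Zm' so nobody converts seconds to days by hand."""
    days, rem = divmod(int(seconds), 86400)
    hours, rem = divmod(rem, 3600)
    return f"{days}d {hours}h {rem // 60}m"


def recurring_infections(events, min_range=MIN_RANGE_SECONDS):
    """Equivalent of: stats count earliest(_time) latest(_time) range(_time) by dest signature
    | where range > min_range, followed by the duration formatting step."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["dest"], ev["signature"])].append(parse_time(ev["_time"]))
    results = []
    for (dest, signature), times in sorted(groups.items()):
        rng = max(times) - min(times)  # range() = latest - earliest, in seconds
        if rng > min_range:
            results.append({"dest": dest, "signature": signature, "count": len(times),
                            "range_seconds": rng, "range": format_duration(rng)})
    return results


if __name__ == "__main__":
    for row in recurring_infections(SAMPLE_EVENTS):
        print(row)
```

Only wkstn-17 survives the filter: its three detections span 2 days 6h 30m, while the two wkstn-22 hits are a single 10-minute burst and srv-db-01 has one detection and therefore a range of zero.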

Screenshot of Demo Data