Recurring Infection on Host

Description

Looks for the same malware occurring multiple times on the same host.


Use Case

Security Monitoring

Category

Endpoint Compromise

Security Impact

If the same malware is detected repeatedly on a host, it could mean repeated attacks or an incomplete clean. Regardless, it is something that we should detect and remediate.

Alert Volume

Low

SPL Difficulty

Basic

Data Availability

Bad

Journey

Stage 1

MITRE ATT&CK Tactics

Initial Access
Execution

MITRE ATT&CK Techniques

Drive-by Compromise
Spearphishing Link
Spearphishing Attachment
User Execution
Phishing
Spearphishing Attachment
Spearphishing Link

MITRE Threat Groups

RTM
APT32
Elderwood
PLATINUM
Patchwork
Lazarus Group
Leafminer
Darkhotel
APT19
Turla
BRONZE BUTLER
Dragonfly 2.0
APT38
GOLD SOUTHFIELD
Windshift
Dragonfly
PROMETHIUM
Threat Group-3390
Dark Caracal
APT37

Kill Chain Phases

Delivery

Data Sources

Anti-Virus or Anti-Malware

How to Implement

With Symantec Endpoint Protection logs onboard, these searches should work easily. If you have a different Anti-Virus product, they should be very easy to adapt to the field names and sourcetypes for that product -- particularly if you use a Splunk Add-on that maps them to the Common Information Model (search on Splunkbase!).

Known False Positives

No known false positives at this time.

How To Respond

When you see repeated infections on the same host, you should strive to understand how the system is being reinfected. If you can see behavior such as proxy logs indicating suspicious activities, or suspicious emails going through the spam filter, that might be an indication that the user needs some education or that your malware solution needs to be strengthened. If you can't determine the reason for the reinfection, consider the possibility that the host still had an infection from the first occurrence and it just reactivated other functionality that AV caught, particularly if you didn't wipe the host the first time around. If you didn't, the time is now.

Help

Recurring Infection on Host Help

This example leverages the Simple Search search assistant. Our example dataset is a collection of anonymized Symantec Endpoint Protection logs (onboarded in accordance with our Data Onboarding Guides), during which someone does something bad. Our live search looks for the same behavior using the standardized sourcetypes for Symantec Endpoint Protection or the Common Information Model.

SPL for Recurring Infection on Host

Demo Data

First we bring in our basic demo dataset, Symantec Endpoint Protection Risks. We're using a macro called Load_Sample_Log_Data to wrap around | inputlookup, just so it is cleaner for the demo data.
Next we use stats to calculate the distance between the earliest and latest time of an infection with the range() function. This will give us a number in seconds.
Then we filter for a range of greater than 30 minutes (so at least 30 minutes between infections).
Finally we do some formatting to provide usable numbers, so that no one has to calculate seconds to days.

Live Data

First we bring in our basic dataset, Symantec Endpoint Protection Risks, over the last thirty days.
Next we use stats to calculate the distance between the earliest and latest time of an infection with the range() function. This will give us a number in seconds.
Then we filter for a range of greater than 30 minutes (so at least 30 minutes between infections).
Finally we do some formatting to provide usable numbers, so that no one has to calculate seconds to days.
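The four steps above, written out as a complete search. This is an added example, not the search shipped with Splunk Security Essentials; it assumes the Symantec Endpoint Protection add-on's risk sourcetype `symantec:ep:risk:file` and the CIM field names `dest` (the host) and `signature` (the malware name), so swap in your own sourcetype and field names if your product or add-on uses different ones. The demo-data variant is identical apart from the first line, which would call the `Load_Sample_Log_Data` macro instead of searching the sourcetype.

```spl
sourcetype="symantec:ep:risk:file" earliest=-30d
| stats count min(_time) as first_seen max(_time) as last_seen range(_time) as time_range by dest signature
| where time_range > 1800
| eval days_between=round(time_range/86400, 1), hours_between=round(time_range/3600, 1)
| convert ctime(first_seen) ctime(last_seen)
| table dest signature count first_seen last_seen days_between hours_between
| sort - count
```

`range(_time)` returns the gap in seconds between the first and last detection of that signature on that host; the `where` clause keeps only pairs at least 30 minutes (1800 seconds) apart, and the `eval` converts the gap into hours and days so an analyst does not have to do the arithmetic. Tuning the 1800-second threshold is the main knob: raising it suppresses a scanner re-alerting on the same file within one scan cycle, lowering it surfaces faster reinfection loops.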

Accelerated Data

First we bring in our basic dataset, from the Malware datamodel, over the last thirty days.
We use tstats to calculate the distance between the earliest and latest time of an infection with the range() function. This will give us a number in seconds.
Then we filter for a range of greater than 30 minutes (so at least 30 minutes between infections).
Finally we do some formatting to provide usable numbers, so that no one has to calculate seconds to days.
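The same logic against the accelerated Malware data model, as an added example rather than the Security Essentials search itself. It uses the CIM `Malware_Attacks` object and its `dest` and `signature` fields; `min(_time)` and `max(_time)` are used in place of `range()` and the difference is computed with `eval`, which yields the same number of seconds and keeps the search portable across `tstats` versions.

```spl
| tstats summariesonly=true count min(_time) as first_seen max(_time) as last_seen
    from datamodel=Malware.Malware_Attacks where earliest=-30d
    by Malware_Attacks.dest Malware_Attacks.signature
| rename Malware_Attacks.* as *
| eval time_range=last_seen-first_seen
| where time_range > 1800
| eval days_between=round(time_range/86400, 1), hours_between=round(time_range/3600, 1)
| convert ctime(first_seen) ctime(last_seen)
| table dest signature count first_seen last_seen days_between hours_between
| sort - count
```

`summariesonly=true` restricts the search to already-accelerated summaries, which is what makes it fast over thirty days of data; if acceleration is not yet backfilled for the whole window, recent hosts can be missing, so check the data model's acceleration status before trusting an empty result.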

Screenshot of Demo Data