Endpoint Uncleaned Malware Detection

Description

Detect a system on which a malware detection was not properly cleaned; such systems carry a high risk of damage or disclosure of data.


Use Case

Security Monitoring, Compliance

Category

GDPR, Endpoint Compromise

Security Impact

In any environment, uncleaned malware means that there is still malware located in your environment. For environments that handle data under the GDPR, Article 32 requires that you regularly test, assess and evaluate the effectiveness of your implemented technical and organizational security controls. If the Supervisory Authority exercises its powers and your organization is in the scope of a privacy audit, you need to demonstrate compliance (Article 58). Also, in case you face a breach and individuals are impacted, they have the right to compensation for the damage; if an organization can prove that it has done everything appropriate to the risk and deployed proper countermeasures, it shouldn't be liable (Article 82). Clearing out viruses can in most cases be considered appropriate, and your organization should be able to prove compliance.

Alert Volume

Low

SPL Difficulty

Basic

Journey

Stage 1

MITRE ATT&CK Tactics

Execution
Initial Access

MITRE ATT&CK Techniques

User Execution
Drive-by Compromise
Spearphishing Attachment
Spearphishing Link

MITRE Threat Groups

APT12
APT19
APT28
APT29
APT32
APT33
APT37
APT38
APT39
APT41
BRONZE BUTLER
Cobalt Group
Dark Caracal
DarkHydrus
Darkhotel
Dragonfly 2.0
Elderwood
FIN4
FIN7
FIN8
Gallmaker
Gorgon Group
Kimsuky
Lazarus Group
Leafminer
Leviathan
Machete
Magic Hound
MuddyWater
Night Dragon
OilRig
PLATINUM
Patchwork
Rancor
Silence
Stolen Pencil
TA459
TA505
The White Company
Threat Group-3390
Tropic Trooper
Turla
admin@338
menuPass

Data Sources

Anti-Virus or Anti-Malware

GDPR Relevance

Problem

Despite initial detection from traditional anti-malware tools, malware often persists undetected on endpoints. This can occur when malware uses evasive techniques to spread to other endpoints without triggering an alert, or if an infection or re-infection occurs due to incomplete remediation or a response that does not address the root of the infection.

Impact

Uncleaned malware puts digital systems at risk. For any environments or systems that are involved in processing personal data, this situation can be critical, and especially so in a GDPR context. Article 32 of the GDPR requires that organizations regularly test, assess and evaluate the effectiveness of implemented technical and organizational security controls. In the event that a Supervisory Authority exercises its powers to place an organization within the scope of a privacy audit, the organization must demonstrate compliance (Article 58). If the organization faces a personal data breach and individuals are impacted, those individuals have the right to demand compensation for material and non-material damage caused by the breach. The organization must prove that it has understood and addressed the risk appropriately and deployed proper countermeasures (Article 82).

Resolution Path

Removing malware infections that antivirus and other legacy endpoint protection software cannot remove (whether due to file permissions or other configurations that prevent easy quarantine or cleaning) can in many cases be considered appropriate, and helps to demonstrate compliance.

How to Implement

With anti-malware logs onboarded, these searches should work easily, particularly if you use a Splunk Add-on that maps the logs to the Common Information Model (search on Splunkbase!).

Known False Positives

No known false positives at this time.

How To Respond

When this occurs, you should begin a standard incident response process on this host.

Help

Endpoint Uncleaned Malware Detection Help

This example leverages the Simple Search search assistant. Our example dataset is a collection of anonymized Symantec Endpoint Protection logs (onboarded in accordance with our Data Onboarding Guides) in which a virus is not cleaned. Our live search looks for the same behavior using the standardized sourcetypes for Symantec Endpoint Protection or the Common Information Model.

SPL for Endpoint Uncleaned Malware Detection

Demo Data

First we bring in our basic demo dataset. In this case, we are using risk events from Symantec Endpoint Protection. We're using a macro called Load_Sample_Log_Data to wrap around | inputlookup, just so it is cleaner for the demo data.
To detect uncleaned malware, we look for events where the action actually taken is neither the primary (requested) nor the secondary action expected.
Finally we put everything in a nice and usable table!

Live Data

First we bring in our basic dataset. In this case, we are using risk events from Symantec Endpoint Protection.
To detect uncleaned malware, we look for events where the action actually taken is neither the primary (requested) nor the secondary action expected.
Finally we put everything in a nice and usable table!
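The three steps above (load the risk events, keep only those where the action taken is neither the requested nor the secondary action, then tabulate) are shown here as an added Python example that is not part of Splunk Security Essentials and is not the page's SPL. It runs the same check over a constructed, CSV-style sample of Symantec Endpoint Protection risk events; the column names (actual_action, requested_action, secondary_action), the action vocabulary in OUTCOME_TO_ACTION and the sample rows are all assumptions modelled on SEP risk-log exports, not the Splunk add-on's CIM field names. One detail the prose glosses over: SEP reports the outcome in the past tense ("Cleaned") while the requested action is a verb ("Clean"), so a naive string comparison would flag every event; the example normalizes both sides before comparing.

```python
import csv
import io
from collections import Counter

# Constructed sample risk events (assumed column names and values, modelled on
# SEP risk-log exports; not real data and not the add-on's field names).
SAMPLE_RISK_LOG = """\
time,computer_name,risk_name,actual_action,requested_action,secondary_action,file_path
2023-03-01 09:12:04,WS-001,Trojan.Gen.2,Cleaned,Clean,Quarantine,C:\\Users\\alice\\Downloads\\invoice.exe
2023-03-01 09:15:40,WS-002,W32.Downloader,Quarantined,Clean,Quarantine,C:\\Temp\\dl.exe
2023-03-01 09:20:11,WS-003,Backdoor.Trojan,Left alone,Clean,Quarantine,C:\\Windows\\Temp\\svc.dll
2023-03-01 09:31:58,WS-003,Backdoor.Trojan,Access denied,Clean,Quarantine,C:\\Windows\\Temp\\svc.dll
2023-03-01 10:02:33,WS-004,Hacktool.Gen,Deleted,Delete,Leave alone,D:\\tools\\hk.exe
2023-03-01 10:45:02,WS-005,Trojan.Gen.2,Pending restart,Clean,Quarantine,C:\\Users\\bob\\a.exe
"""

# Assumed vocabulary: map the past-tense outcome SEP writes into "actual action"
# onto the base verb used for requested/secondary actions. Outcomes not listed
# here ("Left alone" aside) are never a successful remediation and stay as-is.
OUTCOME_TO_ACTION = {
    "cleaned": "clean",
    "quarantined": "quarantine",
    "deleted": "delete",
    "left alone": "leave alone",
}


def normalize(action):
    """Lower-case, collapse whitespace and map outcome wording to the base verb."""
    key = " ".join(action.strip().lower().split())
    return OUTCOME_TO_ACTION.get(key, key)


def parse_risk_events(text):
    """Step 1: load the risk events (stands in for the inputlookup / sourcetype search)."""
    return list(csv.DictReader(io.StringIO(text)))


def is_uncleaned(event):
    """Step 2: the action taken is neither the requested nor the secondary action."""
    actual = normalize(event["actual_action"])
    expected = {
        normalize(event["requested_action"]),
        normalize(event["secondary_action"]),
    }
    return actual not in expected


def find_uncleaned(events):
    """Return only the events that indicate malware was left on the endpoint."""
    return [e for e in events if is_uncleaned(e)]


def summarize_by_host(events):
    """Count uncleaned detections per host; repeated hits on one host are a strong signal."""
    return Counter(e["computer_name"] for e in find_uncleaned(events))


def render_table(events):
    """Step 3: a plain-text table of the flagged events, the analyst-facing view."""
    columns = ["time", "computer_name", "risk_name", "actual_action",
               "requested_action", "secondary_action", "file_path"]
    rows = [columns] + [[e[c] for c in columns] for e in find_uncleaned(events)]
    widths = [max(len(r[i]) for r in rows) for i in range(len(columns))]
    return "\n".join("  ".join(cell.ljust(w) for cell, w in zip(r, widths)).rstrip()
                     for r in rows)


if __name__ == "__main__":
    evts = parse_risk_events(SAMPLE_RISK_LOG)
    print(render_table(evts))
    print()
    print("uncleaned detections per host:", dict(summarize_by_host(evts)))
```

On the constructed sample, the events from WS-001, WS-002 and WS-004 are dropped because the outcome matches the requested or secondary action once normalized, while the two WS-003 events and the WS-005 event are flagged. Each flagged host is a candidate for the incident response process described under How To Respond; the per-host count is what you would feed into a notable event or risk score.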

Screenshot of Demo Data