Potential Widespread Malware Infection Across Multiple Hosts
This rule uses alert data to determine when a malware signature is triggered in multiple hosts. Analysts can use this to prioritize triage and response, as this can potentially indicate a widespread malware infection.
Elastic rule
[metadata]
creation_date = "2024/05/08"
maturity = "production"
updated_date = "2025/01/15"
min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully"
min_stack_version = "8.13.0"

[rule]
author = ["Elastic"]
description = """
This rule uses alert data to determine when a malware signature is triggered in multiple hosts. Analysts can use this
to prioritize triage and response, as this can potentially indicate a widespread malware infection.
"""
from = "now-9m"
language = "esql"
license = "Elastic License v2"
name = "Potential Widespread Malware Infection Across Multiple Hosts"
references = [
    "https://github.com/elastic/protections-artifacts/tree/main/yara/rules"
]
risk_score = 73
rule_id = "28371aa1-14ed-46cf-ab5b-2fc7d1942278"
severity = "high"
tags = [
    "Domain: Endpoint",
    "Data Source: Elastic Defend",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Rule Type: Higher-Order Rule",
    "Resources: Investigation Guide"
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
from logs-endpoint.alerts-*
| where event.code in ("malicious_file", "memory_signature", "shellcode_thread") and rule.name is not null
| keep host.id, rule.name, event.code
| stats hosts = count_distinct(host.id) by rule.name, event.code
| where hosts >= 3
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Widespread Malware Infection Across Multiple Hosts

Endpoint security technologies monitor and analyze activities on devices to detect malicious behavior. Adversaries exploit these systems by deploying malware that triggers specific signatures across multiple hosts, indicating a coordinated attack. The detection rule identifies such threats by analyzing alert data for specific malware signatures across several hosts, flagging potential widespread infections for prioritized investigation.

### Possible investigation steps

- Review the alert details to identify the specific rule.name and event.code that triggered the alert, focusing on those with a high count of distinct host.id values.
- Correlate the identified rule.name with known malware signatures or recent threat intelligence reports to understand the potential impact and behavior of the malware.
- Examine the affected host.id entries to determine if there are any commonalities, such as shared network segments, user accounts, or software versions, that could indicate the initial infection vector.
- Investigate the timeline of events for each affected host to identify any suspicious activities or anomalies preceding the alert, such as unusual file downloads or execution of unknown processes.
- Check for any additional alerts or logs related to the same host.id entries to assess if there are other indicators of compromise or related malicious activities.
- Coordinate with IT and security teams to isolate affected hosts if necessary, and initiate containment and remediation procedures based on the findings.

### False positive analysis

- Legitimate software updates or installations may trigger malware signatures, especially if they involve new or uncommon software. Users can create exceptions for known software update processes to prevent these alerts from being flagged as potential threats.
- Security testing tools or penetration testing activities might mimic malware behavior, leading to false positives. Analysts should coordinate with IT and security teams to whitelist these activities during scheduled tests.
- Custom scripts or administrative tools that perform automated tasks across multiple hosts can be mistaken for malicious activity. Identifying and excluding these scripts from the rule can reduce unnecessary alerts.
- Frequent use of remote management tools that execute scripts or commands on multiple hosts may trigger alerts. Users should ensure these tools are recognized and excluded from the rule to avoid false positives.
- Known benign applications that use shellcode or memory manipulation techniques for legitimate purposes should be reviewed and added to an exception list to prevent them from being flagged.

### Response and remediation

- Isolate affected hosts immediately to prevent further spread of the malware across the network. This can be done by disconnecting them from the network or using network segmentation techniques.
- Conduct a thorough scan of the isolated hosts using updated antivirus or endpoint detection and response (EDR) tools to identify and remove the malicious files or processes associated with the detected signatures.
- Analyze the identified malware to understand its behavior and entry points. This will help in determining if additional hosts may be compromised and require similar remediation actions.
- Apply security patches and updates to all affected systems to close any vulnerabilities that the malware may have exploited.
- Restore affected systems from clean backups if the malware has caused significant damage or if the integrity of the system cannot be assured after cleaning.
- Monitor network traffic and endpoint activities closely for any signs of persistence or re-infection, using enhanced detection rules and updated threat intelligence feeds.
- Escalate the incident to the appropriate internal or external cybersecurity teams if the infection appears to be part of a larger coordinated attack, ensuring that all relevant data and findings are shared for further investigation and response."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1204"
name = "User Execution"
reference = "https://attack.mitre.org/techniques/T1204/"
[[rule.threat.technique.subtechnique]]
id = "T1204.002"
name = "Malicious File"
reference = "https://attack.mitre.org/techniques/T1204/002/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
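To make the query's semantics concrete, here is an added Python re-implementation of the rule's aggregation (not Elastic's code): it applies the same event.code filter and rule.name null check, counts distinct host.id per (rule.name, event.code) rather than raw alert volume, and applies the `hosts >= 3` threshold. The alert documents and rule names below are constructed for illustration, and the `excluded_rules` parameter is a hypothetical addition that models the exception list the false-positive section recommends.

```python
from collections import defaultdict

# Alert sources the rule reads (mirrors the ES|QL `where event.code in (...)`).
MALWARE_EVENT_CODES = {"malicious_file", "memory_signature", "shellcode_thread"}
HOST_THRESHOLD = 3  # the rule's `where hosts >= 3`


def widespread_signatures(alerts, threshold=HOST_THRESHOLD, excluded_rules=()):
    """Group alerts by (rule.name, event.code) and keep groups seen on >= threshold distinct hosts.

    `alerts` is an iterable of dicts keyed by the flattened ECS field names
    event.code, rule.name and host.id. `excluded_rules` is a hypothetical
    exception list (not part of the Elastic rule) for known-benign signatures.
    Returns {(rule.name, event.code): sorted distinct host ids} for matches.
    """
    hosts_by_group = defaultdict(set)
    for alert in alerts:
        code = alert.get("event.code")
        rule_name = alert.get("rule.name")
        host = alert.get("host.id")
        # `event.code in (...)` and `rule.name is not null`; hosts without an id cannot be counted.
        if code not in MALWARE_EVENT_CODES or rule_name is None or host is None:
            continue
        if rule_name in excluded_rules:
            continue
        hosts_by_group[(rule_name, code)].add(host)  # a set gives count_distinct semantics
    return {group: sorted(hosts) for group, hosts in hosts_by_group.items()
            if len(hosts) >= threshold}


# Constructed sample alerts (rule names are made up): five hosts, three signatures.
SAMPLE_ALERTS = [
    {"event.code": "malicious_file", "rule.name": "Windows.Trojan.Example", "host.id": "h1"},
    {"event.code": "malicious_file", "rule.name": "Windows.Trojan.Example", "host.id": "h1"},  # repeat on same host
    {"event.code": "malicious_file", "rule.name": "Windows.Trojan.Example", "host.id": "h2"},
    {"event.code": "malicious_file", "rule.name": "Windows.Trojan.Example", "host.id": "h3"},
    {"event.code": "memory_signature", "rule.name": "Windows.Trojan.Example", "host.id": "h4"},  # separate group
    {"event.code": "shellcode_thread", "rule.name": "Generic.Shellcode", "host.id": "h1"},
    {"event.code": "shellcode_thread", "rule.name": "Generic.Shellcode", "host.id": "h2"},
    {"event.code": "behavior", "rule.name": "Some.Behavior.Rule", "host.id": "h5"},  # event.code not in scope
    {"event.code": "malicious_file", "rule.name": None, "host.id": "h5"},  # rule.name is null
]

if __name__ == "__main__":
    for (rule_name, code), hosts in widespread_signatures(SAMPLE_ALERTS).items():
        print(f"{rule_name} / {code}: {len(hosts)} hosts -> {hosts}")
```

Only the Windows.Trojan.Example / malicious_file group fires: four alerts on three distinct hosts reach the threshold, while the two-host shellcode group and the single-host memory_signature group do not.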