Use DNS data to identify malware patient zero
Malware outbreaks can cripple an organization's computer systems. Quickly identifying "patient zero" allows you to readily contain a malware outbreak, eliminate the malware from that machine while preventing reinfection, and learn more about the application and/or files that delivered the malware. This use case walks you through using Splunk Enterprise Security and DNS (domain name system) data to identify patient zero in a malware outbreak in your environment.
This use case relies on the following data sources, ingested into the Splunk platform in compliance with the Splunk Common Information Model:
- Asset information in the asset lookup. See Add asset and identity data to Splunk Enterprise Security in Administer Splunk Enterprise Security.
- Endpoint anti-malware logs normalized to the Malware CIM data model. For example, Trend Micro OfficeScan server data, which can be added to Splunk Enterprise Security using TA-trendmicro, included with ES. See Install and deploy add-ons in the Installation and Upgrade Manual.
- DNS lookup data normalized to the Network Resolution CIM data model. For example, DNS queries collected by Splunk Stream. See Install and deploy add-ons in the Installation and Upgrade Manual for details on integrating Enterprise Security with Splunk Stream.
- Web surfing activity logs normalized to the Proxy object of the Web CIM data model.
Assess the current state of security incidents
Review notable events identified by Splunk Enterprise Security to see the current state of threats in your environment.
- Log in to Splunk Enterprise Security and view the Incident Review dashboard.
- Filter the notable events by urgency, viewing only the High and Critical events in the Endpoint security domain.
- Choose one of the High or Critical Host With Malware Detected events to investigate.
- Open the event details. The malware Signature is TSPY_FAKEMS.C, a virus definition from TrendMicro.
- Perform a Notable Event Search on the signature using the field actions.
The notable event search opens Incident Review scoped to events with the TSPY_FAKEMS.C malware signature. One of the events notes an Outbreak Detected Of TSPY_FAKEMS.C. That event is created when more than 10 hosts have a malware infection from that signature.
- After identifying the outbreak, open an investigation to share with other analysts. Select the relevant notable events and click Add to Investigation.
- Name the investigation something like Malware outbreak of TSPY_FAKEMS.C and add other analysts as collaborators so they can see your investigation progress.
- The tier one analysts begin cleaning up the malware outbreak.
- Assign the notable event for an infected host to a tier one analyst.
- The tier one analyst takes a forensic image of the hard drive, then has the machine reimaged.
- As the cleanup progresses, the tier one analyst updates the notable event statuses accordingly.
- The tier two analyst continues investigating the malware outbreak in depth.
Perform external research on the malware signature
External research can help you determine additional indicators of compromise specific to this malware signature, or learn about aliases and threat groups associated with the malware.
- The tier two analyst investigates and discovers that the malware signature TSPY_FAKEMS.C is an alias for another malware signature that Microsoft identifies as Trojan:Win32/Foosace.J!dha.
- Further research on the Win32/Foosace malware shows that it is associated with an advanced adversary identified by Microsoft as STRONTIUM.
- You determine that the STRONTIUM group is known to use the
softupdates.infodomains for command and control operations.
- Investigate those domains to see if they appear in your environment.
Investigate the outbreak further with DNS data
Look for DNS requests to the command and control domains. Hunters often use the DNS dashboards included in Enterprise Security "Protocol Intelligence" for this purpose.
- Select Advanced Threat > Protocol Intelligence > DNS Search.
- Type the wildcard domain
*malwarecheck.infoin the Query filter.
- Select a time range of Last 30 days.
- Click Submit to search.
- The search results show DNS requests for the domain
- Open Search and run the following search to determine if DNS queries for
malwarecheck.infoare correlated with the malware outbreak.
tag=dns query=malwarecheck.info [search tag=malware tag=attack signature="TSPY_FAKEMS.C" | eval src=dest | fields src]
The search results confirm that endpoint hosts associated with the malware outbreak are infected with malware and also performing queries to the
malwarecheck.infodomain that operates as a command and control server.
- Use the Investigation Bar to add the search to your investigation from your Action History in the Investigator Journal. This will allow other analysts to perform the same search in the future.
Locate patient zero with DNS data
Endpoint antivirus products can fail to identify malware infections, but now you know that a DNS query to the
malwarecheck.info domain is an indicator of compromise. Report on DNS queries to this domain to determine the earliest signs of infection in your environment, even for hosts where the antivirus product did not identify an infection.
- In the Search dashboard, run a new search to determine which machines, other than those with the endpoint antivirus alerts, are performing DNS queries for the
tag=dns query=malwarecheck.info NOT [search tag=malware tag=attack signature="TSPY_FAKEMS.C" | eval src=dest | fields src] | stats count by src]
The search results show activity from a single host performing a DNS lookup to the
malwarecheck.infodomain hours before the first antivirus alert.
- Add the event that shows this activity from the single host to your investigation using the event actions of the event.
- Add the search to your investigation from your Action History.
- Add a note to the investigation that the infected machine performed DNS queries for the
Complete your investigation and remediate the malware outbreak
Identify patient zero and take remediation steps. After you identify DNS queries to the
malwarecheck.info domain as an indicator of compromise, you know that the first machine to make contact with that domain was the originator of the malware outbreak: Patient Zero.
- Add a note to your investigation with your findings.
- Advise the tier one analysts to take a forensic image of the machine and wipe it to remove the malware infection.
To identify patient zero in the malware outbreak in your environment, you started by reviewing current notable events for malware. After identifying a troublesome malware signature, you performed additional research to determine additional indicators of compromise to help identify further infected hosts. Then you used DNS data to search for DNS queries that indicated command and control activity and located a host that made a query to the command and control host before any other hosts were infected. To contain the outbreak you took action to contain that host and the malware, and completed your investigation.
Using Enterprise Security to find Malware
Investigating potential zero-day activity with Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1