Potential Widespread Malware Infection Across Multiple Hosts

This rule uses alert data to determine when a malware signature is triggered in multiple hosts. Analysts can use this to prioritize triage and response, as this can potentially indicate a widespread malware infection.

Rule type: esql

Rule indices: None

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://github.com/elastic/protections-artifacts/tree/main/yara/rules

Tags:

Domain: Endpoint
Data Source: Elastic Defend
Use Case: Threat Detection
Tactic: Execution
Rule Type: Higher-Order Rule

Version: 2

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

from logs-endpoint.alerts-*
| where event.code in ("malicious_file", "memory_signature", "shellcode_thread") and rule.name is not null
| keep host.id, rule.name, event.code
| stats hosts = count_distinct(host.id) by rule.name, event.code
| where hosts >= 3

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
Technique:
- Name: User Execution
- ID: T1204
- Reference URL: https://attack.mitre.org/techniques/T1204/
Sub-technique:
- Name: Malicious File
- ID: T1204.002
- Reference URL: https://attack.mitre.org/techniques/T1204/002/

« Potential WSUS Abuse for Lateral Movement Potential Windows Error Manager Masquerading »