Salem Spellbook
A series of alert triage runbooks for information security analysts

Malware

Malware alerts detect potentially malicious code on a host system. These alerts can be triggered based on indicators of compromise (IOC) such as a known bad file name or they can be triggered by the behavior of executed code.

Get Runbook PDF

Common Alerts

Alerts that typically can be triaged with this runbook:
  • Suspicious File hash/name/path detected
  • Potentially unwanted/unauthorized  applications in use
  • Reconnaissance tool Detected
  • Potential Key Logger Detected
  • Detection of malicious process or files
  • Process started from unusual Directories like Recycle bin
  • Multiple new process identified on same host
  • Multiple unauthorized file modifications on windows host
  • Scheduled tasks created on multiple hosts
  • RDP Hijacking Tool Detected (Ex : Wanna Cry Ransomeware)
  • Multiple new services identified on same host
  • Internal Connection to Host Categorized as Malware
  • Internal Host Communication with Malware URL
  • Possible Local Worm Detected
  • Malicious Signature detected on Imperva WAF from Same Source to Multiple Destination
  • Virus Detected on Critical Server
  • Spyware Activity Observed
  • Same Threat Detected on Multiple Hosts

Typical false positive scenarios

Most alerts you'll see as a cyber analyst are false positives, here are top false positive scenarios to consider when you're deciding an alert should be escalated to incident response.

Anti-Virus identified blocked and cleaned a potential malware infection
Many organizations will consider this a false positive, since the remediation is complete.  Consult your IR plan.

Legitimate IT software is flagged as malicious
IT organization sometimes add software that behave in similar ways to malware and can be flagged by AV tools.

Anti-Virus incorrectly flagged custom script files that is non-malicious
Custom scripts files are often non-signed by a trusted source which can cause AV to be more likely to flag as malicious.

Tools, such as remote desktop applications will be flagged as potential unwanted software
Attackers and system owners use tools that can have legitimate or malicious uses.  These can be flagged even when used for a legitimate business purpose.

Have questions or changes to propose?

Join the conversation on Twitter @salemcyber

Have too many False Positives?

Learn how Salem, the AI cyber analyst can Reduce false postives for this and many more Cyber Threat Use cases

Learn More
Friends of Salem Newsletter
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.