Connections between network devices and an individual machine
A user on your network reports that his machine has been infected with malware. You need to know whether the user's machine connected to a file server during the infection, so that you can understand the possible scope of the infection.
Required data
Option 1
This sample search uses Sysmon data. You can replace this source with any other system log data used in your organization.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
src=<path to the user's workstation> sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
- In the field sections on the left, click EventDescription.
- Look for a value that indicates a connection to the network, then click it to add it to the search.
- Add the following command to the search and rerun it:
|stats count BY dest_ip |sort - count
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
Splunk Search | Explanation |
---|---|
src=<path to the user's workstation> | Search only connections coming from this user's workstation. If you don't know the whole path, you can search on the host name first, then examine the src field values to find the path. |
sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational | Search only Windows Sysmon operational logs. |
\|stats count BY dest_ip | Count the number of times the individual machine connected to different devices on the network. |
\|sort - count | Sort the results by the destination with the highest number of connections first. |
Result
The table shows all network destinations that the individual machine connected to during the time range you set.
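To check what the Option 1 search should return before running it against production data, here is an added example (not code from the page or from Splunk) that reproduces the same pipeline offline. It parses constructed Sysmon XML events, keeps only Event ID 3 ("Network connection detected", the EventDescription value you click in step 3) from the suspect workstation's source IP, then counts by destination IP and sorts descending, which is what `|stats count BY dest_ip |sort - count` does. The host names, IP addresses and process paths are constructed sample data, and Sysmon's `SourceIp`/`DestinationIp` field names are the raw XML names that Splunk's add-on maps to `src`/`dest_ip`.

```python
# Added example: replicate "src=<workstation> EventDescription=network connection
# | stats count BY dest_ip | sort - count" over constructed Sysmon events.
import xml.etree.ElementTree as ET
from collections import Counter

# Sysmon writes its events in the standard Windows event XML namespace.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
NETWORK_CONNECTION = 3  # Sysmon Event ID 3: "Network connection detected"


def _event(event_id, computer, **data):
    """Build a constructed Sysmon-style XML event string (sample data, not a real log)."""
    fields = "".join(f"<Data Name='{k}'>{v}</Data>" for k, v in data.items())
    return (
        f"<Event xmlns='{NS['e']}'>"
        f"<System><Provider Name='Microsoft-Windows-Sysmon'/>"
        f"<EventID>{event_id}</EventID><Computer>{computer}</Computer></System>"
        f"<EventData>{fields}</EventData></Event>"
    )


# Constructed sample: workstation WS01 (10.1.2.3) connects to two file servers,
# one event is an unrelated process creation (Event ID 1, no destination), and
# one connection comes from a different workstation that must not be counted.
SAMPLE_EVENTS = [
    _event(3, "WS01.example.local", Image=r"C:\Windows\explorer.exe",
           SourceIp="10.1.2.3", DestinationIp="10.1.5.20", DestinationPort="445"),
    _event(3, "WS01.example.local", Image=r"C:\Windows\explorer.exe",
           SourceIp="10.1.2.3", DestinationIp="10.1.5.20", DestinationPort="445"),
    _event(3, "WS01.example.local", Image=r"C:\Users\alice\AppData\Local\Temp\upd.exe",
           SourceIp="10.1.2.3", DestinationIp="10.1.5.20", DestinationPort="445"),
    _event(3, "WS01.example.local", Image=r"C:\Windows\explorer.exe",
           SourceIp="10.1.2.3", DestinationIp="10.1.5.21", DestinationPort="445"),
    _event(1, "WS01.example.local", Image=r"C:\Users\alice\AppData\Local\Temp\upd.exe",
           CommandLine="upd.exe /s"),
    _event(3, "WS02.example.local", Image=r"C:\Windows\explorer.exe",
           SourceIp="10.1.2.99", DestinationIp="10.1.5.20", DestinationPort="445"),
]


def parse_event(xml_text):
    """Flatten one Sysmon XML event into a dict: event_id, computer and every <Data> field."""
    root = ET.fromstring(xml_text)
    event = {
        "event_id": int(root.find("e:System/e:EventID", NS).text),
        "computer": root.find("e:System/e:Computer", NS).text,
    }
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text
    return event


def connections_by_dest(raw_events, src_ip):
    """Equivalent of: src=<workstation> EventID=3 | stats count BY dest_ip | sort - count.

    Returns [(dest_ip, count), ...] with the busiest destination first; ties are
    broken by IP so the order is deterministic.
    """
    counts = Counter()
    for raw in raw_events:
        ev = parse_event(raw)
        if ev["event_id"] != NETWORK_CONNECTION:
            continue  # only "Network connection detected" events carry a destination
        if ev.get("SourceIp") != src_ip:
            continue  # keep only connections originating from the suspect machine
        counts[ev["DestinationIp"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for dest_ip, count in connections_by_dest(SAMPLE_EVENTS, "10.1.2.3"):
        print(f"{dest_ip:<16} {count}")
```

Running the script lists 10.1.5.20 with 3 connections and 10.1.5.21 with 1; the Event ID 1 record and the connection from WS02 are dropped, which is the same narrowing the `src=` and EventDescription clicks perform in Splunk. Keeping `Image` in the parsed event lets you extend the grouping to `dest_ip, Image` if you want to see which process made the connections.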
Option 2
- Set the search time range to the time the infection began, if known.
- Enter the following search command into the search bar:
index=<indexname> host=<hostname> sourcetype=winregistry fileshare
Search explanation
Here is an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
Splunk Search | Explanation |
---|---|
host=<hostname> | Restrict your search to the known infected host. |
sourcetype=winregistry | Search only Windows Registry logs. |
fileshare | Search for results with the “fileshare” string. The string “explorer” can also provide relevant results for this scenario. |
Result
The results include a key_path field that provides the IP address of the fileshare on the network.
You can use this IP address to identify the devices the user connected to and any processes that occurred. This information is useful in determining the scope of the infection.
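As an added example (not code from the page or from Splunk), the following script applies the Option 2 logic to constructed registry events: it restricts to one host, keeps only events containing the free-text term (case-insensitive, as a Splunk search term is), and pulls the IPv4 address out of key_path. The `key="value"` line layout is an assumption for the sample and not Splunk's exact winregistry format; the sample key paths follow the Explorer MountPoints2 convention, where a connected share is recorded as `##server#share`, which is one place a file-share address shows up in key_path.

```python
# Added example: replicate "host=<hostname> sourcetype=winregistry fileshare"
# over constructed registry events and extract the share's IP from key_path.
import re

# Constructed sample lines (not real logs; key="value" layout is assumed).
SAMPLE_REGISTRY_EVENTS = [
    r'host=WS01 registry_type="CreateKey" key_path="HKEY_USERS\S-1-5-21-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##10.1.5.20#fileshare"',
    r'host=WS01 registry_type="SetValue" key_path="HKEY_USERS\S-1-5-21-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater" data="C:\Users\alice\AppData\Local\Temp\upd.exe"',
    r'host=WS01 registry_type="CreateKey" key_path="HKEY_USERS\S-1-5-21-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##10.1.5.21#public"',
    r'host=WS02 registry_type="CreateKey" key_path="HKEY_USERS\S-1-5-21-2002\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##10.1.5.20#fileshare"',
]

HOST = re.compile(r"\bhost=(\S+)")
KEY_PATH = re.compile(r'key_path="([^"]*)"')
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def matching_key_paths(lines, host, terms=("fileshare",)):
    """Equivalent of: host=<hostname> <term> ... and then reading key_path.

    Splunk matches bare search terms case-insensitively, so the comparison is
    done in lower case. Returns the key_path of every event that matches.
    """
    paths = []
    for line in lines:
        h = HOST.search(line)
        if not h or h.group(1) != host:
            continue  # not the infected host
        lower = line.lower()
        if not any(t.lower() in lower for t in terms):
            continue  # event does not contain "fileshare" (or "explorer")
        m = KEY_PATH.search(line)
        if m:
            paths.append(m.group(1))
    return paths


def fileshare_ips(lines, host, terms=("fileshare",)):
    """Sorted, de-duplicated IPv4 addresses found in matching key_path values."""
    found = set()
    for path in matching_key_paths(lines, host, terms):
        found.update(IPV4.findall(path))
    return sorted(found)


if __name__ == "__main__":
    print("fileshare:", fileshare_ips(SAMPLE_REGISTRY_EVENTS, "WS01"))
    print("explorer: ", fileshare_ips(SAMPLE_REGISTRY_EVENTS, "WS01", terms=("explorer",)))
```

With the term "fileshare" only 10.1.5.20 is returned for WS01; widening the search to "explorer", as the explanation table suggests, also surfaces 10.1.5.21 because both MountPoints2 keys live under the Explorer key, while the Run key event is excluded by both terms. The broader term trades precision for coverage, so review the returned key paths rather than just the addresses.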
Next steps
Finally, you might be interested in other processes associated with the Investigating a ransomware attack use case.