Skip to main content
 
 
 
Splunk Lantern

Connections between network devices and an individual machine

 

A user on your network reports that his machine has been infected with malware. You need to know the user’s machine connected to a file server during the infection to understand the possible scope of the infection.

Required data  

System log data

Option 1

This sample search uses Sysmon data. You can replace this source with any other system log data used in your organization.

  1. Run the following search.You can optimize it by specifying an index and adjusting the time range.
    src=<path to the user's workstation> sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  2. In the field sections on the left, click EventDescription.
  3. Look for a value that indicates a connection to the network, then click it to add it to the search.
  4. Add the following command to the search and rerun it:
    |stats count BY dest_ip
    |sort - count
    

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

src=<path to the user's workstation>

Search only connections coming from this user's workstation.

If you don't know the whole path, you can search on the host name first, then examine the src field values to find the path.

sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

Search only Windows Sysmon operational logs.

|stats count BY dest_ip

Count the number of times the individual machine connected to different devices on the network.

|sort - count

Sort the results by the destination with the highest number of connections first.

Result

The table shows all network destinations that the individual connected to during the time range you set.

Option 2

  1. Set the search time range to the time the infection began, if known.
  2. Enter the following search command into the search bar:
    index=<indexname> host=<hostname> sourcetype=winregistry fileshare
    

Search explanation

Here is an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

host=<hostname>

Restrict your search to the known infected host.

sourcetype=winregistry

Search only Windows Registry logs.

fileshare

Search for results with the “fileshare” string.

The string “explorer” can also provide relevant results for this scenario.

Result

The results include a key_path field that provides the IP address of the fileshare on the network. 

You can use this IP address to identify the devices the user connected to and any processes that occurred. This information is useful in determining the scope of the infection.

Next steps

Finally, you might be interested in other processes associated with the Investigating a ransomware attack use case.