File downloaded to a machine from a website
A user’s system has been infected with ransomware. You suspect that the source was a file the user downloaded from a suspicious website.
Required data
Procedure
This sample search uses Stream HTTP data. You can replace this source with any other network communication data used in your organization, as long as it records the client address, the server address, and the requested URL (web proxy logs, for example).
Run the following search, replacing `<IP address of infected machine>` with the address of the infected host. You can optimize it by specifying an index and adjusting the time range to the period just before the infection.
sourcetype=stream:http src=<IP address of infected machine> | stats count values(url) BY dest
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| `sourcetype=stream:http` | Search only web traffic data from Splunk Stream logs. |
| `src=<IP address of infected machine>` | Search only events whose source is the infected machine. |
| `\| stats count values(url) BY dest` | Return all distinct URLs the machine visited, grouped by destination IP address, with a count of requests to each destination. |
Next steps
The results list every URL the infected machine requested, grouped by destination IP address. URLs whose path ends in an executable, script, or archive file name are candidates for the file that was downloaded to the user's machine. If you see the same suspicious file associated with the same domains across multiple log source types, you can have a fair amount of confidence that it's the file you want. However, you should also take the following steps:
- Research suspicious file names to see if they have been reported elsewhere.
- Corroborate your findings using other source types, such as endpoint or proxy logs.
- Research key attributes such as the file name and the domains involved. Many security firms blog about popular implementations of ransomware or malware.
When you know more about the file, you can determine the appropriate steps to take.
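The following Python script is an added example, not part of this page or of Splunk Stream itself. It re-creates the `stats count values(url) BY dest` search offline over a handful of constructed Stream HTTP events and then applies the triage from the steps above, flagging URLs whose path ends in an executable, script, or archive name and marking double extensions such as `.pdf.exe`. The events, IP addresses, and domains are made up, and the field names (`src`, `dest`, `url`) are the ones the search uses; real Stream events carry many more fields.

```python
"""Offline re-creation of the search

    sourcetype=stream:http src=<IP> | stats count values(url) BY dest

plus a triage pass over the returned URLs. Added example with constructed
data; nothing here is taken from a real capture.
"""
import json
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample events, one JSON object per line, in the shape Splunk
# would index them (only the fields the search needs are present).
SAMPLE_JSON = """\
{"sourcetype": "stream:http", "src": "10.0.0.25", "dest": "203.0.113.10", "url": "http://example-downloads.invalid/files/invoice_2024.pdf.exe"}
{"sourcetype": "stream:http", "src": "10.0.0.25", "dest": "203.0.113.10", "url": "http://example-downloads.invalid/files/invoice_2024.pdf.exe"}
{"sourcetype": "stream:http", "src": "10.0.0.25", "dest": "203.0.113.10", "url": "http://example-downloads.invalid/index.html"}
{"sourcetype": "stream:http", "src": "10.0.0.25", "dest": "198.51.100.7", "url": "http://cdn.example.invalid/lib/jquery.min.js"}
{"sourcetype": "stream:http", "src": "10.0.0.30", "dest": "203.0.113.10", "url": "http://example-downloads.invalid/files/setup.zip"}
{"sourcetype": "stream:dns", "src": "10.0.0.25", "dest": "10.0.0.1", "url": ""}
"""

# Extensions commonly used by droppers and installers (assumed list for the
# example; tune it to what your environment allows users to download).
DOWNLOAD_SUFFIXES = (".exe", ".dll", ".scr", ".js", ".vbs", ".hta", ".zip",
                     ".rar", ".7z", ".iso", ".msi", ".jar")
# Document/image extensions that attackers put in front of a real executable
# extension to disguise it ("invoice.pdf.exe").
DOC_SUFFIXES = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt")


def load_events(text):
    """Parse newline-delimited JSON events into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def stats_by_dest(events, src, sourcetype="stream:http"):
    """Emulate `sourcetype=<sourcetype> src=<src> | stats count values(url) BY dest`.

    Returns {dest: {"count": n, "values(url)": [...]}}. count counts every
    matching event for that dest; values(url) is the distinct non-empty URLs
    in lexicographic order, which is how Splunk's values() orders them.
    """
    counts = defaultdict(int)
    urls = defaultdict(set)
    for ev in events:
        if ev.get("sourcetype") != sourcetype or ev.get("src") != src:
            continue
        dest = ev.get("dest")
        counts[dest] += 1
        if ev.get("url"):
            urls[dest].add(ev["url"])
    return {d: {"count": counts[d], "values(url)": sorted(urls[d])}
            for d in sorted(counts)}


def flag_download_urls(table, suffixes=DOWNLOAD_SUFFIXES):
    """Pick out URLs from the stats table whose path ends in a download-like
    extension. double_extension is True when the name also carries a document
    extension just before the real one (the ".pdf.exe" trick)."""
    hits = []
    for dest, row in table.items():
        for url in row["values(url)"]:
            filename = urlparse(url).path.rsplit("/", 1)[-1]
            lower = filename.lower()
            if not lower.endswith(suffixes):
                continue
            stem = lower.rsplit(".", 1)[0]
            hits.append({
                "dest": dest,
                "url": url,
                "filename": filename,
                "double_extension": stem.endswith(DOC_SUFFIXES),
            })
    return hits


if __name__ == "__main__":
    table = stats_by_dest(load_events(SAMPLE_JSON), "10.0.0.25")
    for dest, row in table.items():
        print(dest, row["count"], row["values(url)"])
    for hit in flag_download_urls(table):
        print("candidate:", hit["filename"], "from", hit["dest"],
              "(double extension)" if hit["double_extension"] else "")
```

Note that the flagging pass is only a first cut: a library such as `jquery.min.js` is listed alongside the disguised `invoice_2024.pdf.exe`, which is exactly why the file name and destination still have to be corroborated against other source types before acting on them.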
Finally, you might be interested in other processes associated with the Investigating a ransomware attack use case.