Skip to main content
 
 
 
Splunk Lantern

Suspicious domains visited by a user

 

A user has reported ransomware on her machine. You think that it might have been downloaded from a malicious website.

Required data  

Deep packet inspection data

Procedure

This sample search uses Stream DNS data. You can replace this source with any other deep packet inspection data used in your organization.

  1. Run the following search.You can optimize it by specifying an index and adjusting the time range.
    sourcetype=stream:DNS src=<IP address of infected machine> record_type=A
    |table _time query{} src dest
    |reverse
  2. In the field sections on the left, find and click query.
  3. Examine the websites the user visited. 
  4. Decide what domains or other results you can eliminate from your search to make your investigation more efficient. For example, Google and Microsoft websites are probably safe. A Whois search can help you decide what domains to whitelist.
  5. Update the record_type parameter of your search as necessary. For example, to eliminate all microsoft.com and live.com sites, use:
    record_type=A NOT(query{}=*.microsoft.com OR query{}=*.live.com

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

sourcetype=stream:DNS

Search only DNS data from Splunk Stream logs.

src=<IP address of infected machine>

Search logs coming from the infected machine.

Logs vary in the information they contain. Not all logs have hostnames or IP addresses. Sometimes the src field will have a hostname in it but sometimes it will have an IP address. Parentheses and OR statements will broaden your search so you don’t miss anything. 

Example:
(src="192.0.2.0" OR src_ip="192.0.2.0")

Example:
(src="192.0.2.0" OR src="example.com")

record_type=A

Search only DNS A records, which return IPv4 addresses.

|table _time query{} src dest

Display the results in a table with the fields in the order shown.

|reverse

Display the results from oldest to newest.

Next steps

The results show the websites the user visited that might have been the source of the ransomware. Next, you might want to ask the user about the purpose of the suspicious websites and what kind of content they include. If the websites are safe, investigate other possible origins of the problem:

Finally, you might be interested in other processes associated with the Investigating a ransomware attack use case.