Executable uploaded to a web server
Your web server has been breached by an attacker and you suspect the attacker has uploaded an executable in order to continue the attack. You want to find the executable.
Required data
Procedure
This sample search uses Splunk Stream. You can replace this source with any other web server data used in your organization.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype=stream:http dest=<IP address of infected server> *.exe
- In the field sections on the left, find and click part_filename{}. Then review the values for any suspicious .exe files.
Stream requires special configuration. If you do not see the fields referenced in this procedure, see the Splunk Stream Installation and Configuration Manual.
- When you have identified a suspicious .exe file, verify your findings using other sourcetypes. For example, if you found the suspicious executable example.exe, you might search:
sourcetype=suricata dest_ip=<IP address of infected server> http_method=POST .exe
- In the field sections on the left, find and click fileinfo.filename. Then review the values for the same example.exe executable.
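The two searches above are easy to get wrong in small ways (a dest field that holds a hostname instead of an IP, an upload named Updater.EXE that a case-sensitive match misses, a multipart request carrying several part_filename values). The following Python script is an added example, not code from the Splunk documentation or from Splunk Stream: it emulates both searches over constructed Stream-style and Suricata-style events so you can see exactly which rows each step keeps. Only the field names the page references (part_filename, fileinfo.filename, dest, dest_ip, http_method) are taken from the page; src_ip, event_type, uri_path, the IP addresses and the file names are assumptions used to build the sample data.

```python
"""Emulate the 'executable uploaded to a web server' hunt on constructed events.

Added example, not part of the Splunk documentation. Field names dest, dest_ip,
http_method, part_filename and fileinfo.filename follow the page; everything
else (src_ip, event_type, uri_path, addresses, file names) is constructed.
"""

# Constructed stream:http events. part_filename is a list because a multipart
# upload can carry several file parts (the page's part_filename{} field).
STREAM_HTTP_EVENTS = [
    {"src_ip": "203.0.113.10", "dest": "198.51.100.5", "http_method": "POST",
     "uri_path": "/upload.php", "part_filename": ["example.exe"]},
    # Same server, but this event recorded the hostname in dest, not the IP.
    {"src_ip": "203.0.113.10", "dest": "webserver1", "http_method": "POST",
     "uri_path": "/upload.php", "part_filename": ["notes.txt", "Updater.EXE"]},
    {"src_ip": "192.0.2.44", "dest": "198.51.100.5", "http_method": "GET",
     "uri_path": "/index.html", "part_filename": []},
    # An upload to a different server; must not appear in the results.
    {"src_ip": "192.0.2.77", "dest": "198.51.100.9", "http_method": "POST",
     "uri_path": "/upload.php", "part_filename": ["other.exe"]},
]

# Constructed Suricata eve.json-style events used for corroboration.
SURICATA_EVENTS = [
    {"event_type": "fileinfo", "src_ip": "203.0.113.10", "dest_ip": "198.51.100.5",
     "http": {"http_method": "POST"}, "fileinfo": {"filename": "example.exe"}},
    {"event_type": "fileinfo", "src_ip": "192.0.2.44", "dest_ip": "198.51.100.5",
     "http": {"http_method": "GET"}, "fileinfo": {"filename": "index.html"}},
]

SUSPECT_EXTENSIONS = (".exe",)


def is_executable_name(name):
    """Case-insensitive equivalent of the *.exe term: Updater.EXE must match."""
    return name.lower().endswith(SUSPECT_EXTENSIONS)


def find_uploaded_executables(events, server_ids):
    """Step 1: sourcetype=stream:http dest=<server> *.exe, then read part_filename{}.

    server_ids is the set of identifiers the affected server may appear under
    (IP address and hostname), which is what the (dest=... OR dest=...) form
    of the search achieves.
    """
    hits = []
    for ev in events:
        if ev.get("dest") not in server_ids:
            continue
        for name in ev.get("part_filename", []):
            if is_executable_name(name):
                hits.append((name, ev["src_ip"], ev.get("http_method"), ev.get("uri_path")))
    return hits


def corroborate_with_suricata(filename, events, server_ids):
    """Step 2: sourcetype=suricata dest_ip=<server> http_method=POST, then fileinfo.filename.

    Returns the sorted source addresses that POSTed a file of that name.
    """
    sources = set()
    for ev in events:
        if ev.get("event_type") != "fileinfo":
            continue
        if ev.get("dest_ip") not in server_ids:
            continue
        if ev.get("http", {}).get("http_method") != "POST":
            continue
        if ev.get("fileinfo", {}).get("filename", "").lower() == filename.lower():
            sources.add(ev["src_ip"])
    return sorted(sources)


def hunt(server_ids, stream_events=STREAM_HTTP_EVENTS, suricata_events=SURICATA_EVENTS):
    """Run both steps and report, per executable name, who uploaded it in each source."""
    report = {}
    for name, src, _method, _path in find_uploaded_executables(stream_events, server_ids):
        entry = report.setdefault(name, {"stream_sources": set(), "suricata_sources": []})
        entry["stream_sources"].add(src)
        entry["suricata_sources"] = corroborate_with_suricata(name, suricata_events, server_ids)
    return {name: {"stream_sources": sorted(v["stream_sources"]),
                   "suricata_sources": v["suricata_sources"]}
            for name, v in report.items()}


if __name__ == "__main__":
    # Searching by IP only misses Updater.EXE; adding the hostname finds it.
    print(hunt({"198.51.100.5"}))
    print(hunt({"198.51.100.5", "webserver1"}))
```

Running the script shows the point of the page's caveat on dest: with only the IP address in server_ids the hunt returns example.exe alone, and Updater.EXE appears only once the hostname is included. It also shows why the second search is worth running: example.exe is corroborated by a Suricata fileinfo event from the same source, while Updater.EXE has no Suricata record at all, which is itself something to look into (capture gap, or traffic Suricata did not parse).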
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
Splunk Search | Explanation |
---|---|
sourcetype=stream:http | Search only web traffic data from Splunk Stream logs. |
sourcetype=suricata | Search only Suricata events. Used in the second search to corroborate what the Stream search found. |
dest=<IP address of infected server> | Search only the affected server (the Suricata search uses dest_ip for the same purpose). Logs vary in the information they contain. Not all logs have hostnames or IP addresses; sometimes the dest field holds a hostname and sometimes an IP address. Parentheses and OR statements broaden the search so you don't miss events recorded under either form. Example: (dest=<IP address of infected server> OR dest=<hostname of infected server>) |
*.exe | Search for executables. |
http_method=POST | Search only for requests pushed to the server. In this case, the request is the upload of an executable. |
Next steps
The result of this search is an executable that you will likely want to investigate further. Click the name of an executable in the results to add it to the search; the narrowed results give you other potentially useful information, such as the source IP address that uploaded it. You can use that to corroborate other findings in your investigation.
Finally, you might be interested in other processes associated with these use cases.