Skip to main content
Splunk Lantern

File added to the system through external media

​​​​​​​​A user plugged a USB stick into their machine. You suspect that the files the user downloaded from the USB stick are malicious and want to identify them.

Required data

System log data

Procedure

This sample search uses Sysmon data. You can replace this source with any other system log data used in your organization.

  1. Set the search time range to the date the user inserted the USB stick, if known.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational host=<hostname> (CommandLine="d:\\*" OR ParentCommandLine="d:\\*")
|table _time CommandLine ParentCommandLine
|sort _time

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

Search only Windows Sysmon operational logs.

Sysmon can create many types of logs. As your organization scales, you’ll want to be wise with the kinds of events Sysmon captures. SwiftOnSecurity offers a popular XML configuration file.

(CommandLine="d:\\*" OR ParentCommandLine="d:\\*")

Search for command line and parent command line processes that reference the drive where the USB stick was inserted.

The second backslash is used to escape the backslash in the file path. Without it, your search will not run correctly.

|table _time CommandLine ParentCommandLine

Display only these fields in a table with the columns in the order shown.

|sort _time

Sort the results from oldest to newest.

Next steps

The files found in the results are those downloaded from the USB stick. Look for known suspicious file types. For example, malware authors sometimes use the .dotm Microsoft Word format because of the ability to embed macros and other scripts within it.

Finally, you might be interested in other processes associated with the Investigating a ransomware attack use case.