Skip to main content
Splunk Lantern

Files a user uploaded to a network file share

A user reports a ransomware attack on their machine. The user put a number of files on a network file share after the attack. You need to determine how many PDFs on the file share were encrypted as part of the attack.

Required data

System log data

Procedure  

This sample search uses Windows event logs. You can replace this source with any other system log data used in your organization.

Run the following search.You can optimize it by specifying an index and adjusting the time range.

sourcetype=*win* pdf dest=<hostname of fileshare> Source_address=<IP address of infected system>
|stats dc(TargetFilename)

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

sourcetype=*win* 

Search only Windows event logs.

pdf 

Search for all files of a certain type (.pdf in this example) on the file share.

dest=<hostname of fileshare> 

Search the affected system, in this case, a file share on the network.

Logs vary in the information they contain. Not all logs have hostnames or IP addresses. Sometimes the dest field will have a hostname in it but sometimes it will have an IP address. Parentheses and OR statements will broaden your search so you don’t miss anything. 

Example:
(dest="192.0.2.0" OR dest_ip="192.0.2.0")

Example:
(dest="192.0.2.0" OR dest="example.com")

Source_address=<IP address of infected system>

Search for files that came from the infected system.

|stats dc(TargetFilename)

Provide a distinct count of the number of affected files.

Next steps

Without the stats command, the search returns an event log for each PDF on the file share that was encrypted by the ransomware. The stats command provides a total count. 

Finally, you might be interested in other processes associated with the Investigating a ransomware attack use case.