Skip to main content
Splunk Lantern

Files that belong to a network user

​​​​​​​​A user reports a ransomware attack on their machine. You need to determine how many text files were encrypted as part of the attack.

Required data

System log data

Procedure  

This sample search uses Sysmon data. You can replace this source with any other system log data used in your organization.

Run the following search.You can optimize it by specifying an index and adjusting the time range.

host=<hostname> sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=2 TargetFilename="C:\\Users\\<username>\\<domain>\\*.txt"
|stats dc(TargetFilename)

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

host=<hostname> 

Restrict your search to the known infected host.

sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 

Search only Windows Sysmon operational logs.

Sysmon can create many types of logs. As your organization scales, you’ll want to be wise with the kinds of events Sysmon captures. SwiftOnSecurity offers a popular XML configuration file.

EventCode=2 

Search for a file creation time that was modified by a process in Sysmon data.

Attackers might change the file creation time of a backdoor to make it look like it was installed with the operating system. However, many processes legitimately change the creation time of a file, so this does not necessarily indicate malicious activity.

TargetFilename="C:\\Users\\<location>\\*.txt"

Search for all files of a certain type (.txt in this example) that belong to the user.

Example: TargetFilename="C:\\Users\\bob.smith.WAYNECORPINC\\*.txt"

The second backslash is used to escape the backslash in the file path. Without it, your search will not run correctly.

|stats dc(TargetFilename)

Provide a distinct count of the number of affected files.

Next steps

Without the stats command, the search returns an event log for each text file encrypted by the ransomware. The stats command provides a total count. 

Finally, you might be interested in other processes associated with the Investigating a ransomware attack use case.