Splunk Lantern

Executable uploaded to a web server

 

Your web server has been breached by an attacker and you suspect the attacker has uploaded an executable in order to continue the attack. You want to find the executable.

Required data  

Procedure 

This sample search uses Splunk Stream. You can replace this source with any other web server data used in your organization.

  1. Run the following search. You can optimize it by specifying an index and adjusting the time range.
    sourcetype=stream:http dest=<IP address of infected server> *.exe
  2. In the field sections on the left, find and click part_filename{}. Then review the values for any suspicious .exe files.

Stream requires special configuration. If you do not see the fields referenced in this procedure, see the Splunk Stream Installation and Configuration Manual.

  3. When you have identified a suspicious .exe file, verify your findings using other sourcetypes. For example, if you found the suspicious executable example.exe, you might search:
    sourcetype=suricata dest_ip=<IP address of infected server> http_method=POST .exe
  4. In the field sections on the left, find and click fileinfo.filename. Then review the values for the same example.exe executable.

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

| Splunk Search | Explanation |
| --- | --- |
| sourcetype=stream:http | Search only web traffic data from Splunk Stream logs. |
| dest=<IP address of infected server> | Search only the affected server. Logs vary in the information they contain. Not all logs have hostnames or IP addresses. Sometimes the dest field will have a hostname in it but sometimes it will have an IP address. Parentheses and OR statements will broaden your search so you don’t miss anything. Example: (dest="192.0.2.0" OR dest_ip="192.0.2.0") Example: (dest="192.0.2.0" OR dest="example.com") |
| *.exe | Search for executables. |
| http_method=POST | Search for a request pushed to the server. In this case, the request is an upload of an executable. |

Next steps 

The result of this search is an executable that you will likely want to investigate further. Click the name of an executable in the results to add it to the search. Doing so gives you other potentially useful information, such as its source IP address, which you can use to corroborate other findings in your investigation.
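The same triage can be applied offline to exported results. The following is an added example, not part of the original article or of any Splunk tooling: it keeps only events for the affected server, reads the part_filename{} and fileinfo.filename fields instead of relying on the bare *.exe term (which can also match a URI in a download request), and lists the executables reported by both sourcetypes together with their source IP addresses. It assumes a JSON-lines export keyed by Splunk field names; the sample events, the src_ip and uri_path keys, and the function names are constructed for illustration.

```python
import json
from collections import defaultdict

SERVER = "192.0.2.0"  # placeholder address, as in the page's examples

# Constructed sample events (not real logs), one JSON object per line.
# Assumption: results were exported with Splunk field names as keys.
SAMPLE = """\
{"sourcetype":"stream:http","dest":"192.0.2.0","src_ip":"198.51.100.7","http_method":"POST","part_filename{}":"example.exe"}
{"sourcetype":"stream:http","dest":"192.0.2.0","src_ip":"198.51.100.7","http_method":"GET","uri_path":"/files/setup.exe"}
{"sourcetype":"stream:http","dest_ip":"192.0.2.0","src_ip":"203.0.113.9","http_method":"POST","part_filename{}":["logo.png","Tool.EXE"]}
{"sourcetype":"stream:http","dest":"192.0.2.55","src_ip":"203.0.113.9","http_method":"POST","part_filename{}":"other.exe"}
{"sourcetype":"suricata","dest_ip":"192.0.2.0","src_ip":"198.51.100.7","http_method":"POST","fileinfo.filename":"example.exe"}
{"sourcetype":"suricata","dest_ip":"192.0.2.0","src_ip":"198.51.100.7","http_method":"GET","fileinfo.filename":"setup.exe"}
"""

def as_list(value):
    """Splunk exports a multivalue field as a list and a single value as a string."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def find_uploaded_executables(lines, server=SERVER):
    """Map each uploaded .exe name to the sourcetypes and source IPs that reported it."""
    hits = defaultdict(lambda: {"sourcetypes": set(), "src_ips": set()})
    for line in lines:
        ev = json.loads(line)
        # The address may sit in dest or dest_ip depending on the log source.
        if server not in (ev.get("dest"), ev.get("dest_ip")):
            continue
        # The Suricata search on the page is restricted to POST requests.
        if ev["sourcetype"] == "suricata" and ev.get("http_method") != "POST":
            continue
        names = as_list(ev.get("part_filename{}")) + as_list(ev.get("fileinfo.filename"))
        for name in names:
            if name.lower().endswith(".exe"):  # Splunk matching is case-insensitive
                hit = hits[name.lower()]
                hit["sourcetypes"].add(ev["sourcetype"])
                hit["src_ips"].add(ev.get("src_ip"))
    return dict(hits)

def corroborated(hits):
    """Executable names reported by more than one sourcetype."""
    return sorted(name for name, hit in hits.items() if len(hit["sourcetypes"]) > 1)

if __name__ == "__main__":
    found = find_uploaded_executables(SAMPLE.splitlines())
    print(sorted(found), "corroborated:", corroborated(found))
```
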

Finally, you might be interested in other processes associated with these use cases.