Skip to main content
Splunk Lantern

File added to the system through external media

You might need to identify files that were downloaded from removable media, such as a USB stick, when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

A user plugged a USB stick into his machine. You suspect that the files the user downloaded from the USB stick are malicious and want to identify them.

To optimize the search shown below, you should specify an index and a time range. In addition, this sample search uses Sysmon data. You can replace this source with any other system log data used in your organization.

  1. Set the search time range to the date the user inserted the USB stick, if known.
  2. Run the following search:
sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational host=<hostname> (CommandLine="d:\\*" OR ParentCommandLine="d:\\*")
|table _time CommandLine ParentCommandLine
|sort _time

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

Search only Windows Sysmon operational logs.

Sysmon can create many types of logs. As your organization scales, you’ll want to be wise with the kinds of events Sysmon captures. SwiftOnSecurity offers a popular XML configuration file.

(CommandLine="d:\\*" OR ParentCommandLine="d:\\*")

Search for command line and parent command line processes that reference the drive where the USB stick was inserted.

The second backslash is used to escape the backslash in the file path. Without it, your search will not run correctly.

|table _time CommandLine ParentCommandLine

Display only these fields in a table with the columns in the order shown.

|sort _time

Sort the results from oldest to newest.

Result

The files found in the results are those downloaded from the USB stick. Look for known suspicious file types. For example, malware authors sometimes use the .dotm Microsoft Word format because of the ability to embed macros and other scripts within it.

  • Was this article helpful?