Splunk Lantern

Files that belong to a network user

You might need to find all files of a certain type that belong to a user on your network when doing the following:

Prerequisites

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example 

A user reports a ransomware attack on their machine. You need to determine how many of their text files were encrypted as part of the attack.

To optimize the search shown below, you should specify an index and a time range. In addition, this sample search uses Sysmon data. You can replace this source with any other system log data used in your organization.

  1. Run the following search:
host=<hostname> sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=2 TargetFilename="C:\\Users\\<username>\\<domain>\\*.txt"
|stats dc(TargetFilename)

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search | Explanation

host=<hostname>

Restrict your search to the known infected host.

sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Search only Windows Sysmon operational logs.

Sysmon can create many types of logs. As your organization scales, you'll want to be selective about which events Sysmon captures. SwiftOnSecurity offers a popular XML configuration file.

EventCode=2

Search for Sysmon event ID 2, which records a process changing the creation time of a file.

Attackers might change the file creation time of a backdoor to make it look like it was installed with the operating system. However, many processes legitimately change the creation time of a file, so this does not necessarily indicate malicious activity.

TargetFilename="C:\\Users\\<location>\\*.txt"

Search for all files of a certain type (.txt in this example) that belong to the user.

Example: TargetFilename="C:\\Users\\bob.smith.WAYNECORPINC\\*.txt"

Each backslash in the path is doubled because a single backslash is treated as an escape character in the search string; the second backslash escapes the first so that it is matched literally. Without it, your search will not run correctly.

|stats dc(TargetFilename)

Provide a distinct count of the number of affected files.

Result

Without the stats command, the search returns an event log for each text file encrypted by the ransomware. The stats command provides a total count.
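To make the filtering and counting logic concrete outside of Splunk, the following Python script replays the same search over a handful of constructed Sysmon XML events: it keeps only event ID 2 records from the infected host whose TargetFilename matches the user's .txt wildcard, then distinct-counts the file names the way stats dc(TargetFilename) does. This is an added example, not code from Splunk Lantern or from Splunk itself; the host name, user folder, file paths and process image are all invented. Note that the Python pattern uses single backslashes (a raw string), whereas the Splunk search string needs them doubled.

```python
"""Replay the Lantern Sysmon search over constructed XML events (added example)."""
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Namespace used by Windows XML event logs, which Sysmon events share.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event(event_id: int, computer: str, target: str, image: str) -> str:
    """Build a minimal XmlWinEventLog-style Sysmon event (constructed sample)."""
    return (
        "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
        f"<System><Provider Name='Microsoft-Windows-Sysmon'/><EventID>{event_id}</EventID>"
        f"<Computer>{computer}</Computer></System>"
        f"<EventData><Data Name='Image'>{image}</Data>"
        f"<Data Name='TargetFilename'>{target}</Data></EventData></Event>"
    )


# Hypothetical host, user profile folder and process image (all constructed).
HOST = "WS01.waynecorp.local"
PROFILE = r"C:\Users\bob.smith.WAYNECORPINC"
IMAGE = PROFILE + r"\AppData\Local\Temp\unknown.exe"

SAMPLE_EVENTS = [
    _event(2, HOST, PROFILE + r"\Documents\notes.txt", IMAGE),   # matches
    _event(2, HOST, PROFILE + r"\Documents\notes.txt", IMAGE),   # same file again
    _event(2, HOST, PROFILE + r"\Desktop\todo.txt", IMAGE),      # matches
    _event(2, HOST, PROFILE + r"\Documents\report.docx", IMAGE), # wrong extension
    _event(2, HOST, r"C:\Users\alice.WAYNECORPINC\Desktop\readme.txt", IMAGE),  # other user
    _event(11, HOST, PROFILE + r"\Desktop\new.txt", IMAGE),      # event ID 11, not 2
    _event(2, "WS02.waynecorp.local", PROFILE + r"\Desktop\other.txt", IMAGE),  # other host
]


def parse_event(xml_text: str) -> dict:
    """Flatten one Sysmon XML event into a dict of the fields the search uses."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {
        "host": system.find("e:Computer", NS).text,
        "EventCode": int(system.find("e:EventID", NS).text),
    }
    # Every <Data Name='...'> child of EventData becomes a field.
    for data in root.find("e:EventData", NS):
        fields[data.get("Name")] = data.text or ""
    return fields


def search(raw_events, host: str, target_pattern: str, event_code: int = 2):
    """Equivalent of: host=<host> EventCode=<event_code> TargetFilename=<pattern>.

    Splunk's field-value match is case-insensitive and '*' spans directory
    separators; fnmatchcase on lower-cased strings reproduces both.
    """
    pattern = target_pattern.lower()
    hits = []
    for raw in raw_events:
        event = parse_event(raw)
        if event["host"] != host or event["EventCode"] != event_code:
            continue
        if fnmatchcase(event.get("TargetFilename", "").lower(), pattern):
            hits.append(event)
    return hits  # one row per event, like the search without | stats


def distinct_count(hits) -> int:
    """Equivalent of: | stats dc(TargetFilename)."""
    return len({event["TargetFilename"] for event in hits})


if __name__ == "__main__":
    hits = search(SAMPLE_EVENTS, HOST, PROFILE + r"\*.txt")
    for event in hits:
        print(event["TargetFilename"], "<-", event["Image"])
    print("distinct files:", distinct_count(hits))
```

The duplicate notes.txt event is why the page reaches for dc() rather than count(): a process may touch the same file more than once, and the question is how many files were affected, not how many events fired. Keeping the Image field on each hit gives the investigator the process to pivot on next.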
