Splunk Lantern

Executable uploaded to a web server

You might need to investigate whether files or executables were uploaded to a web server when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example 

Your web server has been breached by an attacker and you suspect the attacker has uploaded an executable in order to continue the attack. You want to find the executable.

To optimize the search shown below, you should specify an index and a time range. In addition, this sample search uses Splunk Stream. You can replace this source with any other web server data used in your organization.

  1. Run the following search:
    sourcetype=stream:http dest=<IP address of infected server> *.exe
  2. In the field sections on the left, find and click part_filename{}. Then review the values for any suspicious .exe files.

Stream requires special configuration. If you do not see the fields referenced in this procedure, see the Splunk Stream Installation and Configuration Manual on the Splunk documentation site.

  3. When you have identified a suspicious .exe file, verify your findings using other sourcetypes. For example, if you found the suspicious executable example.exe, you might search:
    sourcetype=suricata dest_ip=<IP address of infected server> http_method=POST *.exe
  4. In the field sections on the left, find and click fileinfo.filename. Then review the values for the same example.exe executable.
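The two-stage check above (find uploaded .exe parts in Stream data, then corroborate the same filename in Suricata fileinfo records for POST requests) implemented in Python over constructed sample events, so it can be run offline. This is an added example, not code from the Splunk Lantern page or from Splunk. The server address, source IPs, paths and filenames are invented; the field names follow Splunk Stream (part_filename{}, dest_ip, http_method, uri_path) and Suricata eve.json (fileinfo.filename, fileinfo.magic, http.http_method). It goes one step beyond the procedure: where Suricata records file magic, it also flags POSTed files whose content is a PE executable but whose name is not *.exe, which the filename-based search would miss.

```python
import json
from collections import defaultdict

# Assumed address of the breached web server (stands in for the placeholder above).
INFECTED_SERVER = "192.0.2.10"

# Constructed sample events, one JSON object per line, using Splunk Stream
# (sourcetype=stream:http) field names. Hosts, IPs, paths and names are invented.
STREAM_HTTP_EVENTS = [
    '{"src_ip":"198.51.100.7","dest_ip":"192.0.2.10","http_method":"POST","uri_path":"/upload.php","part_filename":["invoice.pdf"]}',
    '{"src_ip":"198.51.100.23","dest_ip":"192.0.2.10","http_method":"POST","uri_path":"/upload.php","part_filename":["example.exe"]}',
    '{"src_ip":"198.51.100.23","dest_ip":"192.0.2.10","http_method":"POST","uri_path":"/upload.php","part_filename":["notes.txt","Shell.EXE"]}',
    '{"src_ip":"203.0.113.5","dest_ip":"192.0.2.10","http_method":"GET","uri_path":"/static/setup.exe"}',
    '{"src_ip":"198.51.100.23","dest_ip":"192.0.2.20","http_method":"POST","uri_path":"/upload.php","part_filename":["tools.exe"]}',
]

# Constructed Suricata eve.json records. Splunk's Suricata add-on flattens the nested
# keys, so http.http_method is searched as http_method and fileinfo.filename keeps its
# name. fileinfo.magic is only present when file magic is enabled in suricata.yaml.
SURICATA_EVENTS = [
    '{"event_type":"fileinfo","src_ip":"198.51.100.23","dest_ip":"192.0.2.10","http":{"http_method":"POST","url":"/upload.php"},"fileinfo":{"filename":"example.exe","magic":"PE32 executable (GUI) Intel 80386, for MS Windows","size":73728}}',
    '{"event_type":"fileinfo","src_ip":"198.51.100.23","dest_ip":"192.0.2.10","http":{"http_method":"POST","url":"/upload.php"},"fileinfo":{"filename":"photo.jpg","magic":"PE32 executable (GUI) Intel 80386, for MS Windows","size":73728}}',
    '{"event_type":"fileinfo","src_ip":"203.0.113.5","dest_ip":"192.0.2.10","http":{"http_method":"GET","url":"/static/setup.exe"},"fileinfo":{"filename":"/static/setup.exe","magic":"PE32 executable (GUI) Intel 80386, for MS Windows","size":1048576}}',
    '{"event_type":"http","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","http":{"http_method":"POST","url":"/upload.php"}}',
]


def is_exe_name(name):
    """Match *.exe the way the Splunk search does: by extension, case-insensitively."""
    return isinstance(name, str) and name.lower().endswith(".exe")


def stream_exe_uploads(events, dest):
    """Steps 1-2: stream:http events to the server with an uploaded part named *.exe.
    A GET for /static/setup.exe has no part_filename{} and is not an upload."""
    hits = []
    for raw in events:
        ev = json.loads(raw)
        if ev.get("dest_ip") != dest:
            continue
        # part_filename{} is multivalued: one entry per multipart form part.
        for name in ev.get("part_filename", []):
            if is_exe_name(name):
                hits.append({"filename": name, "src_ip": ev["src_ip"],
                             "method": ev.get("http_method"), "uri": ev.get("uri_path")})
    return hits


def suricata_exe_posts(events, dest):
    """Steps 3-4: Suricata fileinfo records for POSTs to the server carrying a *.exe file."""
    hits = []
    for raw in events:
        ev = json.loads(raw)
        if ev.get("event_type") != "fileinfo" or ev.get("dest_ip") != dest:
            continue
        if ev.get("http", {}).get("http_method") != "POST":
            continue
        name = ev.get("fileinfo", {}).get("filename", "")
        if is_exe_name(name):
            hits.append({"filename": name.rsplit("/", 1)[-1], "src_ip": ev["src_ip"],
                         "magic": ev["fileinfo"].get("magic")})
    return hits


def renamed_pe_uploads(events, dest):
    """Caveat: an attacker can upload a PE under a harmless name. When Suricata records
    file magic, catch POSTed files whose magic says PE but whose name is not *.exe."""
    hits = []
    for raw in events:
        ev = json.loads(raw)
        if ev.get("event_type") != "fileinfo" or ev.get("dest_ip") != dest:
            continue
        if ev.get("http", {}).get("http_method") != "POST":
            continue
        info = ev.get("fileinfo", {})
        magic = info.get("magic") or ""
        if magic.startswith("PE32") and not is_exe_name(info.get("filename")):
            hits.append({"filename": info.get("filename"), "src_ip": ev["src_ip"], "magic": magic})
    return hits


def corroborate(stream_hits, suricata_hits):
    """Join the two sourcetypes on filename (case-insensitive). A file seen in both is
    the strongest lead; the merged src_ip set is what you pivot on next."""
    seen = defaultdict(lambda: {"sourcetypes": set(), "src_ips": set()})
    for label, hits in (("stream:http", stream_hits), ("suricata", suricata_hits)):
        for h in hits:
            entry = seen[h["filename"].lower()]
            entry["sourcetypes"].add(label)
            entry["src_ips"].add(h["src_ip"])
    return {name: e for name, e in seen.items() if len(e["sourcetypes"]) == 2}


if __name__ == "__main__":
    s = stream_exe_uploads(STREAM_HTTP_EVENTS, INFECTED_SERVER)
    u = suricata_exe_posts(SURICATA_EVENTS, INFECTED_SERVER)
    for name, e in corroborate(s, u).items():
        print(f"corroborated upload: {name} from {sorted(e['src_ips'])}")
    for h in renamed_pe_uploads(SURICATA_EVENTS, INFECTED_SERVER):
        print(f"PE uploaded under non-exe name: {h['filename']} from {h['src_ip']}")
```

On the sample data, example.exe is the only file seen in both sourcetypes, and both sightings come from the same source IP, which is the pivot the Result section below describes. Shell.EXE appears only in Stream data, and photo.jpg is reported only because its magic says PE32; neither search in the procedure would surface the latter, so enable Suricata file magic (or file extraction) if you need to catch renamed uploads.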

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk search / Explanation

sourcetype=stream:http 

Search only web traffic data from Splunk Stream logs.

dest=<IP address of infected server>

Search only the affected server.

Logs vary in the information they contain. Not all logs have hostnames or IP addresses, and different sourcetypes name the field differently: sometimes the dest field holds a hostname and sometimes an IP address, and some sourcetypes use dest_ip instead of dest. Wrapping the alternatives in parentheses joined with OR broadens the search so you don't miss events that record the server a different way.

Example:
(dest="192.0.2.0" OR dest_ip="192.0.2.0")

Example:
(dest="192.0.2.0" OR dest="example.com")

*.exe

Search for executables.

http_method=POST

Search only for requests that push data to the server. In this case, the request is the upload of an executable. POST is the method most upload forms and APIs use, but some applications accept uploads over PUT, so widen this to (http_method=POST OR http_method=PUT) if you are not sure how the affected application receives files.

Result

The result of this search is an executable that you will likely want to investigate further. Click the name of the executable in the results to add it to the search; the narrowed results give you other potentially useful information, such as the source IP address that uploaded it, which you can use to corroborate other findings in your investigation.
