Splunk Lantern

MD5 hash of an uploaded file

You might need to investigate whether files or executables were uploaded to a web server when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example 

A suspicious executable has been uploaded to your web server. You want to find the MD5 hash of the executable so you can investigate further.

To optimize the search shown below, you should specify an index and a time range.

  1. Run the following search:
<name of executable> sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 CommandLine="<name of executable>"
|stats values(MD5)

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

<name of executable>

Search for the executable.

sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

Search Sysmon operational logs.

Sysmon can create many types of logs. As your organization scales, you’ll want to be selective about the kinds of events Sysmon captures. SwiftOnSecurity offers a popular XML configuration file.

EventCode=1 

Search for process creation events. The MD5 hash is captured when the process launches.

CommandLine="<name of executable>"

Search for the process creation event whose command line is the uploaded executable.

|stats values(MD5)

Show values for the MD5 field.

Result

If different versions of the executable have been compiled, you might get several MD5 values. Use whitelisting to remove known good hashes and then continue your investigation with what remains. You can also use open source intelligence (OSINT) to find additional metadata for the MD5 hash that can help your investigation.
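To see what the search above does to the raw Sysmon data, here is an added Python example (not from Splunk Lantern or the Splunk Sysmon add-on) that parses Sysmon event XML, keeps only EventID 1 records whose CommandLine contains the executable, pulls the MD5 out of the Hashes field (the value Splunk exposes as the MD5 field), and then drops whitelisted hashes as described in the Result section. The events, paths and hash values are constructed, and the CommandLine filter is assumed to be a case-insensitive substring match.

```python
import xml.etree.ElementTree as ET
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}  # Windows event XML namespace

def sysmon_event(event_id, fields):
    """Build a minimal Sysmon XML event (constructed for this example, not real telemetry)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{data}</EventData></Event>')

def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) for one Sysmon event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def md5_from_hashes(hashes_field):
    """Sysmon writes 'MD5=...,SHA256=...,IMPHASH=...'; the MD5 part is what Splunk shows as MD5."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "MD5" and value.strip():
            return value.strip().lower()
    return None

def md5_values(events, executable):
    """Mirror of: EventCode=1 CommandLine="<executable>" | stats values(MD5).
    Assumption: the CommandLine filter is a case-insensitive substring match."""
    found = set()
    for xml_text in events:
        event_id, data = parse_event(xml_text)
        if event_id != 1:  # only process creation events carry the hash
            continue
        if executable.lower() not in data.get("CommandLine", "").lower():
            continue
        md5 = md5_from_hashes(data.get("Hashes", ""))
        if md5:
            found.add(md5)
    return sorted(found)

def unknown_hashes(events, executable, known_good):
    """Drop whitelisted (known good) hashes; what remains is what you investigate."""
    return [h for h in md5_values(events, executable) if h not in known_good]

EXE = r"C:\inetpub\wwwroot\uploads\update.exe"  # constructed path
SAMPLE_EVENTS = [  # constructed: two builds of the upload, one unrelated process, one network event
    sysmon_event(1, {"CommandLine": f'"{EXE}" /s', "Hashes": "MD5=0123456789ABCDEF0123456789ABCDEF,SHA256=x"}),
    sysmon_event(1, {"CommandLine": f'"{EXE}" /s', "Hashes": "MD5=fedcba9876543210fedcba9876543210,SHA256=x"}),
    sysmon_event(1, {"CommandLine": "notepad.exe report.txt", "Hashes": "MD5=00000000000000000000000000000000"}),
    sysmon_event(3, {"Image": EXE, "DestinationIp": "203.0.113.10"}),
]
```

Calling `md5_values(SAMPLE_EVENTS, "update.exe")` returns both builds' hashes, and `unknown_hashes` with the first one whitelisted leaves only the second for investigation.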
