A user on your network reports that his machine has been infected with malware. You need to know whether the user's machine connected to a file server during the infection, to understand the possible scope of the infection.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
src=<path to the user's workstation> sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
- In the field sections on the left, click EventDescription.
- Look for a value that indicates a connection to the network, then click it to add it to the search.
- Add the following command to the search and rerun it:
|stats count BY dest_ip |sort - count
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

| Splunk search | Explanation |
|---|---|
| `src=<path to the user's workstation>` | Search only connections coming from this user's workstation. If you don't know the whole path, you can search on the host name first, then examine the src field values to find the path. |
| `sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational` | Search only Windows Sysmon operational logs. |
| `\|stats count BY dest_ip` | Count the number of times the individual machine connected to different devices on the network. |
| `\|sort - count` | Sort the results by the destination with the highest number of connections first. |

The table shows all network destinations that the individual connected to during the time range you set.
- Set the search time range to the time the infection began, if known.
- Enter the following search command into the search bar:
index=<indexname> host=<hostname> sourcetype=winregistry fileshare
Here is an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

| Splunk search | Explanation |
|---|---|
| `index=<indexname> host=<hostname>` | Restrict your search to the known infected host. |
| `sourcetype=winregistry` | Search only Windows Registry logs. |
| `fileshare` | Search for results with the "fileshare" string. |
The string “explorer” can also provide relevant results for this scenario.
The results include a key_path field that provides the IP address of the fileshare on the network.
You can use this IP address to identify the devices the user connected to and any processes that occurred. This information is useful in determining the scope of the infection.
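As an added illustration that is not part of this use case's own searches, the following Python reproduces both steps offline: it parses constructed Sysmon Operational XML events, keeps only Sysmon Event ID 3 (Network connection detected) from the workstation, and counts destinations the way `stats count BY dest_ip | sort - count` does, then pulls the file-share IP out of constructed winregistry key_path values. The event layout, the MountPoints2-style key path and every IP address are constructed samples, and the `SourceIp` field stands in for the search's src value.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

def sysmon_event(event_id, **data):
    """Build a minimal Sysmon Operational XML event (constructed sample, not a real log)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return f"<Event><System><EventID>{event_id}</EventID></System><EventData>{body}</EventData></Event>"

# Sysmon Event ID 3 is "Network connection detected"; Event ID 1 is process creation.
SYSMON_EVENTS = [
    sysmon_event(3, SourceIp="10.0.0.25", DestinationIp="10.0.0.5", DestinationPort=445),
    sysmon_event(3, SourceIp="10.0.0.25", DestinationIp="10.0.0.5", DestinationPort=445),
    sysmon_event(3, SourceIp="10.0.0.25", DestinationIp="203.0.113.9", DestinationPort=443),
    sysmon_event(3, SourceIp="10.0.0.77", DestinationIp="10.0.0.5", DestinationPort=445),  # other host
    sysmon_event(1, Image=r"C:\Windows\explorer.exe"),  # process creation, not a connection
]

def parse_event(xml_text):
    """Flatten one Sysmon XML event into {"EventID": ..., <Data Name>: value, ...}."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext("./System/EventID")}
    for data in root.iterfind("./EventData/Data"):
        fields[data.get("Name")] = data.text
    return fields

def dest_ip_counts(xml_events, src_ip):
    """Offline equivalent of: src=<workstation> EventID=3 | stats count BY dest_ip | sort - count."""
    counts = Counter()
    for raw in xml_events:
        ev = parse_event(raw)
        if ev["EventID"] == "3" and ev.get("SourceIp") == src_ip:
            counts[ev["DestinationIp"]] += 1
    return counts.most_common()  # [(dest_ip, count), ...] with the busiest destination first

# Constructed winregistry key_path values; MountPoints2 records mapped shares as ##server#share.
REGISTRY_KEY_PATHS = [
    r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##10.0.0.5#fileshare",
    r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def fileshare_ips(key_paths):
    """Extract the file-share IP from registry key paths that contain the 'fileshare' string."""
    return sorted({m.group() for p in key_paths if "fileshare" in p.lower()
                   for m in IP_RE.finditer(p)})
```

The IP that `fileshare_ips` returns is the one you would then pivot on to list every host that touched the same share.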
Finally, you might be interested in other processes associated with the Investigating a ransomware attack use case.