File added to the system through external media
A user plugged a USB stick into their machine. You suspect that the files the user downloaded from the USB stick are malicious and want to identify them.
Required data
Procedure
This sample search uses Sysmon data. You can replace this source with any other change events data used in your organization.
- Set the search time range to the date the user inserted the USB stick, if known.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational host=<hostname> (CommandLine="d:\\*" OR ParentCommandLine="d:\\*") |table _time CommandLine ParentCommandLine |sort _time
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
|
|
Search only Windows Sysmon operational logs. Sysmon can create many types of logs. As your organization scales, you’ll want to be wise with the kinds of events Sysmon captures. SwiftOnSecurity offers a popular XML configuration file. |
|
|
Search for command line and parent command line processes that reference the drive where the USB stick was inserted. The second backslash is used to escape the backslash in the file path. Without it, your search will not run correctly. |
|
|
Display only these fields in a table with the columns in the order shown. |
|
|
Sort the results from oldest to newest. |
Next steps
The files found in the results are those downloaded from the USB stick. Look for known suspicious file types. For example, malware authors sometimes use the .dotm Microsoft Word format because of the ability to embed macros and other scripts within it.
Finally, you might be interested in other processes associated with the Investigating a ransomware attack use case.