You might need to identify files that were downloaded from removable media, such as a USB stick, when doing the following:
Prerequisites
In order to execute this procedure in your environment, the following data, services, or apps are required:
Example
A user plugged a USB stick into his machine. You suspect that the files the user downloaded from the USB stick are malicious and want to identify them.
NOTE: To optimize the search shown below, you should specify an index and a time range. In addition, this sample search uses Sysmon data. You can replace this source with any other operating system event data used in your organization.
- Set the search time range to the date the user inserted the USB stick, if known.
- Run the following search:
sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational host=<hostname> (CommandLine="d:\\*" OR ParentCommandLine="d:\\*")
|table _time CommandLine ParentCommandLine
|sort _time
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
| --- | --- |
| sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational | Search only Windows Sysmon operational logs. Tip: Sysmon can create many types of logs. As your organization scales, you'll want to be selective about which kinds of events Sysmon captures. SwiftOnSecurity offers a popular XML configuration file. |
| (CommandLine="d:\\*" OR ParentCommandLine="d:\\*") | Search for command line and parent command line processes that reference the drive where the USB stick was inserted. Note: The second backslash escapes the first so that the search matches a literal backslash in the file path. Without it, your search will not run correctly. |
| \|table _time CommandLine ParentCommandLine | Display only these fields in a table, with the columns in the order shown. |
| \|sort _time | Sort the results from oldest to newest. |
Result
The files that appear in the results are those that came from the USB stick. Look for known suspicious file types. For example, malware authors sometimes use the .dotm Microsoft Word template format because it can embed macros and other scripts.
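The following Python script is an added example and is not part of the original page or Splunk's own tooling. It replays the logic of the search above offline: it parses Sysmon process-creation events in the XmlWinEventLog layout, keeps those whose CommandLine or ParentCommandLine references the USB drive, restricts to one host if asked, sorts oldest to newest, and then applies the file-type check from the Result section. It goes beyond the page in two ways: the drive letter is a parameter (a USB stick is not always D:), and it matches a drive path anywhere in the command line, including quoted paths and arguments, so a document opened from the stick is caught as well as a program launched from it. The sample events, hosts, times and paths are constructed for the example, and the extension watchlist beyond .dotm is an assumption.

```python
"""Added example, not from the page: replay the Sysmon USB-drive search offline."""
import ntpath
import re
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The page singles out .dotm; the other extensions are a watchlist assumed here.
WATCHLIST_EXTENSIONS = {".dotm", ".docm", ".xlsm", ".exe", ".scr", ".vbs", ".js", ".hta", ".lnk", ".ps1"}

# Constructed Sysmon EventID 1 records in the XmlWinEventLog layout.
# Hosts, times and paths are made up for this example.
SAMPLE_EVENTS = [
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID>'
    '<Computer>WS01</Computer></System><EventData><Data Name="UtcTime">2024-03-04 10:15:02.123</Data>'
    '<Data Name="CommandLine">"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" /n '
    '"D:\\invoice_template.dotm"</Data><Data Name="ParentCommandLine">C:\\Windows\\Explorer.EXE</Data>'
    '</EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID>'
    '<Computer>WS01</Computer></System><EventData><Data Name="UtcTime">2024-03-04 10:12:40.001</Data>'
    '<Data Name="CommandLine">"D:\\setup\\installer.exe"</Data>'
    '<Data Name="ParentCommandLine">C:\\Windows\\Explorer.EXE</Data></EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID>'
    '<Computer>WS01</Computer></System><EventData><Data Name="UtcTime">2024-03-04 10:13:00.500</Data>'
    '<Data Name="CommandLine">"C:\\Windows\\System32\\notepad.exe" C:\\Users\\alice\\notes.txt</Data>'
    '<Data Name="ParentCommandLine">C:\\Windows\\Explorer.EXE</Data></EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID>'
    '<Computer>WS01</Computer></System><EventData><Data Name="UtcTime">2024-03-04 10:12:45.250</Data>'
    '<Data Name="CommandLine">C:\\Windows\\System32\\msiexec.exe /i C:\\Users\\alice\\AppData\\Local\\Temp\\pkg.msi /qn</Data>'
    '<Data Name="ParentCommandLine">"D:\\setup\\installer.exe"</Data></EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID>'
    '<Computer>WS02</Computer></System><EventData><Data Name="UtcTime">2024-03-04 10:20:00.000</Data>'
    '<Data Name="CommandLine">"C:\\Windows\\System32\\notepad.exe" D:\\readme.txt</Data>'
    '<Data Name="ParentCommandLine">C:\\Windows\\Explorer.EXE</Data></EventData></Event>',
]

# A command line is split into quoted tokens and bare whitespace-separated tokens.
PATH_TOKEN = re.compile(r'"([^"]+)"|(\S+)')


def parse_event(xml_text):
    """Return one event's EventData fields as a dict, plus the Computer name as 'host'."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    computer = root.find("e:System/e:Computer", NS)
    fields["host"] = computer.text if computer is not None else ""
    return fields


def drive_pattern(drive_letters):
    """Case-insensitive pattern for a path on any of the given drive letters, e.g. d:\\ or E:\\."""
    if not drive_letters.isalpha():
        raise ValueError("drive letters only")
    return re.compile(r"(?<![A-Za-z])[" + drive_letters + r"]:\\", re.IGNORECASE)


def drive_paths(text, pat):
    """Keep the command-line tokens that are paths on the removable drive."""
    tokens = (m.group(1) or m.group(2) for m in PATH_TOKEN.finditer(text))
    return [t for t in tokens if pat.search(t)]


def flag_paths(text, pat):
    """Drive paths whose extension is on the watchlist (ntpath handles Windows paths on any OS)."""
    return [p for p in drive_paths(text, pat) if ntpath.splitext(p)[1].lower() in WATCHLIST_EXTENSIONS]


def files_from_drive(events, drive_letters="d", host=None):
    """Equivalent of the page's search: keep process events whose CommandLine or
    ParentCommandLine references the removable drive, optionally limited to one host,
    sorted oldest to newest like '| sort _time'. Each row also carries the flagged paths."""
    pat = drive_pattern(drive_letters)
    rows = []
    for xml_text in events:
        ev = parse_event(xml_text)
        if host and ev["host"].lower() != host.lower():
            continue
        cmd, parent = ev.get("CommandLine", ""), ev.get("ParentCommandLine", "")
        if not (pat.search(cmd) or pat.search(parent)):
            continue
        rows.append({
            "_time": datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f"),
            "CommandLine": cmd,
            "ParentCommandLine": parent,
            "flagged": flag_paths(cmd + " " + parent, pat),
        })
    rows.sort(key=lambda r: r["_time"])
    return rows


if __name__ == "__main__":
    # Same columns as the search's table command, plus the watchlist hits.
    for r in files_from_drive(SAMPLE_EVENTS, host="WS01"):
        print(r["_time"], "|", r["CommandLine"], "|", r["ParentCommandLine"], "|", r["flagged"])
```

Run with no arguments to see the three WS01 rows. The row for msiexec.exe is kept only because its parent lives on D:, which is the reason the search checks ParentCommandLine as well as CommandLine: the process spawned by something on the stick is often more interesting than the launcher itself.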