Skip to main content

File added to the system through external media

  • Updated

You might need to identify files that were downloaded from removable media, such as a USB stick, when doing the following:

Prerequisites 

In order to execute this procedure in your environment, you may need to first on-board the data, services, or apps shown in the following table.

Category

Name

Importance

Data

Operating system event data

Required

Data

Microsoft Sysmon

Example

 

Example

The purpose of this example is to show how this procedure works in a general environment. In your environment, you can optimize the search by specifying an index, a time range, or a different data source. 

A user plugged a USB stick into his machine. You suspect that the files the user downloaded from the USB stick are malicious and want to identify them.

  1. Set the search time range to the date the user inserted the USB stick, if known.
  2. Run the following search:
sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational host=<hostname> (CommandLine="d:\\*" OR ParentCommandLine="d:\\*")
|table _time CommandLine ParentCommandLine
|sort _time

 

Search Explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search

Explanation

sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

Search only Windows Sysmon operational logs.

Tip: Sysmon can create many types of logs. As your organization scales, you’ll want to be wise with the kinds of events Sysmon captures. SwiftOnSecurity offers a popular XML configuration file.

(CommandLine="d:\\*" OR ParentCommandLine="d:\\*")

Search for command line and parent command line processes that reference the drive where the USB stick was inserted.

Note: The second backslash is used to escape the backslash in the file path. Without it, your search will not run correctly.

|table _time CommandLine ParentCommandLine

Display only these fields in a table with the columns in the order shown.

|sort _time

Sort the results from oldest to newest.

 

Result

The files found in the results are those downloaded from the USB stick. Look for known suspicious file types. For example, malware authors sometimes use the .dotm Microsoft Word format because of the ability to embed macros and other scripts within it.

Related articles

Comments

0 comments

Please sign in to leave a comment.

The information provided in Splunk Lantern is intended for informational and educational purposes only. All information is provided in good faith, however, Splunk disclaims any and all representations and warranties, express and implied, regarding the information provided, including without limitation any warranties and representations regarding the completeness, adequacy or accuracy of the information. You agree to take full responsibility for the results arising from the use of the information provided.