Files a user uploaded to a network file share
A user reports a ransomware attack on a machine. The user put a number of files on a network file share after the attack. You need to determine how many PDFs on the file share were encrypted as part of the attack.
Required data
Procedure
This sample search uses Windows event logs. You can replace this source with any other network sessions data used in your organization.
Run the following search.You can optimize it by specifying an index and adjusting the time range.
sourcetype=*win* pdf dest=<hostname of fileshare> Source_address=<IP address of infected system> |stats dc(TargetFilename)
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
|
|
Search only Windows event logs. |
|
|
Search for all files of a certain type (.pdf in this example) on the file share. |
|
|
Search the affected system, in this case, a file share on the network. Logs vary in the information they contain. Not all logs have host names or IP addresses. Sometimes the dest field will have a hostname in it, but sometimes it will have an IP address. Parentheses and OR statements will broaden your search so you don’t miss anything. Example: Example: |
|
|
Search for files that came from the infected system. |
|
|
Provide a distinct count of the number of affected files. |
Next steps
Without the stats command, the search returns an event log for each PDF on the file share that was encrypted by the ransomware. The stats command provides a total count.
Finally, you might be interested in other processes associated with the Investigating a ransomware attack use case.