You might need to find all files a user uploaded to a network file share when doing the following:
Prerequisites
In order to execute this procedure in your environment, the following data, services, or apps are required:
Example
A user reports a ransomware attack on their machine. The user put a number of files on a network file share after the attack. You need to determine how many PDFs on the file share were encrypted as part of the attack.
NOTE: To optimize the search shown below, you should specify an index and a time range. In addition, this sample search uses Windows event logs. You can replace this source with any other operating system event data used in your organization.
- Run the following search:
sourcetype=*win* pdf dest=<hostname of fileshare> Source_address=<IP address of infected system>
|stats dc(TargetFilename)
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
| --- | --- |
| sourcetype=*win* | Search only Windows event logs. |
| pdf | Search for all files of a certain type (.pdf in this example) on the file share. |
| dest=<hostname of fileshare> | Search the affected system, in this case, a file share on the network. Tip: Logs vary in the information they contain. Not all logs have hostnames or IP addresses. Sometimes the dest field will have a hostname in it, and sometimes it will have an IP address. Parentheses and OR statements will broaden your search so you don't miss anything. Example: (dest="192.0.2.0" OR dest="example.com") |
| Source_address=<IP address of infected system> | Search for files that came from the infected system. |
| \|stats dc(TargetFilename) | Provide a distinct count of the number of affected files. |
Result
Without the stats command, the search returns an event log for each PDF on the file share that was encrypted by the ransomware. The stats command provides a total count.
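The following Python script is an added example, not part of the original article or of Splunk's own code. It models what the search above does, filter by Windows sourcetype, free-text term, destination and source address, then distinct-count TargetFilename, over a handful of constructed Windows-style file events, so you can see why a duplicate write is counted once and why the (dest="ip" OR dest="hostname") tip changes the result. All hostnames, IP addresses, file paths and field values are constructed sample data.

```python
"""
Added example (not from the original page): a small Python model of the
Splunk search

    sourcetype=*win* pdf dest=<fileshare> Source_address=<infected host>
    | stats dc(TargetFilename)

applied to constructed events. Field names mirror the ones the SPL uses.
"""

# Constructed sample events modelled on Windows file-write logs. The mix of
# hostname and IP address in `dest` reflects the tip in the explanation
# table: the same file share can appear under either form.
SAMPLE_EVENTS = [
    {"sourcetype": "WinEventLog:Security", "dest": "fileshare01",
     "Source_address": "192.0.2.10", "TargetFilename": r"\\fileshare01\share\report.pdf"},
    {"sourcetype": "WinEventLog:Security", "dest": "192.0.2.5",   # same share, logged by IP
     "Source_address": "192.0.2.10", "TargetFilename": r"\\fileshare01\share\invoice.pdf"},
    {"sourcetype": "WinEventLog:Security", "dest": "fileshare01",  # repeated write, counted once by dc()
     "Source_address": "192.0.2.10", "TargetFilename": r"\\fileshare01\share\report.pdf"},
    {"sourcetype": "WinEventLog:Security", "dest": "fileshare01",  # not a PDF
     "Source_address": "192.0.2.10", "TargetFilename": r"\\fileshare01\share\notes.docx"},
    {"sourcetype": "WinEventLog:Security", "dest": "fileshare01",  # different source host
     "Source_address": "192.0.2.99", "TargetFilename": r"\\fileshare01\share\other.pdf"},
    {"sourcetype": "linux_secure", "dest": "fileshare01",          # not a Windows log
     "Source_address": "192.0.2.10", "TargetFilename": "/srv/share/unix.pdf"},
]


def matches_search(event, dest_values, source_address, term="pdf"):
    """Model of `sourcetype=*win* <term> dest=<...> Source_address=<...>`.

    dest_values is a set so that (dest="ip" OR dest="hostname") can be
    expressed by passing both forms. Matching is case-insensitive, as Splunk
    keyword search is; the free-text term matches anywhere in the event.
    """
    if "win" not in event.get("sourcetype", "").lower():
        return False
    if event.get("dest", "").lower() not in {d.lower() for d in dest_values}:
        return False
    if event.get("Source_address") != source_address:
        return False
    return any(term.lower() in str(value).lower() for value in event.values())


def distinct_target_filenames(events, dest_values, source_address, term="pdf"):
    """Equivalent of `| stats dc(TargetFilename)`: the number of unique
    TargetFilename values among the events that match the search."""
    names = {
        e["TargetFilename"]
        for e in events
        if matches_search(e, dest_values, source_address, term)
    }
    return len(names)


if __name__ == "__main__":
    infected = "192.0.2.10"
    # Searching by hostname only misses the event logged with the IP address.
    print("dest=hostname only :", distinct_target_filenames(SAMPLE_EVENTS, {"fileshare01"}, infected))
    # Broadening with OR, as the table tip suggests, picks up both forms.
    print("dest=hostname OR ip:", distinct_target_filenames(SAMPLE_EVENTS, {"fileshare01", "192.0.2.5"}, infected))
```

Run it with no arguments: the first count is 1 (only report.pdf, the duplicate write collapsed), the second is 2 because invoice.pdf, logged with the share's IP address rather than its hostname, is now included. In Splunk, the same broadening is what the parenthesised OR in the dest explanation achieves.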