Skip to main content

File downloaded to a machine from a website

  • Updated

You might need to investigate whether files were downloaded to a machine from a malicious website, even when you don’t know the names of the website or the files. The ability to sort through all files and websites efficiently can be useful when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example 

A user’s system has been infected with ransomware. You suspect that the source was a file the user downloaded from a suspicious website.

NOTE: To optimize the search shown below, you should specify an index and a time range. In addition, this sample search uses Stream HTTP data. You can replace this source with any other network packet inspection data used in your organization.

  1. Run the following search:
sourcetype=stream:http src=<IP address of infected machine>
|stats count values(url) BY dest
  1. Review the results for values that you find suspicious. Research key attributes. Many security firms blog about popular implementations of ransomware or malware.
  2. After you have identified a suspicious file type, corroborate your findings using other sourcetypes. For example, if you found the suspicious file mhtr.jpg, you might search:
sourcetype=suricata src=<IP address of infected machine> url=<the suspicious URL identified in the previous search>
|stats count values(url) BY dest

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search

Explanation

sourcetype=stream:http 

Search only web traffic data from Splunk Stream logs.

src=<IP address of infected machine>

Search logs coming from the infected machine.

|stats count values(url) BY dest

Return all visited URLs, grouped by destination IP address, with a total count.

 

Result

The results show files that were downloaded to the user’s machine as a result of websites he visited. If you see the suspicious file associated with the same domains across multiple log source types, you can have a fair amount of confidence that it’s the file you want. Research suspicious file names to see if they have been reported elsewhere. When you know more about the file, you can determine the appropriate steps to take. 

Related articles

Comments

0 comments

Please sign in to leave a comment.

The information provided in Splunk Lantern is intended for informational and educational purposes only. All information is provided in good faith, however, Splunk disclaims any and all representations and warranties, express and implied, regarding the information provided, including without limitation any warranties and representations regarding the completeness, adequacy or accuracy of the information. You agree to take full responsibility for the results arising from the use of the information provided.