crisp023
New Member
01-07-2020
05:55 AM
I am trying to build a use case for files that have a double file extension since these can often be the source of malware. I haven't had any success building a search string for this. Has anyone had any success building a search for locating the execution of double file extensions? Even if I can just build a search for the double file extensions, I can try to go from there. Any thoughts?
Thanks.
1 Solution
jpolvino
Builder
01-07-2020
08:50 AM
This will pick up double extensions, and ones with more:
\w+(\.\w+){2,}$
crisp023
New Member
01-07-2020
09:27 AM
Thanks!!!!
richgalloway

SplunkTrust
01-07-2020
06:40 AM
Searching for the regular expression \.[^\.]+\. should locate files with 2 extensions. You should search specific fields to avoid false positives.
---
If this reply helps you, Karma would be appreciated.
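To see what the two regexes posted in this thread actually match, and why searching a specific field with a tighter pattern cuts false positives, here is an added Python example (not code from the thread or from Splunk). The decoy/executable extension lists, the sample file names and the function names are assumptions; the Splunk-side equivalent is shown in a comment.

```python
import re

# The two patterns posted in the thread. In SPL they would be applied to a
# specific field, e.g.:  | regex file_name="\w+(\.\w+){2,}$"
THREAD_PATTERNS = {
    "jpolvino": re.compile(r"\w+(\.\w+){2,}$"),
    "richgalloway": re.compile(r"\.[^\.]+\."),
}

# Assumed lists (tune for your environment): document-like extensions that are
# commonly used as a decoy, and extensions Windows treats as executable.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
EXEC_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1", "hta"}

# Constructed sample file names, as they might appear in a file-name field of a
# process-creation or file-write event. Not taken from the page.
SAMPLE_FILE_NAMES = [
    "invoice.pdf.exe",      # classic decoy double extension
    "photo.jpg.scr",        # decoy image, screensaver executable
    "backup.tar.gz",        # benign, but two extensions
    "jquery.min.js",        # benign, but two extensions
    "report.docx",          # single extension
    "setup.exe",            # single extension
]


def basename(path: str) -> str:
    """Return the file-name component of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1]


def thread_matches(file_name: str) -> dict:
    """Apply both regexes from the thread to the file-name component."""
    name = basename(file_name)
    return {who: bool(p.search(name)) for who, p in THREAD_PATTERNS.items()}


def is_decoy_double_extension(file_name: str) -> bool:
    """Tighter check: a decoy extension immediately followed by an executable one."""
    parts = basename(file_name).lower().split(".")
    if len(parts) < 3:
        return False
    return parts[-2] in DECOY_EXTS and parts[-1] in EXEC_EXTS


def classify(file_names):
    """Map each name to (thread regex results, tightened-check result)."""
    return {n: (thread_matches(n), is_decoy_double_extension(n)) for n in file_names}


if __name__ == "__main__":
    for name, (hits, decoy) in classify(SAMPLE_FILE_NAMES).items():
        print(f"{name:20} thread={hits} decoy_double_ext={decoy}")
```

Running it shows that both thread regexes flag backup.tar.gz and jquery.min.js alongside invoice.pdf.exe, which is the false-positive problem the reply above warns about; the tightened check only flags the decoy-plus-executable names.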
crisp023
New Member
01-07-2020
08:17 AM
Thanks! I'll give it a try.
