Splunk Enterprise Security

Splunk search for double file extension

New Member

I am trying to build a use case for files that have a double file extension since these can often be the source of malware. I haven't had any success building a search string for this. Has anyone had any success building a search for locating the execution of double file extensions? Even if I can just build a search for the double file extensions, I can try to go from there. Any thoughts?

Thanks.

0 Karma
1 Solution

Builder

This will pick up double extensions, and ones with more:
"\w+(\.\w+){2,}$

See https://regex101.com/r/0bZcWs/1

View solution in original post

0 Karma

Builder

This will pick up double extensions, and ones with more:
"\w+(\.\w+){2,}$

See https://regex101.com/r/0bZcWs/1

View solution in original post

0 Karma

New Member

Thanks!!!!

0 Karma

SplunkTrust
SplunkTrust

Searching for the regular expression \.[^\.]+\. should locate files with 2 extensions. You should search specific fields to avoid false positives.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

New Member

Thanks! I'll give it a try.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!