Solved: Splunk search for double file extension

crisp023 · ‎01-07-2020

I am trying to build a use case for files that have a double file extension since these can often be the source of malware. I haven't had any success building a search string for this. Has anyone had any success building a search for locating the execution of double file extensions? Even if I can just build a search for the double file extensions, I can try to go from there. Any thoughts?

Thanks.

jpolvino · ‎01-07-2020

This will pick up double extensions, and ones with more:
"\w+(\.\w+){2,}$

See https://regex101.com/r/0bZcWs/1

View solution in original post

jpolvino · ‎01-07-2020

This will pick up double extensions, and ones with more:
"\w+(\.\w+){2,}$

See https://regex101.com/r/0bZcWs/1

crisp023 · ‎01-07-2020

Thanks!!!!

richgalloway · ‎01-07-2020

Searching for the regular expression \.[^\.]+\. should locate files with 2 extensions. You should search specific fields to avoid false positives.

---
If this reply helps you, Karma would be appreciated.

crisp023 · ‎01-07-2020

Thanks! I'll give it a try.

Splunk search for double file extension

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!