Splunk Enterprise Security

Splunk search for double file extension

crisp023
New Member

I am trying to build a use case for files that have a double file extension since these can often be the source of malware. I haven't had any success building a search string for this. Has anyone had any success building a search for locating the execution of double file extensions? Even if I can just build a search for the double file extensions, I can try to go from there. Any thoughts?

Thanks.

0 Karma
1 Solution

jpolvino
Builder

This will pick up double extensions, and ones with more:
"\w+(\.\w+){2,}$

See https://regex101.com/r/0bZcWs/1

View solution in original post

0 Karma

jpolvino
Builder

This will pick up double extensions, and ones with more:
"\w+(\.\w+){2,}$

See https://regex101.com/r/0bZcWs/1

0 Karma

crisp023
New Member

Thanks!!!!

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Searching for the regular expression \.[^\.]+\. should locate files with 2 extensions. You should search specific fields to avoid false positives.

---
If this reply helps you, Karma would be appreciated.
0 Karma

crisp023
New Member

Thanks! I'll give it a try.

0 Karma
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...