Splunk Enterprise Security

Splunk search for double file extension

New Member

I am trying to build a use case for files that have a double file extension since these can often be the source of malware. I haven't had any success building a search string for this. Has anyone had any success building a search for locating the execution of double file extensions? Even if I can just build a search for the double file extensions, I can try to go from there. Any thoughts?

Thanks.

0 Karma
1 Solution

Builder

This will pick up double extensions, and ones with more:
"\w+(\.\w+){2,}$

See https://regex101.com/r/0bZcWs/1

View solution in original post

0 Karma

Builder

This will pick up double extensions, and ones with more:
"\w+(\.\w+){2,}$

See https://regex101.com/r/0bZcWs/1

View solution in original post

0 Karma

New Member

Thanks!!!!

0 Karma

SplunkTrust
SplunkTrust

Searching for the regular expression \.[^\.]+\. should locate files with 2 extensions. You should search specific fields to avoid false positives.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

New Member

Thanks! I'll give it a try.

0 Karma