Splunk Search

Rex field extraction

zacksoft_wf
Contributor

I have a field called 'description'. I want to be able to extract MD5, SHA1, SHA256 values present in this field.
Need help with a regular expression. Here is an example of the field value. It's pretty huge. Towards the end you will notice the MD5, SHA1, SHA256 values.

Example:
============

Family: alien

alien is a credential theft malware designed to run on a mobile phone running the Android operating system. This malware will attempt to monitor the users activities and steal their data by either logging keystrokes, copying their clipboard content or applying a overlay on top of legitimate applications the malware is instructed to monitor for.

Pattern(s) extracted from web_inject config for this family:

com.wf.Tubeswatermobile


Infrastructure: hxxp://yektkedecaedem.shop
Type: CNC

Infrastructure purpose: A CNC is the interface between the botnet and the threat actor, allowing the threat actor to send commands, exfiltrate data and manage an infected machine.

Virustotal Report: https://www.virustotal.com/gui/url/b2eba8fb7266c50f23d71d1ref5c5df663962eccf1420d59a14ee2hb5005f6fb/...

Associated Payload Hashes:
MD5 9fagf968da04a2bb464f4842ebd1bd29
SHA1 0bacdak9d1a7dbb975759d687645006f875a388b
SHA256 ba57be868c89b4a342c412c066dc58ed9a888f8009ec512917004380d8e8233e

http://yeytledfcaeden.shop


============


javiergn
Super Champion

Hi @zacksoft_wf, try the following rex that will create 3 fields, one for each hash.

| rex field=description "(?ms)MD5\s+(?<md5>\w+)\s+SHA1\s+(?<sha1>\w+)\s+SHA256\s+(?<sha256>\w+)"

zacksoft_wf
Contributor

Thank you. May I ask what the "?ms" is for?


gcusello
SplunkTrust

Hi @zacksoft_wf,

it's used when the log is multirow.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉
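The following is an added example, not code from the thread, that runs javiergn's rex and checks the two points raised above (what it extracts, and what the (?ms) prefix does) outside Splunk. Python's re module is used as a stand-in for Splunk's PCRE, so the named groups are written (?P<name>...) instead of (?<name>...); the sample input is a constructed cut-down copy of the posted description, with the hash values copied exactly as posted. Two things it shows: first, the posted rex has no '.' and no '^'/'$', the only constructs that (?s) and (?m) change, so adding or dropping (?ms) does not alter the result (the \s+ between the labels already spans the line breaks); second, because \w+ accepts any word character, it happily captures the posted MD5 and SHA1 values, which contain a 'g' and a 'k' and are therefore not valid hex (presumably defanged like the hxxp URLs). A stricter per-hash pattern, an assumption about what a practitioner would want rather than anything from the thread, is included for contrast: it anchors on the exact hex length, tolerates reordered or missing hashes, and rejects those two values.

```python
import re

# Constructed sample: the tail of the posted 'description' field, with the
# three hash values copied verbatim from the post (non-hex characters and all).
SAMPLE_DESCRIPTION = """Infrastructure: hxxp://yektkedecaedem.shop
Type: CNC

Associated Payload Hashes:
MD5 9fagf968da04a2bb464f4842ebd1bd29
SHA1 0bacdak9d1a7dbb975759d687645006f875a388b
SHA256 ba57be868c89b4a342c412c066dc58ed9a888f8009ec512917004380d8e8233e

http://yeytledfcaeden.shop
"""

# Second constructed sample with valid hex (the empty-string MD5 and SHA256),
# SHA256 listed first and no SHA1 at all.
CLEAN_DESCRIPTION = """Associated Payload Hashes:
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
MD5 d41d8cd98f00b204e9800998ecf8427e
"""

# javiergn's rex in Python syntax: Python's re only accepts (?P<name>...) for
# named groups, where Splunk's PCRE accepts (?<name>...).
POSTED_PATTERN = re.compile(
    r"(?ms)MD5\s+(?P<md5>\w+)\s+SHA1\s+(?P<sha1>\w+)\s+SHA256\s+(?P<sha256>\w+)"
)

# The same pattern with the (?ms) prefix removed, for comparison.
POSTED_PATTERN_NO_FLAGS = re.compile(
    r"MD5\s+(?P<md5>\w+)\s+SHA1\s+(?P<sha1>\w+)\s+SHA256\s+(?P<sha256>\w+)"
)


def extract_posted(description, pattern=POSTED_PATTERN):
    """Mimic `| rex field=description "..."`: return the named groups of the
    first match, or an empty dict when there is no match (Splunk would just
    leave the three fields unset on that event)."""
    m = pattern.search(description)
    return m.groupdict() if m else {}


def flags_change_result(description):
    """True only if (?ms) changes what the posted rex extracts. (?s) alters
    what '.' matches and (?m) alters what '^' and '$' match; the pattern uses
    none of those, so this is False for any input."""
    with_flags = extract_posted(description, POSTED_PATTERN)
    without_flags = extract_posted(description, POSTED_PATTERN_NO_FLAGS)
    return with_flags != without_flags


# Hypothetical stricter alternative (not from the thread): one independent
# pattern per hash, anchored on the label and the exact hex length. In SPL
# these would be three separate rex commands, e.g.
#   | rex field=description "\bMD5\s+(?<md5>[0-9a-fA-F]{32})\b"
STRICT_PATTERNS = {
    "md5": re.compile(r"\bMD5\s+(?P<md5>[0-9a-fA-F]{32})\b"),
    "sha1": re.compile(r"\bSHA1\s+(?P<sha1>[0-9a-fA-F]{40})\b"),
    "sha256": re.compile(r"\bSHA256\s+(?P<sha256>[0-9a-fA-F]{64})\b"),
}


def extract_strict(description):
    """Return only the hashes that are well-formed hex of the right length,
    normalised to lowercase; order and presence of the others do not matter."""
    out = {}
    for name, pat in STRICT_PATTERNS.items():
        m = pat.search(description)
        if m:
            out[name] = m.group(name).lower()
    return out


if __name__ == "__main__":
    print("posted rex on sample:", extract_posted(SAMPLE_DESCRIPTION))
    print("(?ms) changes result:", flags_change_result(SAMPLE_DESCRIPTION))
    print("strict on sample:", extract_strict(SAMPLE_DESCRIPTION))
    print("posted rex on reordered input:", extract_posted(CLEAN_DESCRIPTION))
    print("strict on reordered input:", extract_strict(CLEAN_DESCRIPTION))
```

On the posted sample the loose rex returns all three values and the strict one returns only the SHA256; on the reordered input the loose rex returns nothing (it needs MD5, SHA1 and SHA256 in that order) while the strict patterns recover the MD5 and SHA256. Which behaviour is right depends on whether the feed is trusted to always emit the three labels in that order; the strict form is the safer choice when the extracted values are going to be joined against threat-intel lookups, where a defanged or truncated hash is noise.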