Splunk Search

Rex field extraction

zacksoft_wf
Contributor

I have a field called 'description'. I want to be able to extract the MD5, SHA1 and SHA256 values present in this field.
I need help with a regular expression. Here is an example of the field value. It's pretty huge. Towards the end you will notice the MD5, SHA1 and SHA256 values.

Example:
============

Family: alien

alien is a credential theft malware designed to run on a mobile phone running the Android operating system. This malware will attempt to monitor the user's activities and steal their data by either logging keystrokes, copying their clipboard content or applying an overlay on top of legitimate applications the malware is instructed to monitor for.

Pattern(s) extracted from web_inject config for this family:

com.wf.Tubeswatermobile


Infrastructure: hxxp://yektkedecaedem.shop
Type: CNC

Infrastructure purpose: A CNC is the interface between the botnet and the threat actor, allowing the threat actor to send commands, exfiltrate data and manage an infected machine.


Virustotal Report: https://www.virustotal.com/gui/url/b2eba8fb7266c50f23d71d1ref5c5df663962eccf1420d59a14ee2hb5005f6fb/...

Associated Payload Hashes:
MD5 9fagf968da04a2bb464f4842ebd1bd29
SHA1 0bacdak9d1a7dbb975759d687645006f875a388b
SHA256 ba57be868c89b4a342c412c066dc58ed9a888f8009ec512917004380d8e8233e

http://yeytledfcaeden.shop


============


javiergn
Super Champion

Hi @zacksoft_wf , try the following rex that will create 3 fields, one for each hash.

| rex field=description "(?ms)MD5\s+(?<md5>\w+)\s+SHA1\s+(?<sha1>\w+)\s+SHA256\s+(?<sha256>\w+)"



zacksoft_wf
Contributor

Thank you. May I ask what the "?ms" is for?


gcusello
SplunkTrust

Hi @zacksoft_wf,

It's used when the log is multi-row.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉

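As an added example (not part of the thread, and not code from Splunk or from either poster), the Python script below applies the accepted answer's pattern to a constructed, shortened copy of the description field, then contrasts it with a stricter per-line pattern that only accepts well-formed hex of the right length and does not care which order the three hash lines appear in. Python's re module uses (?P<name>...) where Splunk's PCRE uses (?<name>...), so the group syntax is translated; \s, \w and the inline flags behave the same. It also shows what (?m) and (?s) actually change: the posted pattern contains no '.' and no ^ or $, so (?ms) is inert there and it is \s+ that carries the match across the newlines. Note that the MD5 and SHA1 values in the question contain non-hex characters ('g', 'k'), which \w+ accepts but the strict pattern rejects; the second sample (REORDERED) uses the well-known hashes of the empty string so the strict extractor has something valid to return.

```python
import re
from typing import Optional

# Constructed sample input: a shortened copy of the 'description' field from the
# question, keeping its multi-line layout and the hash block near the end.
DESCRIPTION = (
    "Family: alien\n"
    "\n"
    "Infrastructure: hxxp://yektkedecaedem.shop\n"
    "Type: CNC\n"
    "\n"
    "Associated Payload Hashes:\n"
    "MD5 9fagf968da04a2bb464f4842ebd1bd29\n"
    "SHA1 0bacdak9d1a7dbb975759d687645006f875a388b\n"
    "SHA256 ba57be868c89b4a342c412c066dc58ed9a888f8009ec512917004380d8e8233e\n"
    "\n"
    "http://yeytledfcaeden.shop\n"
)

# Second constructed sample: valid hashes (of the empty string), upper-case SHA256,
# and the three lines in a different order than the posted pattern expects.
REORDERED = (
    "Associated Payload Hashes:\n"
    "SHA256 E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855\n"
    "MD5 d41d8cd98f00b204e9800998ecf8427e\n"
    "SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709\n"
)

# 1. The accepted answer's rex, translated to Python: (?<name>...) -> (?P<name>...).
#    There is no '.' and no ^/$ in it, so (?ms) changes nothing; \s+ already
#    matches the newline between the MD5, SHA1 and SHA256 lines.
POSTED = re.compile(
    r"(?ms)MD5\s+(?P<md5>\w+)\s+SHA1\s+(?P<sha1>\w+)\s+SHA256\s+(?P<sha256>\w+)"
)

# 2. Stricter variant: each label on its own line, fixed-length hex only, any order.
#    Here (?m) matters: ^ and $ must anchor to line boundaries inside the field.
#    (?i) accepts upper-case hex; the result is normalised to lower case.
STRICT = {
    "md5":    re.compile(r"(?mi)^MD5\s+(?P<md5>[0-9a-f]{32})$"),
    "sha1":   re.compile(r"(?mi)^SHA1\s+(?P<sha1>[0-9a-f]{40})$"),
    "sha256": re.compile(r"(?mi)^SHA256\s+(?P<sha256>[0-9a-f]{64})$"),
}


def extract_posted(description: str) -> Optional[dict]:
    """Apply the accepted answer's pattern; None if the fixed MD5->SHA1->SHA256 sequence is absent."""
    m = POSTED.search(description)
    return m.groupdict() if m else None


def extract_strict(description: str) -> dict:
    """Return only syntactically valid hashes; a missing or malformed one is None."""
    out = {}
    for name, pat in STRICT.items():
        m = pat.search(description)
        out[name] = m.group(name).lower() if m else None
    return out


def show_flags(description: str) -> dict:
    """Illustrate what (?m) and (?s) each change on the same field value."""
    return {
        # Without (?m), ^ matches only at the very start of the whole field.
        "no_m":   re.findall(r"^(\w+):", description),
        "with_m": re.findall(r"(?m)^(\w+):", description),
        # Without (?s), '.' stops at a newline, so 'MD5.*SHA256' cannot span lines.
        "no_s":   re.search(r"MD5.*SHA256", description) is not None,
        "with_s": re.search(r"(?s)MD5.*SHA256", description) is not None,
    }


if __name__ == "__main__":
    print(extract_posted(DESCRIPTION))   # \w+ happily captures the non-hex 'hashes'
    print(extract_strict(DESCRIPTION))   # md5 and sha1 are rejected, sha256 kept
    print(extract_posted(REORDERED))     # None: label order differs from the pattern
    print(extract_strict(REORDERED))     # all three found regardless of order
    print(show_flags(DESCRIPTION))
```

In SPL the strict form is three separate rex commands on the description field, each starting with (?mi), anchored with ^ and $, and using [0-9a-f]{32}, {40} and {64} in place of \w+; that way a stray token after a label does not silently become a "hash" field, and an indicator block whose lines are in a different order still extracts.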