Navigation :

Batch File Write To System32

Description

The search looks for a batch file (.bat) written to the Windows system directory tree.

Help
Batch File Write To System32 Help You must be ingesting data that records the file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.

Help

Batch File Write To System32 Help

You must be ingesting data that records the file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.

Search
\| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.dest) as dest values(Filesystem.file_name) as file_name values(Filesystem.user) as user from datamodel=Endpoint.Filesystem by Filesystem.file_path \| `drop_dm_object_name(Filesystem)` \| `security_content_ctime(lastTime)` \| `security_content_ctime(firstTime)`\| rex field=file_name "(?<file_extension>\.[^\.]+)$" \| search file_path=system32 AND file_extension=.bat \| `batch_file_write_to_system32_filter` Open in Search

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.dest) as dest values(Filesystem.file_name) as file_name values(Filesystem.user) as user from datamodel=Endpoint.Filesystem by Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`| rex field=file_name "(?<file_extension>\.[^\.]+)$" | search file_path=*system32* AND file_extension=.bat | `batch_file_write_to_system32_filter`

Open in Search