Bro does awesome things with network data. One of those things is performing an analysis of files on the wire, including hashing. WLS does hashing of executed files and loaded DLLs, and tracks each hash that has been seen on the host, setting “NewHash=True” for the first instance.
I wanted to track PE files that have been seen on the wire (downloaded) then executed for the first time with some basic statistics. The resulting Splunk search looks for all Bro file analysis logs of PE files that contain an MD5, matches that with WLS logs containing the same MD5, does a distinct host count, and reports the unique hash data with the distinct host count. If you have Bro monitoring internal and external traffic you’ll also see things such as managed anti-virus updates or patches. The WLS file metadata optionally includes the Zone field, which can come in handy for differentiating the source of the files.
Internet Explorer Zone Number Mapping

| Value | Setting |
| --- | --- |
| 0 | My Computer |
| 1 | Local Intranet Zone |
| 2 | Trusted sites Zone |
| 3 | Internet Zone |
| 4 | Restricted Sites Zone |
Here’s the current Splunk search I’m using for alerting:
`wlslogs` NewHash=True [ search sourcetype=bro_files PE MD5 | dedup md5 | rename md5 as MD5 | fields MD5] | eval CallingProcess=coalesce(Process,CreatorProcessName) | eventstats dc(host) as hostCount by MD5 | dedup MD5 | table hostCount, CallingProcess, BaseFileName, CompanyName, InternalName, FileDescription, Signed, FileVersion, ProductVersion, Zone | sort -hostCount
- `wlslogs`
  - A macro that limits the logs to indexes where WLS data is contained
- NewHash=True
  - Only logs where NewHash is set to True
- [ search sourcetype=bro_files PE MD5 | dedup md5 | rename md5 as MD5 | fields MD5]
  - sourcetype=bro_files
    - Only “bro_files” data
  - PE MD5
    - Bro logs containing the keywords “PE” and “MD5”
  - dedup md5
    - Remove duplicate hashes
  - rename md5 as MD5
    - Splunk is case-sensitive for field names, so rename the Bro field to what WLS uses
  - fields MD5
    - Only output the MD5 field(s)
- eval CallingProcess=coalesce(Process,CreatorProcessName)
  - The fields differ slightly in the logs where we might find an MD5 (new process vs. loading DLL); this returns the first non-null of Process and CreatorProcessName
- eventstats dc(host) as hostCount by MD5
  - Count the distinct number of hosts where this MD5 has been seen
- dedup MD5
  - Remove duplicate WLS MD5 logs
- table hostCount, CallingProcess, BaseFileName, CompanyName, InternalName, FileDescription, Signed, FileVersion, ProductVersion, Zone
  - Make a table of the useful fields
- sort -hostCount
  - Sort by hostCount in descending order
Example output

| hostCount | CallingProcess | BaseFileName | CompanyName | InternalName | FileDescription | Signed | FileVersion | ProductVersion | Zone |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 124 | GoogleUpdate | 44.0.2403.89_43.0.2357.134_chrome_updater.exe | | | | True | | | 0 |
| 31 | GoogleUpdate | GoogleUpdateSetup.exe | Google Inc. | Google Update Setup | Google Update Setup | True | 1.3.28.1 | 1.3.28.1 | 0 |
| 1 | GoogleUpdate | 44.0.2403.89_43.0.2357.134_chrome64_updater.exe | | | | True | | | 0 |
| 1 | chrome | gimp-2.8.14-setup-1.exe | The GIMP Team | | GIMP Setup | True | 2.8.14 | 2.8.14 | 3 |
| 1 | vlc | vlc-2.2.1-win32.exe | | | | True | | | 0 |
| 1 | iexplore | Silverlight_x64.exe | Microsoft Corporation | SFXCAB.EXE | Self-Extracting Cabinet | True | 5.1.40620.0 | 5.5.0031.0 | 0 |
| 1 | chrome | chromeinstall-8u51.exe | Oracle Corporation | Setup Launcher | Java Platform SE binary | True | 8.0.510.16 | 8.0.510.16 | 3 |
For more information on WLS, click “WLS Information” at the top of the page.
If you’d like additional information about WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.