Category Archives: Uncategorized

Monitoring downloaded file execution: WLS + Bro + Splunk


Bro does awesome things with network data. One of those things is performing an analysis of files on the wire, including hashing. WLS does hashing of executed files and loaded DLLs, and tracks each hash that has been seen on the host, setting “NewHash=True” for the first instance.

I wanted to track PE files that have been seen on the wire (downloaded) then executed for the first time with some basic statistics. The resulting Splunk search looks for all Bro file analysis logs of PE files that contain an MD5, matches that with WLS logs containing the same MD5, does a distinct host count, and reports the unique hash data with the distinct host count. If you have Bro monitoring internal and external traffic you’ll also see things such as managed anti-virus updates or patches. The WLS file metadata optionally includes the Zone field, which can come in handy for differentiating the source of the files.

Internet Explorer Zone Number Mapping

Value Setting
0 My Computer
1 Local Intranet Zone
2 Trusted sites Zone
3 Internet Zone
4 Restricted Sites Zone

Here’s the current Splunk search I’m using for alerting:

`wlslogs` NewHash=True [ search sourcetype=bro_files PE MD5 | dedup md5 | rename md5 as MD5 | fields MD5] | eval CallingProcess=coalesce(Process,CreatorProcessName) | eventstats dc(host) as hostCount by MD5 | dedup MD5 | table hostCount, CallingProcess, BaseFileName, CompanyName, InternalName, FileDescription, Signed, FileVersion, ProductVersion, Zone | sort -hostCount

  • `wlslogs`
    • A macro that limits the logs to indexes where WLS data is contained
  • NewHash=True
    • Only logs where NewHash is set to True
  • [ search sourcetype=bro_files PE MD5 | dedup md5 | rename md5 as MD5 | fields MD5]
    • sourcetype=bro_files
      • Only “bro_files” data
    • PE MD5
      • Bro logs containing the keywords “PE” and “MD5”
    • dedup md5
      • Remove duplicate hashes
    • rename md5 as MD5
      • Splunk is case-sensitive for field names, so rename the Bro field to what WLS uses
    • fields MD5
      • Only output the MD5 field(s)
  • eval CallingProcess=coalesce(Process,CreatorProcessName)
    • The fields differ slightly in the logs where we might find an MD5 (new process vs. loading DLL); this will return the first non-null of Process and CreatorProcessName
  • eventstats dc(host) as hostCount by MD5
    • Count the distinct number of hosts where this MD5 has been seen
  • dedup MD5
    • Remove duplicate WLS MD5 logs
  • table hostCount, CallingProcess, BaseFileName, CompanyName, InternalName, FileDescription, Signed, FileVersion, ProductVersion, Zone
    • Make a table of the useful fields
  • sort -hostCount
    • Sort by hostCount in decending order

Example output

hostCount CallingProcess BaseFileName CompanyName InternalName FileDescription Signed FileVersion ProductVersion Zone
124 GoogleUpdate 44.0.2403.89_43.0.2357.134_chrome_updater.exe True 0
31 GoogleUpdate GoogleUpdateSetup.exe Google Inc. Google Update Setup Google Update Setup True 1.3.28.1 1.3.28.1 0
1 GoogleUpdate 44.0.2403.89_43.0.2357.134_chrome64_updater.exe True 0
1 chrome gimp-2.8.14-setup-1.exe The GIMP Team GIMP Setup True 2.8.14 2.8.14 3
1 vlc vlc-2.2.1-win32.exe True 0
1 iexplore Silverlight_x64.exe Microsoft Corporation SFXCAB.EXE Self-Extracting Cabinet True 5.1.40620.0 5.5.0031.0 0
1 chrome chromeinstall-8u51.exe Oracle Corporation Setup Launcher Java Platform SE binary True 8.0.510.16 8.0.510.16 3

For more information on WLS, click “WLS Information” at the top, or here: WLS Information

If you’d like additional information about WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.