

This search looks for file modifications whose extensions are commonly used by ransomware.

  • Type: Hunting
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2020-11-09
  • Author: David Dorsey, Splunk
  • ID: a9e5c5db-db11-43ca-86a8-c852d1b2c0ec




ATT&CK
  • ID: T1485
  • Technique: Data Destruction
  • Tactic: Impact

Kill Chain Phase
  • Actions on Objectives

NIST CSF
  • PR.PT
  • DE.CM

CIS Controls
  • CIS 8
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name 
| `drop_dm_object_name(Filesystem)` 
| `security_content_ctime(lastTime)` 
| `security_content_ctime(firstTime)`
| rex field=file_name "(?<file_extension>\.[^\.]+)$" 
| `ransomware_extensions` 
| `common_ransomware_extensions_filter`


The SPL above uses the following Macros:

  • security_content_summariesonly
  • drop_dm_object_name
  • security_content_ctime
  • ransomware_extensions
  • common_ransomware_extensions_filter

:information_source: common_ransomware_extensions_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
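To make the pipeline concrete, here is an added Python port of the search above (example code, not Splunk's detection or the ransomware_extensions lookup): it applies the page's rex to each file_name, aggregates per file_name the way the tstats line does (count, firstTime, lastTime, distinct user/dest/file_path), keeps only names whose extension is in the list, and applies an optional callable standing in for the empty filter macro. The extension set and the Filesystem events are constructed stand-ins.

```python
import re
from collections import defaultdict

# The page's rex, as a Python named group.
EXT_RE = re.compile(r"(?P<file_extension>\.[^\.]+)$")

# Constructed stand-in for the `ransomware_extensions` lookup (assumption, not the real list).
RANSOMWARE_EXTENSIONS = {".locky", ".crypt", ".wncry"}

# Constructed Endpoint.Filesystem events (epoch seconds); not real telemetry.
SAMPLE_EVENTS = [
    {"_time": 1604900000, "user": "alice", "dest": "ws01", "file_path": r"C:\Users\alice\docs\q3.xlsx.locky", "file_name": "q3.xlsx.locky"},
    {"_time": 1604900005, "user": "alice", "dest": "ws01", "file_path": r"C:\Users\alice\docs\notes.txt.locky", "file_name": "notes.txt.locky"},
    {"_time": 1604900010, "user": "alice", "dest": "ws01", "file_path": r"C:\Users\alice\docs\q3.xlsx.locky", "file_name": "q3.xlsx.locky"},
    {"_time": 1604900020, "user": "bob", "dest": "ws02", "file_path": r"C:\temp\report.pdf", "file_name": "report.pdf"},
    {"_time": 1604900030, "user": "svc", "dest": "srv01", "file_path": r"D:\backup\db.bak", "file_name": "db.bak"},
]


def extract_extension(file_name):
    r"""Equivalent of `rex field=file_name "(?<file_extension>\.[^\.]+)$"`; None if no dot."""
    m = EXT_RE.search(file_name)
    return m.group("file_extension") if m else None


def hunt_ransomware_extensions(events, extensions=RANSOMWARE_EXTENSIONS, filter_fn=None):
    """tstats-style aggregation by file_name, then the extension match.
    filter_fn plays the role of `common_ransomware_extensions_filter`: rows for
    which it returns True are dropped as known false positives."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None,
                                  "user": set(), "dest": set(), "file_path": set()})
    for ev in events:
        g = groups[ev["file_name"]]
        g["count"] += 1
        t = ev["_time"]
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
        for f in ("user", "dest", "file_path"):
            g[f].add(ev[f])
    results = []
    for file_name, g in groups.items():
        ext = extract_extension(file_name)
        if ext is None or ext.lower() not in extensions:
            continue
        row = {"file_name": file_name, "file_extension": ext, "count": g["count"],
               "firstTime": g["firstTime"], "lastTime": g["lastTime"],
               "user": sorted(g["user"]), "dest": sorted(g["dest"]),
               "file_path": sorted(g["file_path"])}
        if filter_fn is None or not filter_fn(row):
            results.append(row)
    return results
```

With the page's false-positive note in mind, the count field is what an analyst would sort on: a burst of matching file names on one dest is the signal, a single file is usually a legitimate creation.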

Required fields

List of fields required to use this analytic.

  • _time
  • Filesystem.user
  • Filesystem.dest
  • Filesystem.file_path
  • Filesystem.file_name

How To Implement

You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.
This search produces fields (query,query_length,count) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):

  1. Label: Name, Field: Name
  2. Label: File Extension, Field: file_extension

Detailed documentation on how to create a new field within Incident Review may be found here:

Known False Positives

It is possible for a legitimate file with these extensions to be created. If this is a true ransomware attack, there will be a large number of files created with these extensions.

Associated Analytic Story


  • Risk Score: 90.0
  • Impact: 90
  • Confidence: 100
  • Message: A file - $file_name$ was written to disk on endpoint $dest$ by user $user$, this is indicative of a known ransomware file extension and should be reviewed immediately.

:information_source: The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact are set by the analytic author.


Test Dataset

Replay any dataset to Splunk Enterprise by using our tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 4