Try in Splunk Security Cloud


This search is to detect a suspicious file creation namely passff.tar and cookie.tar. This files are possible archived of stolen browser information like history and cookies in a compromised machine with IcedID.

  • Type: Hunting
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-07-30
  • Author: Teoderick Contreras, Splunk
  • ID: 0db4da70-f14b-11eb-8043-acde48001122


ID Technique Tactic
T1560.001 Archive via Utility Collection
T1560 Archive Collected Data Collection
`sysmon` EventCode= 11  (TargetFilename = "*\\passff.tar" OR TargetFilename = "*\\cookie.tar") 
|stats count min(_time) as firstTime max(_time) as lastTime by TargetFilename EventCode process_id  process_name Computer 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `icedid_exfiltrated_archived_file_creation_filter`

Associated Analytic Story

How To Implement

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

Required field

  • _time
  • TargetFilename
  • EventCode
  • process_id
  • process_name
  • Computer

Kill Chain Phase

  • Exploitation

Known False Positives



Risk Score Impact Confidence Message
72.0 80 90 process $SourceImage$ create a file $TargetImage$ in host $Computer$


Test Dataset

Replay any dataset to Splunk Enterprise by using our tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1