Suspicious Creation TXT File in User Desktop
Ransomware create txt file in the user Desktop
Sigma rule (View on GitHub)
1title: Suspicious Creation TXT File in User Desktop
2id: caf02a0a-1e1c-4552-9b48-5e070bd88d11
3status: test
4description: Ransomware create txt file in the user Desktop
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1486/T1486.md#atomic-test-5---purelocker-ransom-note
7author: frack113
8date: 2021-12-26
9tags:
10 - attack.impact
11 - attack.t1486
12logsource:
13 product: windows
14 category: file_event
15detection:
16 selection:
17 Image|endswith: '\cmd.exe'
18 TargetFilename|contains|all:
19 - '\Users\'
20 - '\Desktop\'
21 TargetFilename|endswith: '.txt'
22 condition: selection
23falsepositives:
24 - Unknown
25level: high
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- AWS EC2 Disable EBS Encryption
- BlueSky Ransomware Artefacts
- LockerGoga Ransomware Activity
- Microsoft 365 - Potential Ransomware Activity
- Potential Conti Ransomware Activity