Notepad Password Files Discovery
Detects the execution of Notepad to open a file whose name contains the string "password", which may indicate unauthorized access to credentials or other suspicious activity.
Sigma rule
title: Notepad Password Files Discovery
id: 3b4e950b-a3ea-44d3-877e-432071990709
status: experimental
description: Detects the execution of Notepad to open a file that has the string "password" which may indicate unauthorized access to credentials or suspicious activity.
references:
    - https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/
    - https://intel.thedfirreport.com/eventReports/view/57 # Private Report
author: 'The DFIR Report'
tags:
    - attack.discovery
    - attack.t1083
date: 2025-02-21
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\explorer.exe'
        Image|endswith: '\notepad.exe'
        CommandLine|endswith:
            # Note: Commandline to contain a file with the string password and a specific extension
            - 'password*.txt'
            - 'password*.csv'
            - 'password*.doc'
            - 'password*.xls'
    condition: selection
falsepositives:
    - Legitimate use of opening files from remote hosts by administrators or users. However, storing passwords in text readable format could potentially be a violation of the organization's policy. Any match should be investigated further.
level: low
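To see what the selection above fires on, the following added Python example (not part of the rule or of the Sigma project) emulates the `|endswith` modifier with Sigma's wildcard and case-insensitive semantics and runs the rule over constructed Sysmon-style process_creation events; the paths and user names are made up, and event 5 shows how a quoted file argument slips past the trailing-extension patterns.

```python
import re

# Field values copied from the Sigma rule on this page.
PARENT_IMAGE = r"\explorer.exe"
IMAGE = r"\notepad.exe"
COMMANDLINE_PATTERNS = ["password*.txt", "password*.csv", "password*.doc", "password*.xls"]


def sigma_endswith(value: str, pattern: str) -> bool:
    """Emulate Sigma's `|endswith` modifier: '*' and '?' in the pattern are
    wildcards, a leading '*' is implied, and matching is case-insensitive."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(".*" + body, value, re.IGNORECASE | re.DOTALL) is not None


def matches_rule(event: dict) -> bool:
    """Apply the rule's `selection` (all three fields must match) to one
    process_creation event given as a dict of Sysmon-style field names."""
    return (
        sigma_endswith(event.get("ParentImage", ""), PARENT_IMAGE)
        and sigma_endswith(event.get("Image", ""), IMAGE)
        and any(sigma_endswith(event.get("CommandLine", ""), p) for p in COMMANDLINE_PATTERNS)
    )


# Constructed sample events (not real telemetry).
NOTEPAD = r"C:\Windows\System32\notepad.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [
    # 1: user double-clicks Passwords.txt in Explorer -> alerts (case-insensitive match).
    {"id": 1, "ParentImage": EXPLORER, "Image": NOTEPAD,
     "CommandLine": f'"{NOTEPAD}" C:\\Users\\jdoe\\Desktop\\Passwords.txt'},
    # 2: same file, but Notepad launched from a cmd.exe shell -> parent filter excludes it.
    {"id": 2, "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": NOTEPAD,
     "CommandLine": r"notepad.exe C:\Users\jdoe\Desktop\passwords.txt"},
    # 3: an ordinary text file -> no alert.
    {"id": 3, "ParentImage": EXPLORER, "Image": NOTEPAD,
     "CommandLine": f'"{NOTEPAD}" C:\\Users\\jdoe\\notes.txt'},
    # 4: a CSV export with "password" in its name -> alerts.
    {"id": 4, "ParentImage": EXPLORER, "Image": NOTEPAD,
     "CommandLine": f'"{NOTEPAD}" C:\\Temp\\password_export.csv'},
    # 5: quoted file path, so the command line ends in '"' rather than '.txt';
    #    the endswith patterns do not fire, a coverage gap worth knowing about.
    {"id": 5, "ParentImage": EXPLORER, "Image": NOTEPAD,
     "CommandLine": f'"{NOTEPAD}" "C:\\Users\\jdoe\\My Passwords.txt"'},
]


def alerting_event_ids(events=SAMPLE_EVENTS) -> list:
    return [e["id"] for e in events if matches_rule(e)]
```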
Related rules
- File and Directory Discovery - Linux
- HackTool - PCHunter Execution
- Shell Execution GCC - Linux
- Shell Execution via Find - Linux
- Shell Execution via Flock - Linux