Detectionhightest

Suspicious Creation TXT File in User Desktop

Ransomware create txt file in the user Desktop

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François HubautCreated Sun Dec 26caf02a0a-1e1c-4552-9b48-5e070bd88d11windows

Log Source

WindowsFile Event

ProductWindows← raw: windows

CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic

detection:
    selection:
        Image|endswith: '\cmd.exe'
        TargetFilename|contains|all:
            - '\Users\'
            - '\Desktop\'
        TargetFilename|endswith: '.txt'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

github.com

MITRE ATT&CK

Tactics

TA0040 · Impact

Techniques

T1486 · Data Encrypted for Impact

Rule Metadata

Rule ID

caf02a0a-1e1c-4552-9b48-5e070bd88d11

Status

test

Level

high

Type

Detection

Created

Sun Dec 26

Author

François Hubaut

Path

rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml

Raw Tags

attack.impactattack.t1486

View on GitHub