Phoenix
Sigma IntelligenceBeta
Back to Rules
Threat Huntmediumtest

Suspicious Creation TXT File in User Desktop

Detects creation of .txt files in user desktop folders via cmd.exe. This behavior may indicate ransomware deploying ransom notes, but can also occur during legitimate administrative tasks. Analysts should investigate for suspicious filenames (e.g., "RANSOM", "DECRYPT", "READ_ME"), bulk file creation patterns, or concurrent encryption activity to determine if this is part of a ransomware attack.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
François HubautCreated Sun Dec 26Updated Fri Jan 09caf02a0a-1e1c-4552-9b48-5e070bd88d11windows
Hunting Hypothesis
Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic
Detection Logic1 selector
detection:
    selection:
        Image|endswith: '\cmd.exe'
        TargetFilename|contains|all:
            - '\Users\'
            - '\Desktop\'
        TargetFilename|endswith: '.txt'
    condition: selection
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
github.com
MITRE ATT&CK

Other

detection.threat-hunting
Rule Metadata
Rule ID
caf02a0a-1e1c-4552-9b48-5e070bd88d11
Status
test
Level
medium
Type
Threat Hunt
Created
Sun Dec 26
Modified
Fri Jan 09
Author
François Hubaut
Path
rules-threat-hunting/windows/file/file_event/file_event_win_susp_desktop_txt.yml
Raw Tags
attack.impactattack.t1486detection.threat-hunting
View on GitHub