The hypothesis is that an adversary is using cmd.exe to create a suspicious TXT file on a user's Desktop (for example a ransom note, as in the referenced atomic test) as part of a ransomware attack, alongside attempts to establish persistence or exfiltrate data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early signs of ransomware activity and prevent data loss.
Detection Rule
title: Suspicious Creation TXT File in User Desktop
id: caf02a0a-1e1c-4552-9b48-5e070bd88d11
status: test
description: Ransomware create txt file in the user Desktop
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1486/T1486.md#atomic-test-5---purelocker-ransom-note
author: frack113
date: 2021-12-26
tags:
    - attack.impact
    - attack.t1486
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\cmd.exe'
        TargetFilename|contains|all:
            - '\Users\'
            - '\Desktop\'
        TargetFilename|endswith: '.txt'
    condition: selection
falsepositives:
    - Unknown
level: high
Sentinel Query (ASIM imFileEvent)
imFileEvent
// Sigma "Image" is the process that wrote the file; in the ASIM FileEvent schema that is
// ActingProcessName, and the Sigma "TargetFilename" (full path) is TargetFilePath.
// The original query filtered TargetFilePath for "\\cmd.exe" and TargetFileName for the
// directory components, a condition that can never be true for a ".txt" target.
| where EventType == "FileCreated"   // file_event category = file creation (Sysmon EID 11)
| where ActingProcessName endswith "\\cmd.exe"
| where TargetFilePath contains "\\Users\\" and TargetFilePath contains "\\Desktop\\"
| where TargetFilePath endswith ".txt"
Scenario: System Maintenance Tool Creates Temp TXT File
Description: A legitimate system maintenance tool (e.g., CCleaner, Disk Cleanup) may create temporary .txt files or logs on the user's Desktop during cleanup or log generation.
Filter/Exclusion: Check the file creation process using file or process fields to exclude files created by known maintenance tools or processes like ccleaner.exe, cleanmgr.exe, or diskcleanup.exe. Because the rule only fires when the writing process is cmd.exe, the useful exclusion is usually on the parent process (a cmd.exe child of one of these tools), not on the tool's own process name.
Scenario: Scheduled Job Generates Log File on Desktop
Description: A scheduled task (e.g., Task Scheduler) may generate a .txt log file on the Desktop as part of a routine system monitoring or reporting process.
Filter/Exclusion: Use a filter on the process.name field to exclude known scheduled task processes like schtasks.exe or taskhost.exe, or check the event_id or log_name for system or application logs. For this rule, the cmd.exe instance launched by the task is what matches, so key the exclusion on the parent process or on the specific task command line.
Scenario: User Manually Creates TXT File for Notes
Description: A user may manually create a .txt file on their Desktop for personal notes or documentation.
Filter/Exclusion: Filter by user.name to exclude files created by specific trusted users, or use a file.name pattern to exclude files with known naming conventions (e.g., notes.txt, todo.txt). Files created interactively through Notepad or Explorer do not match the rule anyway, since the writing process is not cmd.exe.
Scenario: Admin Task for Configuration Backup
Description: An administrator may run a script or tool (e.g., PowerShell, Batch File) to back up configuration files to the Desktop, which may result in .txt files being created.
Filter/Exclusion: Filter by process.name to exclude administrative tools like powershell.exe or cmd.exe, or check the process.parent.name for known admin tools or services. Note that cmd.exe is the rule's own selection, so excluding it outright silences the detection entirely; scope the exclusion to a known parent process, a specific script path, or an administrative account instead.
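The following is an added example, not part of the original rule or the Sigma project: it re-implements the selection logic above in Python over constructed file-creation events, and applies the admin-backup tuning as a parent-process allowlist so that cmd.exe itself is never excluded. The field names, the allowlist entry and the sample events are assumptions for the demo.

```python
from dataclasses import dataclass

@dataclass
class FileEvent:
    """One file-creation event (Sysmon Event ID 11 style fields; assumed names)."""
    image: str            # process that wrote the file (Sigma: Image)
    target_filename: str  # full path of the created file (Sigma: TargetFilename)
    parent_image: str     # parent of the writing process, used for scoped tuning

# Parent processes whose cmd.exe children are expected to write Desktop .txt
# files (constructed allowlist; tune per environment). The exclusion is keyed
# on the parent, not on cmd.exe itself, so the rule is not silenced.
KNOWN_ADMIN_PARENTS = ("\\backup-agent.exe",)

def matches_sigma(ev: FileEvent) -> bool:
    r"""Sigma selection: Image ends \cmd.exe, path has \Users\ and \Desktop\, ends .txt (case-insensitive)."""
    img = ev.image.lower()
    path = ev.target_filename.lower()
    return (img.endswith("\\cmd.exe")
            and "\\users\\" in path and "\\desktop\\" in path
            and path.endswith(".txt"))

def is_tuned_out(ev: FileEvent) -> bool:
    """Admin-backup tuning: suppress only when cmd.exe was spawned by an allowlisted parent."""
    parent = ev.parent_image.lower()
    return any(parent.endswith(p.lower()) for p in KNOWN_ADMIN_PARENTS)

def run_rule(events):
    """Return the target paths that should raise an alert."""
    return [ev.target_filename for ev in events
            if matches_sigma(ev) and not is_tuned_out(ev)]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    FileEvent(r"C:\Windows\System32\cmd.exe", r"C:\Users\alice\Desktop\readme.txt",
              r"C:\Windows\explorer.exe"),                          # true positive
    FileEvent(r"C:\Windows\System32\notepad.exe", r"C:\Users\alice\Desktop\notes.txt",
              r"C:\Windows\explorer.exe"),                          # not cmd.exe: no match
    FileEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\Temp\out.txt",
              r"C:\Windows\explorer.exe"),                          # not under a Desktop
    FileEvent(r"C:\Windows\System32\cmd.exe", r"C:\Users\bob\Desktop\config_backup.txt",
              r"C:\Program Files\Backup\backup-agent.exe"),         # matches, tuned out by parent
    FileEvent(r"C:\WINDOWS\SYSTEM32\CMD.EXE", r"C:\USERS\carol\DESKTOP\NOTE.TXT",
              r"C:\Windows\explorer.exe"),                          # mixed case still matches
]

if __name__ == "__main__":
    for path in run_rule(SAMPLE_EVENTS):
        print("ALERT:", path)
```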