LoFP

False positives may occur if legitimate software or administrative tools create key files in the root directory, although this is uncommon in normal operations. Filter alerts based on known approved applications.

Techniques

Sample rules

Windows .Key File Creation in Root Directory

Description

Detects the creation of a .key file directly in the root directory of a drive (the regex accepts any drive letter, not only the system drive). Several ransomware families have been observed dropping such a key file before they start encrypting files, which makes a root-level .key creation by an unexpected process a useful early indicator.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Filesystem
    where Filesystem.file_name="*.key"
    by Filesystem.dest Filesystem.file_create_time Filesystem.process_path Filesystem.process_guid
       Filesystem.process_id Filesystem.file_path Filesystem.action Filesystem.file_name
       Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| where match(file_path, "^[A-Za-z]:\\\\[^\\\\]+\.key$")
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows__key_file_creation_in_root_directory_filter`
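The following is an added example, not part of the Splunk rule or this LoFP entry: it replays the rule's two filters (the `file_name="*.key"` prefilter and the root-directory regex) and an allow-list standing in for the `windows__key_file_creation_in_root_directory_filter` macro over a handful of constructed Endpoint.Filesystem-shaped events. The event records, the `APPROVED_PROCESS_PATHS` allow-list and the `ExampleBackup` product path are all hypothetical; the regex is the one from the rule, translated from Splunk's doubly-escaped string literal into a Python raw string.

```python
import re

# Python re-implementation of the rule's `where match(file_path, ...)` clause.
# Splunk's string literal "^[A-Za-z]:\\\\[^\\\\]+\.key$" reaches PCRE as
# ^[A-Za-z]:\\[^\\]+\.key$ (each "\\\\" is one literal backslash in the regex).
ROOT_KEY_FILE = re.compile(r"^[A-Za-z]:\\[^\\]+\.key$")

# Hypothetical stand-in for the `windows__key_file_creation_in_root_directory_filter`
# macro: process images approved to write .key files to a drive root.
APPROVED_PROCESS_PATHS = {
    r"C:\Program Files\ExampleBackup\backup-agent.exe",   # constructed, not a real product
}


def is_root_key_file(file_path: str) -> bool:
    r"""True for DRIVE:\NAME.key directly in the drive root, nothing deeper.
    Like Splunk's match(), this is case-sensitive: C:\LOCK.KEY does not match."""
    return ROOT_KEY_FILE.match(file_path) is not None


def detect(events, approved=APPROVED_PROCESS_PATHS):
    """Replay the rule over Endpoint.Filesystem-shaped event dicts.

    Returns {(dest, process_path): {"count", "firstTime", "lastTime", "file_paths"}}.
    The SPL groups by the full field list (file_path, process_guid, ...); grouping
    by host and process here is a deliberate simplification for readability."""
    alerts = {}
    for ev in events:
        if not ev["file_name"].lower().endswith(".key"):  # tstats prefilter file_name="*.key"
            continue
        if not is_root_key_file(ev["file_path"]):         # | where match(file_path, ...)
            continue
        if ev["process_path"] in approved:                # the _filter macro (allow-list)
            continue
        key = (ev["dest"], ev["process_path"])
        a = alerts.setdefault(key, {"count": 0, "firstTime": ev["_time"],
                                    "lastTime": ev["_time"], "file_paths": []})
        a["count"] += 1                                    # count
        a["firstTime"] = min(a["firstTime"], ev["_time"])  # min(_time) as firstTime
        a["lastTime"] = max(a["lastTime"], ev["_time"])    # max(_time) as lastTime
        a["file_paths"].append(ev["file_path"])
    return alerts


# Constructed sample events in the shape of Endpoint.Filesystem (not real telemetry).
T0 = 1_700_000_000
SAMPLE_EVENTS = [
    # two root-level .key drops by a binary running from Temp: should alert
    {"_time": T0,       "dest": "WS01", "user": "alice", "action": "created",
     "file_path": r"C:\lock.key", "file_name": "lock.key",
     "process_path": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
    {"_time": T0 + 30,  "dest": "WS01", "user": "alice", "action": "created",
     "file_path": r"D:\lock.key", "file_name": "lock.key",
     "process_path": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
    # .key file, but inside a user profile rather than a drive root
    {"_time": T0 + 60,  "dest": "WS02", "user": "bob", "action": "created",
     "file_path": r"C:\Users\bob\Documents\id.key", "file_name": "id.key",
     "process_path": r"C:\Windows\System32\OpenSSH\ssh-keygen.exe"},
    # root-level, but the real extension is .txt
    {"_time": T0 + 90,  "dest": "WS02", "user": "bob", "action": "created",
     "file_path": r"C:\lock.key.txt", "file_name": "lock.key.txt",
     "process_path": r"C:\Windows\System32\notepad.exe"},
    # root-level .key by the approved backup agent: suppressed by the filter
    {"_time": T0 + 120, "dest": "WS03", "user": "SYSTEM", "action": "created",
     "file_path": r"C:\backup.key", "file_name": "backup.key",
     "process_path": r"C:\Program Files\ExampleBackup\backup-agent.exe"},
    # upper-case extension: the where-regex is case-sensitive, so no alert
    {"_time": T0 + 150, "dest": "WS04", "user": "carol", "action": "created",
     "file_path": r"C:\LOCK.KEY", "file_name": "LOCK.KEY",
     "process_path": r"C:\Users\carol\Downloads\update.exe"},
    # UNC path: no drive letter, so the regex does not match
    {"_time": T0 + 180, "dest": "WS05", "user": "dave", "action": "created",
     "file_path": r"\\fileserver\share\lock.key", "file_name": "lock.key",
     "process_path": r"C:\Windows\explorer.exe"},
]


if __name__ == "__main__":
    for (dest, proc), summary in detect(SAMPLE_EVENTS).items():
        print(dest, proc, summary)
```

Two things the replay makes visible that the SPL alone does not: the `match()` regex is case-sensitive, so a `C:\LOCK.KEY` drop slips past the `where` clause unless you prefix the pattern with `(?i)`, and the rule never inspects `Filesystem.action`, so it fires on whatever the data source maps into the Filesystem data model for that path, not only on creations. When you populate the filter macro, allow-list on the full `process_path` (ideally together with `process_guid` or a signer check from your EDR) rather than on the file name, since the file name is exactly what the ransomware controls.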