Techniques
Sample rules
Common Ransomware Notes
- source: splunk
- technicques:
- T1485
Description
The search looks for files created with names matching those typically used in ransomware notes that tell the victim how to get their data back.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `ransomware_notes`
| `common_ransomware_notes_filter`