LoFP

Legitimate use of opening files from remote hosts by administrators or users. However, storing passwords in a text-readable format could potentially be a violation of the organization's policy. Any match should be investigated further.

Techniques

Sample rules

Notepad Password Files Discovery

Description

Detects the execution of Notepad to open a file whose name contains the string “password”, which may indicate unauthorized access to credentials or other suspicious activity.

Detection logic

condition: selection
selection:
  CommandLine|endswith:
  - password*.txt
  - password*.csv
  - password*.doc
  - password*.xls
  Image|endswith: \notepad.exe
  ParentImage|endswith: \explorer.exe
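To see what this selection fires on, and how the remote-host case from the false-positive note above can be separated during triage, here is an added Python example that is not part of LoFP or the Sigma rule: it evaluates the selection against constructed Sysmon-style process-creation events and tags matches whose file argument is a UNC path. The handling of the `endswith` modifier and the `*` wildcard follows Sigma's documented semantics but is an assumption of this example, as are the event field names.

```python
import re

# The Sigma selection from the rule above, transcribed into a dict for this example.
SELECTION = {
    "CommandLine|endswith": ["password*.txt", "password*.csv",
                             "password*.doc", "password*.xls"],
    "Image|endswith": "\\notepad.exe",
    "ParentImage|endswith": "\\explorer.exe",
}
# A UNC path such as \\fileserver\share\..., i.e. a file opened from a remote host.
UNC_PATH = re.compile(r'\\\\[^\\\s"]+\\')

def sigma_value_to_regex(value, modifier="endswith"):
    # Sigma strings are case-insensitive, '*' is a wildcard and endswith anchors the
    # value to the end of the field (assumed semantics; only endswith is handled).
    body = ".*".join(re.escape(part) for part in value.split("*"))
    return re.compile(".*" + body + "$", re.IGNORECASE)

def field_matches(event, key, values):
    field, _, modifier = key.partition("|")
    values = values if isinstance(values, list) else [values]   # a list is OR
    return any(sigma_value_to_regex(v, modifier).match(event.get(field, "")) for v in values)

def selection_matches(event):
    return all(field_matches(event, k, v) for k, v in SELECTION.items())  # fields are AND

def triage(event):
    """Return no_match, match_local, or match_remote_host (the LoFP case above)."""
    if not selection_matches(event):
        return "no_match"
    if UNC_PATH.search(event.get("CommandLine", "")):
        return "match_remote_host"
    return "match_local"

NOTEPAD = r"C:\Windows\System32\notepad.exe"
EXPLORER = r"C:\Windows\explorer.exe"
EVENTS = [  # constructed Sysmon Event ID 1 style records, not real telemetry
    {"Image": NOTEPAD, "ParentImage": EXPLORER,
     "CommandLine": f'"{NOTEPAD}" C:\\Users\\alice\\Desktop\\passwords.txt'},
    {"Image": NOTEPAD, "ParentImage": EXPLORER,
     "CommandLine": f'"{NOTEPAD}" \\\\fileserver\\it\\password_policy.doc'},
    {"Image": NOTEPAD, "ParentImage": EXPLORER,
     "CommandLine": f'"{NOTEPAD}" C:\\Users\\alice\\notes.txt'},
    {"Image": NOTEPAD, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f'"{NOTEPAD}" C:\\temp\\passwords.csv'},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(triage(ev), "<-", ev["CommandLine"])
```

The second event matches the rule but is tagged as a remote-host open, which is the situation the false-positive note says still needs a look but is often legitimate administrator activity; the last event fails only on the parent process.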