Try in Splunk Security Cloud


The following analytics identifies a big number of instance of ransomware notes (filetype e.g .txt, .html, .hta) file creation to the infected machine. This behavior is a good sensor if the ransomware note filename is quite new for security industry or the ransomware note filename is not in your ransomware lookup table list for monitoring.

  • Type: Anomaly
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-03-12
  • Author: Teoderick Contreras
  • ID: eff7919a-8330-11eb-83f8-acde48001122


ID Technique Tactic
T1486 Data Encrypted for Impact Impact
`sysmon` EventCode=11 file_name IN ("*\.txt","*\.html","*\.hta") 
|bin _time span=10s 
| stats min(_time) as firstTime max(_time) as lastTime dc(TargetFilename) as unique_readme_path_count values(TargetFilename) as list_of_readme_path by Computer Image file_name 
| where unique_readme_path_count >= 15 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `ransomware_notes_bulk_creation_filter`

Associated Analytic Story

How To Implement

You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.

Required field

  • EventCode
  • file_name
  • _time
  • TargetFilename
  • Computer
  • Image
  • user

Kill Chain Phase

  • Obfuscation

Known False Positives



Risk Score Impact Confidence Message
81.0 90 90 A high frequency file creation of $file_name$ in different file path in host $Computer$


Test Dataset

Replay any dataset to Splunk Enterprise by using our tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1