Try in Splunk Security Cloud


The search looks for a file named "test.txt" written to the windows system directory tree, which is consistent with Samsam propagation.

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2018-12-14
  • Author: Rico Valdez, Splunk
  • ID: 493a879d-519d-428f-8f57-a06a0fdc107e


ID Technique Tactic
T1486 Data Encrypted for Impact Impact

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_name) as file_name from datamodel=Endpoint.Filesystem where Filesystem.file_path=*\\windows\\system32\\test.txt by Filesystem.file_path 
| `drop_dm_object_name(Filesystem)` 
| `security_content_ctime(lastTime)` 
| `security_content_ctime(firstTime)` 
| `samsam_test_file_write_filter`

Associated Analytic Story

How To Implement

You must be ingesting data that records the file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.

Required field

  • _time
  • Filesystem.user
  • Filesystem.dest
  • Filesystem.file_name
  • Filesystem.file_path

Kill Chain Phase

  • Delivery

Known False Positives

No false positives have been identified.


Risk Score Impact Confidence Message
12.0 60 20 A samsam ransomware test file creation in $file_path$ in host $dest$


Test Dataset

Replay any dataset to Splunk Enterprise by using our tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1