Notepad Password Files Discovery

Original Source: [Sigma source]
Title: Notepad Password Files Discovery
Status: experimental
Description: Detects the execution of Notepad to open a file whose name contains the string "password", which may indicate unauthorized access to credentials or other suspicious activity.
References:
  - https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/
  - https://intel.thedfirreport.com/eventReports/view/57
Author: The DFIR Report
Date: 2025-02-21
Modified: None
Tags:
  - 'attack.discovery'
  - 'attack.t1083'
Logsource:
  • product: windows
  • category: process_creation
Detection:
  selection:
    ParentImage|endswith: '\explorer.exe'
    Image|endswith: '\notepad.exe'
    CommandLine|endswith:
      - 'password*.txt'
      - 'password*.csv'
      - 'password*.doc'
      - 'password*.xls'

  condition: selection
Falsepositives:
  - Legitimate opening of files from remote hosts by administrators or users. However, storing passwords in a readable text format could be a violation of the organization's policy, so any match should be investigated further.
Level: low
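The selection above, evaluated as an added Python example (not part of the rule or of the Sigma project's code): it translates the `endswith` values, including their `*` wildcards, into case-insensitive regexes and runs them over constructed process_creation events, showing which events fire and why a `cmd.exe`-parented one does not. Event field names follow the Sysmon/Sigma convention; the sample events are made up for the demo.

```python
import re

# The rule's "selection" block, transcribed as data: "field|modifier" -> values.
SELECTION = {
    "ParentImage|endswith": ["\\explorer.exe"],
    "Image|endswith": ["\\notepad.exe"],
    "CommandLine|endswith": ["password*.txt", "password*.csv",
                             "password*.doc", "password*.xls"],
}

def sigma_value_to_regex(value, modifier=""):
    """One Sigma string value -> case-insensitive regex. Sigma reads '*' as any
    run of characters and '?' as one character; 'endswith' adds a leading '*'."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in value)
    if modifier == "endswith":
        body = ".*" + body
    return re.compile(body, re.IGNORECASE | re.DOTALL)

def compile_selection(selection):
    compiled = []
    for key, values in selection.items():
        field, _, modifier = key.partition("|")
        compiled.append((field, [sigma_value_to_regex(v, modifier) for v in values]))
    return compiled

def event_matches(event, compiled):
    """Sigma map semantics: every field must match (AND); a field listing
    several values matches when any one of them does (OR)."""
    for field, patterns in compiled:
        value = event.get(field)
        if value is None or not any(p.fullmatch(value) for p in patterns):
            return False
    return True

def run_rule(events, selection=SELECTION):
    compiled = compile_selection(selection)
    return [e for e in events if event_matches(e, compiled)]

# Constructed process_creation events for the demo (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\jdoe\Desktop\passwords.txt'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\jdoe\Desktop\notes.txt'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe \\fileserver\it\Password_List.csv"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\NOTEPAD.EXE",
     "CommandLine": r'"C:\Windows\System32\NOTEPAD.EXE" \\fileserver\it\Password_Export.xls'},
]
```

Only the first and last sample events match: the second has no "password" in the file name, and the third fails the `ParentImage` condition even though its file name would match.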