EXPLORE
Sign In
← Back to Explore
sigmalowHunting

Notepad Password Files Discovery

Detects the execution of Notepad to open a file that has the string "password" which may indicate unauthorized access to credentials or suspicious activity.

MITRE ATT&CK

T1083
discovery

Detection Query

selection:
  ParentImage|endswith: \explorer.exe
  Image|endswith: \notepad.exe
  CommandLine|endswith:
    - password*.txt
    - password*.csv
    - password*.doc
    - password*.xls
condition: selection

Author

The DFIR Report

Created

2025-02-21

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.discoveryattack.t1083
Raw Content
title: Notepad Password Files Discovery
id: 3b4e950b-a3ea-44d3-877e-432071990709
status: experimental
description: Detects the execution of Notepad to open a file that has the string "password" which may indicate unauthorized access to credentials or suspicious activity.
references:
    - https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/
    - https://intel.thedfirreport.com/eventReports/view/57  # Private Report
author: 'The DFIR Report'
tags:
    - attack.discovery
    - attack.t1083
date: 2025-02-21
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\explorer.exe'
        Image|endswith: '\notepad.exe'
        CommandLine|endswith:
        # Note: Commandline to contain a file with the string password and a specific extension
            - 'password*.txt'
            - 'password*.csv'
            - 'password*.doc'
            - 'password*.xls'
    condition: selection
falsepositives:
    - Legitimate use of opening files from remote hosts by administrators or users. However, storing passwords in text readable format could potentially be a violation of the organization's policy. Any match should be investigated further.
level: low