Windows .Key File Creation in Root Directory
This search detects the creation of a .key file in the root directory of the system drive, an activity associated with ransomware execution before file encryption.
This detection identifies the creation of ‘.key’ files in the root directory of a Windows system drive, a behavior commonly observed during ransomware attacks. The presence of such files often precedes the encryption phase; they serve as temporary storage for cryptographic key material. This activity is anomalous because legitimate software rarely creates key files directly in the root directory. The detection leverages Sysmon Event ID 11 (FileCreate) to monitor file creation events and triggers when a ‘.key’ file is created in the root directory, potentially indicating an imminent ransomware attack. The detection is based on the Splunk ESCU detection “Windows .Key File Creation in Root Directory” (id: 90e71722-8c0f-43b4-937a-6222325976c2, version 1, published 2026-05-05).
Attack Chain
- Initial access is gained through an unknown method (e.g., phishing, exploit).
- Malware is executed on the compromised system.
- The malware creates a .key file in the root directory (e.g., C:\).
- The malware generates or retrieves encryption keys and stores them in the .key file.
- The malware enumerates files for encryption.
- The malware encrypts targeted files on the system.
- The original files are deleted or overwritten.
- A ransom note is dropped, demanding payment for decryption.
Impact
A successful attack results in the encryption of files on the compromised system, rendering them inaccessible to the user. This can lead to data loss, disruption of business operations, and financial losses due to ransom demands. The CISA alert AA22-321A highlights the severity and widespread impact of ransomware attacks, emphasizing the importance of proactive detection and prevention measures.
Recommendation
- Enable Sysmon Event ID 11 logging to capture file creation events.
- Deploy the Sigma rule provided to detect the creation of .key files in the root directory.
- Investigate any alerts generated by the Sigma rule to determine the legitimacy of the file creation event. Filter alerts based on known approved applications to reduce false positives.
- Review and update existing ransomware incident response plans to include this specific attack vector.
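The matching logic described above (Sysmon Event ID 11, a ‘.key’ file directly in the root of the system drive) together with the approved-application filter from the recommendations, as an added example that is not the Splunk ESCU rule or any vendor code. The Sysmon records, the system drive letter and the allow-list of approved creator images are constructed placeholders.

```python
import re
from typing import Iterable

# Constructed Sysmon Event ID 11 (FileCreate) records, reduced to the fields the
# check needs. Sample data only, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\bob\AppData\Local\Temp\x.exe", "TargetFilename": r"C:\a1b2c3.key"},
    {"EventID": 11, "Image": r"C:\Users\bob\AppData\Local\Temp\x.exe", "TargetFilename": r"C:\ENCRYPT.KEY"},
    {"EventID": 11, "Image": r"C:\Program Files\VPNClient\vpn.exe",   "TargetFilename": r"C:\ProgramData\VPN\client.key"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",              "TargetFilename": r"C:\notes.keyx"},
    {"EventID": 11, "Image": r"C:\Program Files\Backup\agent.exe",    "TargetFilename": r"C:\backup.key"},
    {"EventID": 1,  "Image": r"C:\Windows\System32\cmd.exe",          "TargetFilename": r"C:\run.key"},
    {"EventID": 11, "Image": r"C:\Tools\t.exe",                        "TargetFilename": r"D:\secret.key"},
]

# Assumed placeholders: the system drive letter and the allow-list of approved
# creator images (the page's "known approved applications" filter).
SYSTEM_DRIVE = "C:"
APPROVED_IMAGES = {r"c:\program files\backup\agent.exe"}

# Match "<drive>:\<name>.key" only: the <name> part may not contain a backslash,
# so anything inside a subdirectory does not match. Case-insensitive extension.
ROOT_KEY_RE = re.compile(r'^(?P<drive>[A-Za-z]:)\\[^\\/:*?"<>|]*\.key$', re.IGNORECASE)


def is_root_key_file(path: str, system_drive: str = SYSTEM_DRIVE) -> bool:
    """True when path is a .key file located directly in the root of the system drive."""
    m = ROOT_KEY_RE.match(path.strip())
    return bool(m) and m.group("drive").upper() == system_drive.upper()


def detect(events: Iterable[dict], approved=APPROVED_IMAGES) -> list:
    """Return Sysmon FileCreate events that create a root .key file, minus approved creators."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 11:
            continue  # only Event ID 11 (FileCreate) carries the creation we care about
        if not is_root_key_file(ev.get("TargetFilename", "")):
            continue
        if ev.get("Image", "").lower() in approved:
            continue  # known false positive: approved application
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT: {hit['Image']} created {hit['TargetFilename']}")
```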
Detection coverage (2 rules)
Detect .Key File Creation in Root Directory
Severity: high. Detects the creation of a .key file in the root directory, often associated with ransomware.
Detect .Key File Creation by Unusual Process
Severity: medium. Detects the creation of .key files in the root directory by processes not commonly associated with file creation there.