Help figure out which user created a file

Anonymous
2023-10-04T13:54:58+00:00

A note is placed on the desktop of any user that logs in automatically. After troubleshooting, a .bat (batch file) script was located in the root of the OS drive which is triggering the creation of the ransom note. We inspected the content of the script and can tell that it is generating the Readme text files that are generated on user logon. Here is the content of the script.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

A batch file (1.bat) was dropped on the DC and a few other servers on 9/22. 1.bat generates .txt files that are ransom notes but does not encrypt files.


Locked Question. This question was migrated from the Microsoft Support Community. To protect privacy, user profiles for migrated questions are anonymized.


1 answer

  1. Anonymous
    2023-10-09T06:57:20+00:00

    Hello Deepak Kumar_845,

    Thank you for posting in Microsoft Community forum.

    Based on the description above, I understand you want to know who created the A.bat file on all the machines.

    For auditing who creates files or subfolders in a parent folder, we need two steps to configure:

    1. We need to configure the audit policy (below) to apply to the machines.

    Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit object access ==> Success and Failure

    Or

    Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies > Object Access > Audit File System ==> Success and Failure

    Note:

    If you have never configured any advanced audit policy before, then configure the legacy audit policy.

    If you have configured any advanced audit policy before, then configure the advanced audit policy.

    Once you have configured any advanced audit policy, all legacy audit policies will be overwritten by default.

    2. Configure auditing permissions on the file's parent folder.

    Add one auditing entry under Auditing tab.
    Principal: Everyone.
    Type: All
    Applies to: This folder, subfolders and files.
    Check full control for basic permissions and advanced permissions.


    You can do a similar test by creating a file/folder in a test lab and checking the event ID.

    Before the file A.bat was generated, had you enabled the audit group policy on the Domain Controllers and/or the domain machines that the users logged on to, and configured auditing permissions on the file's (A.bat) parent folder?

    If not, no corresponding event ID was generated when A.bat was created.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

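The two configuration steps in the answer, and the follow-up check of the Security log, as an added PowerShell example that is not part of the original thread. It assumes it runs elevated on the affected server, that the folder to watch is the OS drive root where the batch file was found, and that the file name `1.bat` is a placeholder for the real dropped file; the event ID 4663 ("An attempt was made to access an object") is the file-system audit event the answer refers to but does not name.

```powershell
# Added example (not from the original thread). Assumptions: elevated session,
# watch folder C:\ (root of the OS drive), file name is a placeholder.
$WatchFolder = 'C:\'
$FileName    = '1.bat'   # placeholder: use the name of the dropped batch file

# Step 1: advanced audit policy, Object Access > Audit File System,
# Success and Failure. auditpol applies locally what the GPO in the answer sets.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Step 2: auditing entry on the parent folder (Principal: Everyone, Type: All,
# Applies to: this folder, subfolders and files, Full control).
$acl  = Get-Acl -Path $WatchFolder -Audit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList 'Everyone', 'FullControl', 'ContainerInherit,ObjectInherit', `
                  'None', 'Success,Failure'
$acl.AddAuditRule($rule)
Set-Acl -Path $WatchFolder -AclObject $acl

# Step 3: only events logged AFTER steps 1 and 2 exist, as the answer notes.
# Pull Security event 4663 entries for the file and show who and which
# process touched it. Event data is read by field name from the event XML.
function Get-FileAuditEvents {
    param([string]$Name)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
                 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d.ObjectName -like "*\$Name") {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                LogonId = $d.SubjectLogonId       # correlate with 4624 logon events
                Process = $d.ProcessName          # process that opened the file
                # AccessList holds resource-string ids, e.g. %%4417 = WriteData/AddFile
                Access  = ($d.AccessList -replace '\s+', ' ').Trim()
                Object  = $d.ObjectName
            }
        }
    }
}

Get-FileAuditEvents -Name $FileName | Format-Table -AutoSize
```

Run the function on every machine where the file appeared; the LogonId and Process columns give the account and the parent process to pivot on in the rest of the Security log.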