type: leaky name: crowdsecurity/sysmon-pid-bad-ext description: "Detect files created with common ransomware file extensions" filter: | evt.Meta.service == 'sysmon' && evt.Parsed.EventID in ['11'] && any(File('ransom_ext.txt'), { Lower(evt.Parsed.TargetFilename) endsWith Lower(#)}) #Lower(evt.Parsed.TargetFilename) endsWith '.enc' capacity: 5 groupby: evt.Parsed.ProcessId blackhole: 1m leakspeed: "2s" labels: type: file-bf remediation: true os: windows scope: type: pid expression: evt.Parsed.ProcessId data: - source_url: https://raw.githubusercontent.com/LaurenceJJones/crowdsec-poc-oct-15/main/ransom_ext.txt dest_file: ransom_ext.txt type: string