Team: Huntress EDR
Environment: SentinelOne Enhanced Ransomware Detection
Summary: If you see long randomly named files appearing in C: and C:\Users Drives, you may have SentinelOne Enhanced Ransom Detection enabled.
Are you seeing weird file names randomly pop up in your C: drive?
You most likely have SentinelOne and are utilizing the Enhanced Ransomware Detection feature.
The Agent drops decoy files with open read/write permissions, which are used for detection purposes. Before Agent version 21.6, the decoy files were created in folders %user%\Documents\afterSentDocuments and %user%\Appdata\Local\afterSentDocuments).
From Agent version 21.6, the Agent generates decoy files in new decoy folders, under C:\, C:\Users, and shared folders. The names of the new decoy folders begin with the $ character and are followed by 32 random hex characters.