Team: Huntress EDR
Product: SentinelOne
Environment: SentinelOne Enhanced Ransomware Detection
Summary: If you see long, randomly named folders and files appearing under C:\ and C:\Users, you may have SentinelOne Enhanced Ransomware Detection enabled.
Are you seeing weird file names randomly pop up in your C: drive?
You most likely have SentinelOne and are utilizing the Enhanced Ransomware Detection feature.
The Agent drops decoy files with open read/write permissions; these files exist purely for detection purposes. Before Agent version 21.6, the decoy files were created in the folders %user%\Documents\afterSentDocuments and %user%\Appdata\Local\afterSentDocuments.
From Agent version 21.6 onward, the Agent generates the decoy files in new decoy folders under C:\, C:\Users, and shared folders. Each decoy folder name begins with the $ character followed by 32 random hex characters.
Examples:
C:\$A82346DA61A8DCD8697CF45427579C4DC\decoyFile1
C:\Users\$23A8ACD46DA68D1F498697CC4DC542757\decoyFile2
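To confirm that an oddly named folder is one of these decoy locations rather than something else, the following triage helper is an added example (not Huntress's or SentinelOne's code) that encodes the two layouts described above. Note that the article states 32 hex characters while both example folder names above contain 33, so the matcher accepts 32 or more (an assumption); the user name, share name and demo paths are constructed.

```python
import os
import re
from pathlib import PureWindowsPath

# 21.6+ layout: "$" plus random hex directly under C:\, C:\Users or a share root.
# The article says 32 hex characters; its examples have 33, so accept 32 or more.
DECOY_DIR_RE = re.compile(r"^\$[0-9A-Fa-f]{32,}$")
LOCAL_ROOTS = (PureWindowsPath("C:/"), PureWindowsPath("C:/Users"))
# Pre-21.6 layout: <profile>\Documents\afterSentDocuments and
# <profile>\AppData\Local\afterSentDocuments (matched case-insensitively).
LEGACY_DIR = "aftersentdocuments"


def classify(path: str) -> str:
    """Return 'decoy-21.6', 'decoy-legacy' or 'unrelated' for a Windows path."""
    p = PureWindowsPath(path)
    parts = p.parts
    for i, name in enumerate(parts):
        if DECOY_DIR_RE.match(name):
            parent = PureWindowsPath(*parts[:i]) if i else None
            # Local roots are matched by name; a UNC share root is parts[0].
            if parent in LOCAL_ROOTS or (p.drive.startswith("\\\\") and i == 1):
                return "decoy-21.6"
    lowered = [s.lower() for s in parts]
    if LEGACY_DIR in lowered:
        j = lowered.index(LEGACY_DIR)
        if lowered[j - 1:j] == ["documents"] or lowered[j - 2:j] == ["appdata", "local"]:
            return "decoy-legacy"
    return "unrelated"


def find_decoy_dirs(roots=("C:\\", "C:\\Users")):
    """Immediate subfolders of the roots that match a decoy layout (run on the host)."""
    hits = []
    for root in roots:
        try:
            with os.scandir(root) as entries:
                for entry in entries:
                    if entry.is_dir(follow_symlinks=False) and classify(entry.path) != "unrelated":
                        hits.append(entry.path)
        except OSError:  # root absent (e.g. not Windows) or unreadable: skip it
            continue
    return hits


if __name__ == "__main__":
    # Constructed demo paths; the first is one of the article's examples.
    for s in (r"C:\$A82346DA61A8DCD8697CF45427579C4DC\decoyFile1",
              r"C:\Users\alice\$23A8ACD46DA68D1F498697CC4DC542757\x.bin"):
        print(f"{classify(s):13} {s}")
    for hit in find_decoy_dirs():
        print("decoy folder present:", hit)
```

Run on the affected host, the script lists the matching decoy folders under C:\ and C:\Users; a near miss (non-hex name, wrong parent folder) is reported as unrelated and deserves a closer look rather than being assumed to be SentinelOne's.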