Potential Secure Deletion with SDelete
Detects files that have extensions commonly seen while SDelete is used to wipe files.
Sigma rule

```yaml
title: Potential Secure Deletion with SDelete
id: 39a80702-d7ca-4a83-b776-525b1f86a36d
status: test
description: Detects files that have extensions commonly seen while SDelete is used to wipe files.
references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm
    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
    - https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete
author: Thomas Patzke
date: 2017-06-14
modified: 2024-12-13
tags:
    - attack.impact
    - attack.defense-evasion
    - attack.t1070.004
    - attack.t1027.005
    - attack.t1485
    - attack.t1553.002
    - attack.s0195
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4656
            - 4663
            - 4658
        ObjectName|endswith:
            - '.AAA'
            - '.ZZZ'
    condition: selection
falsepositives:
    - Legitimate usage of SDelete
    - Files that are interacted with that have these extensions legitimately
level: medium
```
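The rule above is normally compiled by a Sigma backend into a SIEM query. As an added example (not part of the SigmaHQ rule or this page), the following Python script applies the same selection logic to constructed Windows Security events so the matching behaviour can be inspected directly: the `EventID` set, the `ObjectName|endswith` suffixes and the case-insensitive comparison that Sigma string modifiers use by default. The field names `EventID`, `ObjectName` and `ProcessName` follow the Windows Security event schema; `ProcessName` is not part of the rule and is used here only to group hits for false-positive triage. All sample events and paths are constructed, not real logs.

```python
"""Evaluate the SDelete Sigma selection over constructed Security events.

Added example, not part of the SigmaHQ rule. Field names follow the
Windows Security event schema as a SIEM would export them in JSON.
"""
import json

# Same values as the rule's detection section.
EVENT_IDS = {4656, 4663, 4658}
SUFFIXES = (".aaa", ".zzz")  # lower-cased: Sigma modifiers are case-insensitive

# Constructed sample events in JSON-lines form (not real logs). The two
# wipe-pattern names mirror what the JPCERT analysis describes: SDelete
# renames a file through AAAAAAAA.AAA ... ZZZZZZZZ.ZZZ before deleting it.
SAMPLE_JSON_LINES = "\n".join([
    json.dumps({"EventID": 4663, "ObjectName": r"C:\Users\alice\Documents\AAAAAAAA.AAA",
                "ProcessName": r"C:\Tools\sdelete64.exe"}),
    json.dumps({"EventID": 4656, "ObjectName": r"C:\Users\alice\Documents\ZZZZZZZZ.ZZZ",
                "ProcessName": r"C:\Tools\sdelete64.exe"}),
    json.dumps({"EventID": 4663, "ObjectName": r"C:\Users\alice\Documents\report.docx",
                "ProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"}),
    json.dumps({"EventID": 4688, "ObjectName": r"C:\Users\alice\Documents\AAAAAAAA.AAA"}),  # wrong EventID
    json.dumps({"EventID": "4658", "ObjectName": r"C:\Temp\build.zzz"}),  # string id, lower-case ext
    json.dumps({"EventID": 4663, "ObjectName": r"C:\Temp\archive.zzz.bak"}),  # suffix not at end
])


def parse_events(json_lines):
    """Parse one JSON object per line, skipping blank or malformed lines."""
    events = []
    for line in json_lines.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def matches_rule(event):
    """True when the event satisfies the Sigma selection.

    selection = EventID in {4656, 4663, 4658} AND ObjectName ends with
    '.AAA' or '.ZZZ' (case-insensitive, as Sigma's endswith modifier).
    """
    try:
        event_id = int(event.get("EventID"))
    except (TypeError, ValueError):
        return False
    if event_id not in EVENT_IDS:
        return False
    object_name = event.get("ObjectName")
    if not isinstance(object_name, str):
        return False
    return object_name.lower().endswith(SUFFIXES)


def scan(events):
    """Return the events that match the rule, in input order."""
    return [e for e in events if matches_rule(e)]


def summarize_by_process(hits):
    """Group matched ObjectNames by ProcessName for triage.

    Both listed false positives (legitimate SDelete use, other software that
    genuinely works with .AAA/.ZZZ files) are easier to judge per process.
    """
    by_process = {}
    for hit in hits:
        key = hit.get("ProcessName", "<unknown>")
        by_process.setdefault(key, []).append(hit["ObjectName"])
    return by_process


if __name__ == "__main__":
    hits = scan(parse_events(SAMPLE_JSON_LINES))
    print(json.dumps(summarize_by_process(hits), indent=2))
```

Two points worth remembering when deploying the rule itself: events 4656, 4663 and 4658 are only generated when the "Audit File System" object-access policy is enabled and the files carry a SACL, so on hosts without that auditing the rule never fires; and because the selection has no process or parent constraint, grouping hits by the accessing process (as the summary function does) is the quickest way to separate the documented false positives from an actual wipe.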
Related rules
- Cisco File Deletion
- Fsutil Suspicious Invocation
- Potential BlackByte Ransomware Activity
- Potentially Suspicious Desktop Background Change Using Reg.EXE
- Potentially Suspicious Desktop Background Change Via Registry