File Deleted Via Sysinternals SDelete
Detects the deletion of files by the Sysinternals SDelete utility. It looks for the file-name pattern SDelete applies when it renames a file before deleting it (names ending in .AAA or .ZZZ).
Sigma rule

```yaml
title: File Deleted Via Sysinternals SDelete
id: 6ddab845-b1b8-49c2-bbf7-1a11967f64bc
status: test
description: Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/9
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2023-02-15
tags:
    - attack.defense-evasion
    - attack.t1070.004
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|endswith:
            - '.AAA'
            - '.ZZZ'
    filter_wireshark:
        TargetFilename|endswith: '\Wireshark\radius\dictionary.alcatel-lucent.aaa'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate usage of SDelete
level: medium
```
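To show what the rule's `selection and not 1 of filter_*` condition does when a backend translates it, here is an added example (not part of the Sigma rule or the Sigma project) that applies the same logic to constructed Windows file-delete events; the event field names, paths and file names are assumptions made for the demonstration.

```python
"""Added example: evaluate this rule's detection logic over constructed
file-delete events. Not code from the Sigma rule or the Sigma project."""

# Sigma string modifiers match case-insensitively, so everything is lowered.
SELECTION_SUFFIXES = (".aaa", ".zzz")

# Exclusion taken from the rule's filter_wireshark block.
FILTER_SUFFIXES = (r"\wireshark\radius\dictionary.alcatel-lucent.aaa",)


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies `selection and not 1 of filter_*`.

    `event` models a Windows file_delete record (for example a Sysmon
    FileDelete event) carrying a TargetFilename field; this field layout is
    an assumption of the example.
    """
    name = event.get("TargetFilename", "").lower()
    selected = name.endswith(SELECTION_SUFFIXES)   # the `selection` block
    filtered = name.endswith(FILTER_SUFFIXES)      # the `filter_wireshark` block
    return selected and not filtered


def evaluate(events):
    """Return the events that would raise this rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events; images and paths are illustrative only.
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\sdelete64.exe",
     "TargetFilename": r"C:\Users\alice\Documents\AAAAAA.AAA"},
    {"Image": r"C:\Tools\sdelete64.exe",
     "TargetFilename": r"C:\Users\alice\Documents\ZZZZZZ.ZZZ"},
    # Ends in .aaa but is excluded by filter_wireshark.
    {"Image": r"C:\Program Files\Wireshark\uninstall.exe",
     "TargetFilename": r"C:\Program Files\Wireshark\radius\dictionary.alcatel-lucent.aaa"},
    # Ordinary deletion that never matches the selection.
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\report.docx"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT: SDelete-style rename deleted:", hit["TargetFilename"])
```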
Related rules
- ADS Zone.Identifier Deleted By Uncommon Application
- Backup Catalog Deleted
- Cisco File Deletion
- Directory Removal Via Rmdir
- File Deletion