File Deleted Via Sysinternals SDelete

Detects the deletion of files by the Sysinternals SDelete utility. SDelete renames a file 26 times before deleting it, replacing every character of the name with A, then B, and so on through Z, so the renamed file ends in `.AAA` on the first pass and `.ZZZ` on the last. The rule matches `file_delete` events (Sysmon Event ID 23/26) whose TargetFilename ends in either of those extensions, with one exclusion for a Wireshark dictionary file that legitimately carries the `.aaa` extension.

Sigma rule (View on GitHub)

title: File Deleted Via Sysinternals SDelete
id: 6ddab845-b1b8-49c2-bbf7-1a11967f64bc
status: test
description: Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/9
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
modified: 2023/02/15
tags:
    - attack.defense_evasion
    - attack.t1070.004
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|endswith:
            - '.AAA'
            - '.ZZZ'
    filter_wireshark:
        TargetFilename|endswith: '\Wireshark\radius\dictionary.alcatel-lucent.aaa'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate use of SDelete
level: medium
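The following is an added example, not part of the Sigma rule or the SigmaHQ project. It reproduces the 26-step rename pattern documented for SDelete (so you can see why `.AAA` and `.ZZZ` are the two extensions worth matching) and then applies the rule's `selection and not filter_wireshark` logic to a handful of constructed `file_delete` events. The event dicts, the `Image` paths and the `hunt` helper are assumptions made for the example; Sigma's `endswith` is case-insensitive, which is why the filter's lowercase `.aaa` path and a lowercase `.aaa` rename are both handled by lowering the field before comparison.

```python
import string

# Constructed Sysmon-style file_delete events (Event ID 23/26). Not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 23, "Image": r"C:\Tools\sdelete64.exe",
     "TargetFilename": r"C:\Users\victim\Documents\AAAAAAAA.AAA"},
    {"EventID": 23, "Image": r"C:\Tools\sdelete64.exe",
     "TargetFilename": r"C:\Users\victim\Documents\ZZZZZZZZ.ZZZ"},
    # Legitimate Wireshark file that happens to end in .aaa: excluded by filter_wireshark.
    {"EventID": 23, "Image": r"C:\Program Files\Wireshark\uninstall.exe",
     "TargetFilename": r"C:\Program Files\Wireshark\radius\dictionary.alcatel-lucent.aaa"},
    # Ordinary deletion, should not match.
    {"EventID": 23, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\victim\Documents\report.docx"},
    # Lowercase variant: Sigma string matching is case-insensitive, so this still matches.
    {"EventID": 26, "Image": r"C:\Tools\sdelete64.exe",
     "TargetFilename": r"C:\Temp\aaaaaaaa.aaa"},
]

# Rule logic, transcribed from the YAML above. All comparisons are done lowercased.
SELECTION_SUFFIXES = (".aaa", ".zzz")
FILTER_SUFFIXES = (r"\wireshark\radius\dictionary.alcatel-lucent.aaa",)


def sdelete_rename_sequence(filename: str) -> list[str]:
    """Return the 26 names SDelete cycles through before deleting `filename`.

    Per the Sysinternals documentation, each pass replaces every character of
    the name (dot excluded) with the same letter, A through Z: 'foo.txt' becomes
    'AAA.AAA' first and 'ZZZ.ZZZ' last.
    """
    return ["".join("." if c == "." else letter for c in filename)
            for letter in string.ascii_uppercase]


def matches_rule(event: dict) -> bool:
    """Evaluate `selection and not 1 of filter_*` for a single event."""
    name = event.get("TargetFilename", "").lower()
    selection = name.endswith(SELECTION_SUFFIXES)
    filtered = name.endswith(FILTER_SUFFIXES)
    return selection and not filtered


def hunt(events: list[dict]) -> list[str]:
    """Return the TargetFilename of every event that triggers the rule."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    seq = sdelete_rename_sequence("foo.txt")
    print("first rename:", seq[0], "| last rename:", seq[-1])
    for hit in hunt(SAMPLE_EVENTS):
        print("SDelete pattern:", hit)
```

Only the first and last renames are observable as deletions in practice, which is why the rule keys on `.AAA` and `.ZZZ` rather than all 26 letters; the intermediate renames show up as file rename events, not file deletes.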
