File Deleted Via Sysinternals SDelete
Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.
Sigma rule
```yaml
title: File Deleted Via Sysinternals SDelete
id: 6ddab845-b1b8-49c2-bbf7-1a11967f64bc
status: test
description: Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/9
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
modified: 2023/02/15
tags:
    - attack.defense_evasion
    - attack.t1070.004
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|endswith:
            - '.AAA'
            - '.ZZZ'
    filter_wireshark:
        TargetFilename|endswith: '\Wireshark\radius\dictionary.alcatel-lucent.aaa'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitime usage of SDelete
level: medium
```
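To show how the rule's `selection and not 1 of filter_*` logic behaves on actual events, here is an added example that evaluates the same matching in Python over a few constructed file_delete records. This is illustration code, not part of the rule or of the SigmaHQ project: the event dictionaries, the `matches_rule` and `evaluate` helpers and the sample paths are all assumptions. One point worth seeing in code is that Sigma string modifiers such as `|endswith` compare case-insensitively, which is why the filter's lowercase `.aaa` suffix still carves the Wireshark dictionary file out of an `.AAA` selection.

```python
"""
Evaluate the detection logic of the Sigma rule "File Deleted Via Sysinternals
SDelete" against constructed file_delete events.

Added example, not the rule's or the SigmaHQ project's own code. Event dicts
and helper names are constructed for illustration; real events would come from
a Windows file_delete log source with the path mapped to 'TargetFilename'.
"""

# Suffixes from the rule's 'selection' block
SELECTION_SUFFIXES = (".AAA", ".ZZZ")
# Suffix from the rule's 'filter_wireshark' block
FILTER_SUFFIXES = ("\\Wireshark\\radius\\dictionary.alcatel-lucent.aaa",)


def matches_rule(event: dict) -> bool:
    """Return True when 'selection and not 1 of filter_*' holds for one event.

    Sigma string matching is case-insensitive, so both sides are lowercased
    before the endswith comparison; '.aaa' and '.AAA' are treated alike.
    """
    target = event.get("TargetFilename", "").lower()
    selected = any(target.endswith(s.lower()) for s in SELECTION_SUFFIXES)
    filtered = any(target.endswith(f.lower()) for f in FILTER_SUFFIXES)
    return selected and not filtered


def evaluate(events) -> list:
    """Return the TargetFilename of every event the rule would alert on,
    preserving input order."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry). The .AAA / .ZZZ names
# stand in for the rename pattern the rule description refers to.
SAMPLE_EVENTS = [
    {"EventID": 23, "Image": "C:\\Tools\\sdelete64.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\AAAAAAAAAAAA.AAA"},
    {"EventID": 23, "Image": "C:\\Tools\\sdelete64.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\ZZZZZZZZZZZZ.ZZZ"},
    # Known false positive, excluded by filter_wireshark
    {"EventID": 23, "Image": "C:\\Program Files\\Wireshark\\uninstall.exe",
     "TargetFilename": "C:\\Program Files\\Wireshark\\radius\\dictionary.alcatel-lucent.aaa"},
    # Unrelated deletion, must not match
    {"EventID": 23, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\report.pdf"},
]

if __name__ == "__main__":
    for name in evaluate(SAMPLE_EVENTS):
        print("ALERT:", name)
```

Running the module prints an alert for the two SDelete-style names and nothing for the Wireshark dictionary file or the ordinary PDF deletion. When tuning the rule for your own environment, any additional legitimate `.AAA`/`.ZZZ` file should be added as a further `filter_*` block rather than by widening the selection, so the `1 of filter_*` condition keeps working unchanged.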
Related rules
- TeamViewer Log File Deleted
- Cisco File Deletion
- Secure Deletion with SDelete
- File Deletion
- Powerup Write Hijack DLL