Potential File Overwrite Via Sysinternals SDelete
Detects the use of SDelete to erase a file not the free space
Sigma rule (View on GitHub)
1title: Potential File Overwrite Via Sysinternals SDelete
2id: a4824fca-976f-4964-b334-0621379e84c4
3status: test
4description: Detects the use of SDelete to erase a file not the free space
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md
7author: frack113
8date: 2021/06/03
9modified: 2023/02/28
10tags:
11 - attack.impact
12 - attack.t1485
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 OriginalFileName: sdelete.exe
19 filter:
20 CommandLine|contains:
21 - ' -h'
22 - ' -c'
23 - ' -z'
24 - ' /\?'
25 condition: selection and not filter
26fields:
27 - ComputerName
28 - User
29 - CommandLine
30 - ParentCommandLine
31falsepositives:
32 - Unknown
33level: high
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Deleted Data Overwritten Via Cipher.EXE
- Renamed Sysinternals Sdelete Execution
- DD File Overwrite
- AWS EFS Fileshare Mount Modified or Deleted
- AWS EKS Cluster Created or Deleted