Sysmon Blocked File Shredding

Aug 12, 2024 · attack.defense-evasion ·

Triggers on any Sysmon "FileBlockShredding" event, which indicates a violation of the configured shredding policy.

Sigma rule (View on GitHub)

 1title: Sysmon Blocked File Shredding
 2id: c3e5c1b1-45e9-4632-b242-27939c170239
 3status: test
 4description: Triggers on any Sysmon "FileBlockShredding" event, which indicates a violation of the configured shredding policy.
 5references:
 6    - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
 7author: frack113
 8date: 2023-07-20
 9tags:
10    - attack.defense-evasion
11logsource:
12    product: windows
13    service: sysmon
14detection:
15    selection:
16        EventID: 28  # this is fine, we want to match any FileBlockShredding event
17    condition: selection
18falsepositives:
19    - Unlikely
20level: high

References

Sysmon - Sysinternals

Monitors and reports key system activity via the Windows event log.

Read More

Related rules

AD Object WriteDAC Access
ADS Zone.Identifier Deleted By Uncommon Application
AMSI Bypass Pattern Assembly GetType
APT PRIVATELOG Image Load Pattern
APT27 - Emissary Panda Activity

Sysmon Blocked File Shredding

Sigma rule (View on GitHub)

References

Sysmon - Sysinternals

Related rules