Sysmon Blocked File Shredding

Jul 20, 2023 · attack.defense_evasion ·

Triggers on any Sysmon "FileBlockShredding" event, which indicates a violation of the configured shredding policy.

Sigma rule (View on GitHub)

 1title: Sysmon Blocked File Shredding
 2id: c3e5c1b1-45e9-4632-b242-27939c170239
 3status: experimental
 4description: Triggers on any Sysmon "FileBlockShredding" event, which indicates a violation of the configured shredding policy.
 5references:
 6    - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
 7author: frack113
 8date: 2023/07/20
 9tags:
10    - attack.defense_evasion
11logsource:
12    product: windows
13    service: sysmon
14detection:
15    selection:
16        EventID: 28  # this is fine, we want to match any FileBlockShredding event
17    condition: selection
18falsepositives:
19    - Unlikely
20level: high

References

Sysmon - Sysinternals

Monitors and reports key system activity via the Windows event log.

Read More

Related rules

Firewall Rule Update Via Netsh.EXE
Potential CCleanerReactivator.DLL Sideloading
PowerShell Script Change Permission Via Set-Acl - PsScript
PowerShell Set-Acl On Windows Folder - PsScript
Windows Defender Definition Files Removed

Sysmon Blocked File Shredding

Sigma rule (View on GitHub)

References

Sysmon - Sysinternals

Related rules