Sysmon Blocked File Shredding
Triggers on any Sysmon "FileBlockShredding" event, which indicates a violation of the configured shredding policy.
Sigma rule

```yaml
title: Sysmon Blocked File Shredding
id: c3e5c1b1-45e9-4632-b242-27939c170239
status: experimental
description: Triggers on any Sysmon "FileBlockShredding" event, which indicates a violation of the configured shredding policy.
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
author: frack113
date: 2023/07/20
tags:
    - attack.defense_evasion
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 28 # this is fine, we want to match any FileBlockShredding event
    condition: selection
falsepositives:
    - Unlikely
level: high
```
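The script below is an added example, not code from the Sigma project or from this page. It shows how the rule's selection is applied in practice: Windows event records rendered as XML are flattened into a field map (as a SIEM backend does before evaluating a Sigma rule), the logsource is enforced by checking the Sysmon channel, and the selection `EventID: 28` is then tested with Sigma's map semantics (all keys AND, list values OR). The three event records, the host name, the user and the file paths are constructed sample data; the `Image`, `TargetFilename` and `User` fields are assumed to be present on a FileBlockShredding event the way they are on other Sysmon file events.

```python
"""Apply the 'Sysmon Blocked File Shredding' selection to Windows event XML records."""
import xml.etree.ElementTree as ET

# Namespace used by every Windows event log record rendered as XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Channel Sysmon writes to; Sigma's "product: windows / service: sysmon" maps to it.
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"
# Detection section transcribed from the rule above (condition: selection).
SELECTION = {"EventID": 28}


def parse_event(xml_text: str) -> dict:
    """Flatten a Windows event XML record into {field: value}.

    Returns the System-level EventID, Channel and Computer plus every
    EventData/Data element keyed by its Name attribute.
    """
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {
        "EventID": int(system.findtext("e:EventID", default="0", namespaces=NS)),
        "Channel": system.findtext("e:Channel", default="", namespaces=NS),
        "Computer": system.findtext("e:Computer", default="", namespaces=NS),
    }
    for data in root.iterfind("e:EventData/e:Data", NS):
        fields[data.get("Name", "")] = data.text or ""
    return fields


def matches_selection(event: dict, selection: dict = SELECTION) -> bool:
    """Sigma map semantics: every key must match (AND); a list value is an OR."""
    for field, expected in selection.items():
        alternatives = expected if isinstance(expected, list) else [expected]
        if event.get(field) not in alternatives:
            return False
    return True


def rule_matches(event: dict) -> bool:
    """Logsource filter first (Sysmon channel), then the selection."""
    return event.get("Channel") == SYSMON_CHANNEL and matches_selection(event)


def alerts(xml_records) -> list:
    """Return the parsed events that fire the rule."""
    return [ev for ev in (parse_event(x) for x in xml_records) if rule_matches(ev)]


def _record(channel: str, event_id: int, data: dict, provider: str = "Microsoft-Windows-Sysmon") -> str:
    """Build a minimal Windows event XML record (constructed test data, not a real capture)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        f'<Event xmlns="{NS["e"]}"><System>'
        f'<Provider Name="{provider}"/><EventID>{event_id}</EventID>'
        f"<Channel>{channel}</Channel><Computer>ws01.example.local</Computer>"
        f"</System><EventData>{body}</EventData></Event>"
    )


# Constructed sample records: one FileBlockShredding event, one ordinary Sysmon
# FileCreate (EventID 11), and one non-Sysmon event that happens to use id 28.
SAMPLE_RECORDS = [
    _record(SYSMON_CHANNEL, 28, {
        "UtcTime": "2023-07-20 10:15:02.117",
        "Image": r"C:\Tools\shred.exe",
        "TargetFilename": r"C:\Users\alice\Documents\ledger.xlsx",
        "User": r"CORP\alice",
    }),
    _record(SYSMON_CHANNEL, 11, {
        "Image": r"C:\Windows\explorer.exe",
        "TargetFilename": r"C:\Users\alice\new.txt",
    }),
    _record("Application", 28, {"Message": "unrelated application event"}, provider="ExampleApp"),
]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_RECORDS):
        print(f"ALERT {hit['Computer']}: {hit.get('Image')} -> {hit.get('TargetFilename')} ({hit.get('User')})")
```

Only the first record fires: the FileCreate event fails the selection, and the application event with id 28 is excluded by the channel check, which is why the rule's logsource matters as much as its selection when it is translated for a backend.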
Related rules
- Firewall Rule Update Via Netsh.EXE
- Potential CCleanerReactivator.DLL Sideloading
- PowerShell Script Change Permission Via Set-Acl - PsScript
- PowerShell Set-Acl On Windows Folder - PsScript
- Windows Defender Definition Files Removed