Sigma rules for SDelete
4 rules · scoped to tool
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Renamed Sysinternals Sdelete Execution
id: c1d867fe-8d95-4487-aab4-e53f2d339f90
status: test
description: Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md
author: Florian Roth (Nextron Systems)
date: 2022-09-06
modified: 2023-02-03
tags:
    - attack.impact
    - attack.t1485
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName: 'sdelete.exe'
    filter:
        Image|endswith:
            - '\sdelete.exe'
            - '\sdelete64.exe'
    condition: selection and not filter
falsepositives:
    - System administrator usage
level: high

title: Potential File Overwrite Via Sysinternals SDelete
id: a4824fca-976f-4964-b334-0621379e84c4
status: test
description: Detects the use of SDelete to erase a file rather than the free space
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md
author: frack113
date: 2021-06-03
modified: 2023-02-28
tags:
    - attack.impact
    - attack.t1485
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName: sdelete.exe
    filter:
        CommandLine|contains:
            - ' -h'
            - ' -c'
            - ' -z'
            - ' /\?'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

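As an added example (not code from the Sigma project or from the rule authors), the following Python evaluator applies the two process_creation rules above to constructed Windows process-creation events, using Sigma's default case-insensitive string matching and each rule's `selection and not filter` condition; the rule titles, the sample events and the field names are assumptions taken from the rules as printed.

```python
# Added example: a minimal evaluator for the two process_creation rules above.
# Not from the Sigma project; the events below are constructed for illustration.
# Sigma string matching is case-insensitive by default, so values are lowercased.

RENAMED_SDELETE = "Renamed Sysinternals Sdelete Execution"
FILE_OVERWRITE = "Potential File Overwrite Via Sysinternals SDelete"


def _lc(event, field):
    return str(event.get(field, "")).lower()


def renamed_sdelete(event):
    """selection: OriginalFileName is sdelete.exe; filter: Image ends with the real binary names."""
    selection = _lc(event, "OriginalFileName") == "sdelete.exe"
    filt = _lc(event, "Image").endswith(("\\sdelete.exe", "\\sdelete64.exe"))
    return selection and not filt


def sdelete_file_overwrite(event):
    """selection: OriginalFileName is sdelete.exe; filter: free-space or help switches present."""
    selection = _lc(event, "OriginalFileName") == "sdelete.exe"
    cmd = _lc(event, "CommandLine")
    # ' /\?' in the rule is Sigma escaping for a literal '?' (the help switch).
    filt = any(tok in cmd for tok in (" -h", " -c", " -z", " /?"))
    return selection and not filt


def evaluate(event):
    """Return the titles of the rules that fire on a single process_creation event."""
    hits = []
    if renamed_sdelete(event):
        hits.append(RENAMED_SDELETE)
    if sdelete_file_overwrite(event):
        hits.append(FILE_OVERWRITE)
    return hits


# Constructed sample events using the Sysmon-style field names the rules reference.
SAMPLE_EVENTS = [
    {"OriginalFileName": "sdelete.exe", "Image": r"C:\Temp\svchost.exe",
     "CommandLine": r"svchost.exe -p 3 C:\Users\bob\secret.docx"},  # renamed binary wiping a file
    {"OriginalFileName": "sdelete.exe", "Image": r"C:\Tools\sdelete64.exe",
     "CommandLine": "sdelete64.exe -z C:"},                          # free-space wipe, filtered
    {"OriginalFileName": "sdelete.exe", "Image": r"C:\Tools\sdelete.exe",
     "CommandLine": r"sdelete.exe -p 2 C:\logs\old.log"},            # file wipe, not renamed
    {"OriginalFileName": "notepad.exe", "Image": r"C:\Windows\notepad.exe",
     "CommandLine": "notepad.exe"},                                 # unrelated process
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["CommandLine"], "->", evaluate(ev) or "no match")
```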
title: File Deleted Via Sysinternals SDelete
id: 6ddab845-b1b8-49c2-bbf7-1a11967f64bc
status: test
description: Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/9
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2023-02-15
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|endswith:
            - '.AAA'
            - '.ZZZ'
    filter_wireshark:
        TargetFilename|endswith: '\Wireshark\radius\dictionary.alcatel-lucent.aaa'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate usage
level: medium

title: Potential Secure Deletion with SDelete
id: 39a80702-d7ca-4a83-b776-525b1f86a36d
status: test
description: Detects files that have extensions commonly seen while SDelete is used to wipe files.
references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm
    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
    - https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete
author: Thomas Patzke
date: 2017-06-14
modified: 2024-12-13
tags:
    - attack.impact
    - attack.stealth
    - attack.defense-impairment
    - attack.t1070.004
    - attack.t1027.005
    - attack.t1485
    - attack.t1553.002
    - attack.s0195
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4656
            - 4663
            - 4658
        ObjectName|endswith:
            - '.AAA'
            - '.ZZZ'
    condition: selection
falsepositives:
    - Legitimate usage of SDelete
    - Files that are interacted with that have these extensions legitimately
level: medium