Detectionmediumtest

Potential Secure Deletion with SDelete

Detects files that have extensions commonly seen while SDelete is used to wipe files.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Thomas PatzkeCreated Wed Jun 14Updated Fri Dec 1339a80702-d7ca-4a83-b776-525b1f86a36dwindows

Log Source

Windowssecurity

ProductWindows← raw: windows

Servicesecurity← raw: security

Detection Logic

detection:
    selection:
        EventID:
            - 4656
            - 4663
            - 4658
        ObjectName|endswith:
            - '.AAA'
            - '.ZZZ'
    condition: selection

False Positives

Legitimate usage of SDelete

Files that are interacted with that have these extensions legitimately

References

MITRE ATT&CK

Tactics

TA0040 · Impact TA0005 · Defense Evasion

Techniques

T1485 · Data Destruction

Sub-techniques

T1070.004 · File Deletion T1027.005 · Indicator Removal from Tools T1553.002 · Code Signing

Software

S0195 · S0195

Rule Metadata

Rule ID

39a80702-d7ca-4a83-b776-525b1f86a36d

Status

test

Level

medium

Type

Detection

Created

Wed Jun 14

Modified

Fri Dec 13

Author

Thomas Patzke

Path

rules/windows/builtin/security/win_security_sdelete_potential_secure_deletion.yml

Raw Tags

attack.impactattack.defense-evasionattack.t1070.004attack.t1027.005attack.t1485attack.t1553.002attack.s0195

View on GitHub