← Library
sigmaDRL-1.1from SigmaHQ/sigma

File Deleted Via Sysinternals SDelete

Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.

Quality
92
FP risk
Forks
0
Views
0
ATT&CK techniques
T1070.004
Rule sourcerules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml
title: File Deleted Via Sysinternals SDelete
id: 6ddab845-b1b8-49c2-bbf7-1a11967f64bc
status: test
description: Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/9
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2023-02-15
tags:
    - attack.defense-evasion
    - attack.t1070.004
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|endswith:
            - '.AAA'
            - '.ZZZ'
    filter_wireshark:
        TargetFilename|endswith: '\Wireshark\radius\dictionary.alcatel-lucent.aaa'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate usage
level: medium