File Deleted via Sysinternals SDelete

    Date: 03/03/2025

    Severity: Medium

    Summary

    "File Deleted via Sysinternals SDelete" refers to detecting file deletions performed by the Sysinternals SDelete utility. SDelete securely deletes a file by overwriting its contents and renaming it with a fixed naming pattern before the final deletion. The detection monitors file-deletion telemetry for that naming pattern to identify when a file was securely deleted with SDelete.

    Indicators of Compromise (IOC) List

    TargetFilename

    '.AAA'

    '.ZZZ'

    '\Wireshark\radius\dictionary.alcatel-lucent.aaa'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    (resourcename in ("Windows Security") AND eventtype = "4660" AND ((objectname like ".AAA" OR objectname like ".ZZZ") OR objectname like "\Wireshark\radius\dictionary.alcatel-lucent.aaa"))

    Detection Query 2

    (technologygroup = "EDR" AND ((objectname like ".AAA" OR objectname like ".ZZZ") OR objectname like "\Wireshark\radius\dictionary.alcatel-lucent.aaa"))

    Detection Query 3

    (resourcename in ("Sysmon") AND eventtype = "23" AND ((targetfilename like ".AAA" OR targetfilename like ".ZZZ") OR targetfilename like "\Wireshark\radius\dictionary.alcatel-lucent.aaa"))

    Detection Query 4

    (technologygroup = "EDR" AND ((targetfilename like ".AAA" OR targetfilename like ".ZZZ") OR targetfilename like "\Wireshark\radius\dictionary.alcatel-lucent.aaa"))
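As an added example (not part of Gurucul's content or the referenced Sigma rule), the same detection logic in Python run over constructed Sysmon Event ID 23 (FileDelete) records; the JSON field names and file paths are assumptions for the sample. It follows the referenced Sigma rule, which treats the Wireshark `dictionary.alcatel-lucent.aaa` path as a false-positive exclusion (`condition: selection and not filter`) rather than a third match pattern, and compares suffixes case-insensitively because that benign file ends in lower-case `.aaa`.

```python
import json
from typing import Iterable

# Suffixes SDelete leaves on a file when it renames it before the final delete;
# these are the indicators the queries above match on.
SDELETE_SUFFIXES = (".aaa", ".zzz")

# Known benign file ending in ".aaa"; the referenced Sigma rule excludes it with
# a filter clause instead of alerting on it.
BENIGN_SUFFIXES = ("\\wireshark\\radius\\dictionary.alcatel-lucent.aaa",)


def is_sdelete_deletion(target_filename: str) -> bool:
    """True when a deleted file's name matches the SDelete rename pattern.
    Windows paths are case-insensitive, so compare in lower case."""
    name = target_filename.lower()
    if any(name.endswith(benign) for benign in BENIGN_SUFFIXES):
        return False
    return name.endswith(SDELETE_SUFFIXES)


def matching_events(events: Iterable[dict]) -> list[dict]:
    """Keep only Sysmon FileDelete (Event ID 23) records with the SDelete pattern."""
    return [
        e for e in events
        if e.get("EventID") == 23 and is_sdelete_deletion(e.get("TargetFilename", ""))
    ]


def detect_from_log(text: str) -> list[dict]:
    """Parse one JSON object per line (assumed export format) and run detection."""
    events = (json.loads(line) for line in text.splitlines() if line.strip())
    return matching_events(events)


# Constructed sample records: two SDelete renames, the Wireshark false positive,
# an ordinary delete, and a non-delete event (ID 11, FileCreate) that must be ignored.
SAMPLE_LOG = r"""
{"EventID": 23, "Image": "C:\\Tools\\sdelete64.exe", "TargetFilename": "C:\\Users\\a\\Documents\\AAAAAAAA.AAA"}
{"EventID": 23, "Image": "C:\\Tools\\sdelete64.exe", "TargetFilename": "C:\\Users\\a\\Documents\\ZZZZZZZZ.ZZZ"}
{"EventID": 23, "Image": "C:\\Program Files\\Wireshark\\uninstall.exe", "TargetFilename": "C:\\Program Files\\Wireshark\\radius\\dictionary.alcatel-lucent.aaa"}
{"EventID": 23, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\a\\Documents\\report.docx"}
{"EventID": 11, "Image": "C:\\Tools\\sdelete64.exe", "TargetFilename": "C:\\Users\\a\\Documents\\AAAAAAAA.AAA"}
"""

if __name__ == "__main__":
    for hit in detect_from_log(SAMPLE_LOG):
        print("SDelete-style deletion:", hit["TargetFilename"], "by", hit["Image"])
```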

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml


    Tags

    Sigma, File Delete
