title: Secure Deletion with SDelete
author: Thomas Patzke
date: 2017/06/14
description: Detects renaming of file while deletion with SDelete tool.
detection:
  SELECTION_1:
    EventID: 4656
  SELECTION_2:
    EventID: 4663
  SELECTION_3:
    EventID: 4658
  SELECTION_4:
    ObjectName:
    - '*.AAA'
    - '*.ZZZ'
  condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
falsepositives:
- Legitimate usage of SDelete
id: 39a80702-d7ca-4a83-b776-525b1f86a36d
level: medium
logsource:
  product: windows
  service: security
modified: 2020/08/02
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete
status: experimental
tags:
- attack.impact
- attack.defense_evasion
- attack.t1107
- attack.t1070.004
- attack.t1066
- attack.t1027.005
- attack.t1485
- attack.t1553.002
- attack.s0195
ruletype: SIGMA