title: Sysinternals SDelete File Deletion
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
description: A General detection to trigger for the deletion of files by Sysinternals
    SDelete. It looks for the common name pattern used to rename files.
detection:
    SELECTION_1:
        EventID: 23
    SELECTION_2:
        EventID: 26
    SELECTION_3:
        TargetFilename: '*.AAA'
    SELECTION_4:
        TargetFilename: '*.ZZZ'
    condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 or SELECTION_4))
falsepositives:
- Legitime usage of SDelete
id: 6ddab845-b1b8-49c2-bbf7-1a11967f64bc
level: medium
logsource:
    category: file_delete
    product: windows
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/9
- https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html
status: experimental
tags:
- attack.defense_evasion
- attack.t1070.004
yml_filename: sysmon_sysinternals_sdelete_file_deletion.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_delete