detection.wiki

Detection rules › Sigma

Potential Secure Deletion with SDelete

Severity
medium
Author
Thomas Patzke
Source
upstream

Detects files that have extensions commonly seen while SDelete is used to wipe files.

MITRE ATT&CK coverage

TacticTechniques
Defense EvasionT1027.005 Obfuscated Files or Information: Indicator Removal from Tools, T1070.004 Indicator Removal: File Deletion, T1553.002 Subvert Trust Controls: Code Signing
ImpactT1485 Data Destruction

Event coverage

ProviderEvent IDTitle
Security-Auditing4656A handle to an object was requested.
Security-Auditing4658The handle to an object was closed.
Security-Auditing4663An attempt was made to access an object.

Stages and Predicates

Stage 1: selection

or:
ObjectName|endswith: .AAA
ObjectName|endswith: .ZZZ

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
ObjectNameends_with
  • .AAA
  • .ZZZ

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.