| Repository | File | Matched line | License |
|---|---|---|---|
| sigma | win_susp_sdelete.yml | title: Secure Deletion with SDelete | DRL 1.0 |
| sigma | win_susp_sdelete.yml | description: Detects renaming of a file during deletion with the SDelete tool. | DRL 1.0 |
| sigma | win_susp_sdelete.yml | - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm | DRL 1.0 |
| sigma | win_susp_sdelete.yml | - https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete | DRL 1.0 |
| sigma | win_susp_sdelete.yml | - Legitimate usage of SDelete | DRL 1.0 |
| sigma | file_delete_win_sysinternals_sdelete_file_deletion.yml | title: Sysinternals SDelete File Deletion | DRL 1.0 |
| sigma | file_delete_win_sysinternals_sdelete_file_deletion.yml | description: A general detection to trigger for the deletion of files by Sysinternals SDelete. It looks for the common name pattern used to rename files. | DRL 1.0 |
| sigma | file_delete_win_sysinternals_sdelete_file_deletion.yml | - Legitimate usage of SDelete | DRL 1.0 |
| sigma | proc_creation_win_false_sysinternalsuite.yml | - '\sdelete.exe' | DRL 1.0 |
| sigma | proc_creation_win_sdelete.yml | title: Sysinternals SDelete Delete File | DRL 1.0 |
| sigma | proc_creation_win_sdelete.yml | description: Use of SDelete to erase a file, not the free space | DRL 1.0 |
| sigma | proc_creation_win_sdelete.yml | OriginalFileName: sdelete.exe | DRL 1.0 |
| sigma | registry_event_sysinternals_sdelete_registry_keys.yml | title: Sysinternals SDelete Registry Keys | DRL 1.0 |
| sigma | registry_event_sysinternals_sdelete_registry_keys.yml | description: A general detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete registry keys. Indicators of the use of the Sysinternals SDelete tool. | DRL 1.0 |
| sigma | registry_event_sysinternals_sdelete_registry_keys.yml | TargetObject\|contains: '\Software\Sysinternals\SDelete' | DRL 1.0 |
| malware-ioc | misp-dukes-operation-ghost-event.json | "description": "Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process. There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native [cmd](https://attack.mitre.org/software/S0106) functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack Tools)", | © ESET 2014-2018 |
| malware-ioc | misp_invisimole.json | "description": "Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process. There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native [cmd](https://attack.mitre.org/software/S0106) functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack Tools)", | © ESET 2014-2018 |
| malware-ioc | oceanlotus-macOS.misp.event.json | "description": "Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process. There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native [cmd](https://attack.mitre.org/software/S0106) functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack Tools)", | © ESET 2014-2018 |
| atomic-red-team | index.md | - Atomic Test #1: Windows - Overwrite file with Sysinternals SDelete [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #1: Windows - Overwrite file with Sysinternals SDelete [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1070.004.md | There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native cmd functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack Tools) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1485.md | - Atomic Test #1 - Windows - Overwrite file with Sysinternals SDelete | MIT License. © 2018 Red Canary |
| atomic-red-team | T1485.md | ## Atomic Test #1 - Windows - Overwrite file with Sysinternals SDelete | MIT License. © 2018 Red Canary |
| atomic-red-team | T1485.md | Overwrites and deletes a file using Sysinternals SDelete. Upon successful execution, "Files deleted: 1" will be displayed in | MIT License. © 2018 Red Canary |
| atomic-red-team | T1485.md | \| sdelete_exe \| Path of sdelete executable \| Path \| $env:TEMP\Sdelete\sdelete.exe \| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1485.md | Invoke-WebRequest "https://download.sysinternals.com/files/SDelete.zip" -OutFile "$env:TEMP\SDelete.zip" | MIT License. © 2018 Red Canary |
| atomic-red-team | T1485.md | Expand-Archive $env:TEMP\SDelete.zip $env:TEMP\Sdelete -Force | MIT License. © 2018 Red Canary |
| atomic-red-team | T1485.md | Remove-Item $env:TEMP\SDelete.zip -Force | MIT License. © 2018 Red Canary |
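The Sigma entries above are listed only by title and a single field each, so the three detection ideas behind them (the repeated-letter rename pattern SDelete leaves before deleting a file, an SDelete process creation that targets a file rather than free space, and the `\Software\Sysinternals\SDelete` registry key) never appear together as working logic. The following Python is an added example, not code from the Sigma project, ESET's malware-ioc repository or Atomic Red Team: it encodes those checks as plain functions and runs them over constructed Sysmon-style events. The exact rename regex, the set of switches used to separate a file erase from a free-space wipe, the rule names and every sample event are this example's own assumptions; the rename sequence AAAAAAAA.AAA through ZZZZZZZZ.ZZZ is the behaviour documented in the JPCERT analysis sheet the first rule cites.

```python
"""Sigma-style SDelete detections run over constructed Sysmon-like events.

Added example, not the Sigma project's code. Each check mirrors one rule
listed on this page:
  * file deletion  -> repeated-letter rename pattern SDelete leaves behind
  * process create -> OriginalFileName sdelete.exe, file erase vs free-space wipe
  * registry       -> TargetObject containing Software\\Sysinternals\\SDelete
"""
import re
from typing import Dict, Iterable, List, Tuple

Event = Dict[str, str]

# SDelete renames the target 26 times, AAAAAAAA.AAA ... ZZZZZZZZ.ZZZ, before
# deleting it (JPCERT tool analysis sheet). The exact regex is an assumption:
# one uppercase letter repeated 8 times, a dot, the same letter 3 times.
SDELETE_RENAME = re.compile(r"(?:^|\\)([A-Z])\1{7}\.\1{3}$")

# Switches that wipe free space (-c, -z) or print usage. The "delete file"
# rule is SDelete run *without* any of these; the set is this example's choice.
FREE_SPACE_OR_HELP = {"-c", "-z", "/?", "-?"}


def is_sdelete_rename(target_filename: str) -> bool:
    """True when the deleted file name is one of SDelete's rename stages."""
    return SDELETE_RENAME.search(target_filename) is not None


def _looks_like_sdelete(event: Event) -> bool:
    # OriginalFileName comes from the PE version resource and survives renaming
    # the binary on disk, which is why the rule keys on it as well as Image.
    orig = event.get("OriginalFileName", "").lower()
    image = event.get("Image", "").lower()
    return orig == "sdelete.exe" or image.endswith("\\sdelete.exe")


def is_sdelete_file_erase(event: Event) -> bool:
    """SDelete launched against a file or directory, not a free-space wipe."""
    if not _looks_like_sdelete(event):
        return False
    args = event.get("CommandLine", "").lower().split()[1:]  # drop argv[0]
    return not any(a in FREE_SPACE_OR_HELP for a in args)


def is_renamed_sdelete(event: Event) -> bool:
    """Version resource says sdelete.exe but the on-disk name does not."""
    orig = event.get("OriginalFileName", "").lower()
    image = event.get("Image", "").lower()
    return orig == "sdelete.exe" and not image.endswith("\\sdelete.exe")


def is_sdelete_registry(target_object: str) -> bool:
    """Creation or modification anywhere under Software\\Sysinternals\\SDelete."""
    return "\\software\\sysinternals\\sdelete" in target_object.lower()


def run_detections(events: Iterable[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every event that matches a rule.

    Sysmon IDs used: 1 process create, 12/13 registry, 23/26 file delete.
    """
    hits: List[Tuple[int, str]] = []
    for idx, ev in enumerate(events):
        eid = ev.get("EventID", "")
        if eid in ("23", "26") and is_sdelete_rename(ev.get("TargetFilename", "")):
            hits.append((idx, "sysinternals_sdelete_file_deletion"))
        if eid == "1":
            if is_sdelete_file_erase(ev):
                hits.append((idx, "sysinternals_sdelete_delete_file"))
            if is_renamed_sdelete(ev):
                hits.append((idx, "false_sysinternalsuite"))
        if eid in ("12", "13") and is_sdelete_registry(ev.get("TargetObject", "")):
            hits.append((idx, "sysinternals_sdelete_registry_keys"))
    return hits


# Constructed sample events (not real telemetry); paths and SIDs are made up.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": "1", "Image": r"C:\Users\alice\AppData\Local\Temp\Sdelete\sdelete.exe",
     "OriginalFileName": "sdelete.exe",
     "CommandLine": r"sdelete.exe -p 3 C:\Users\alice\Documents\report.docx"},
    {"EventID": "13",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Sysinternals\SDelete\EulaAccepted"},
    {"EventID": "26", "TargetFilename": r"C:\Users\alice\Documents\ZZZZZZZZ.ZZZ"},
    # legitimate admin free-space wipe: must not match the delete-file rule
    {"EventID": "1", "Image": r"C:\Tools\sdelete.exe", "OriginalFileName": "sdelete.exe",
     "CommandLine": "sdelete.exe -z C:"},
    # binary renamed to dodge image-name matching; -q -s = quiet, recursive
    {"EventID": "1", "Image": r"C:\Windows\Temp\svchost32.exe",
     "OriginalFileName": "sdelete.exe",
     "CommandLine": r"svchost32.exe -q -s C:\ProgramData\stage"},
    # ordinary delete whose name only resembles the pattern (too short)
    {"EventID": "23", "TargetFilename": r"C:\Users\alice\Downloads\AAAA.AAA"},
]

if __name__ == "__main__":
    for idx, rule in run_detections(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Two caveats when deploying logic like this: the rename check only sees anything if FileDelete logging (Sysmon 23/26) or object-access auditing is switched on for the paths in question, and the registry indicator fires at most once per user profile, when the EULA value is written, so its absence says nothing about later runs. The renamed-binary check is the reason to match on OriginalFileName rather than the image path alone.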