Sysinternals SDelete securely deletes a file by overwriting its contents and then, before the final delete, renaming it repeatedly to names built from a single repeated letter (AAAAAAAA.AAA, BBBBBBBB.BBB, ..., ZZZZZZZZ.ZZZ) so that the original name cannot be recovered from file-system metadata. Adversaries use it to destroy evidence of their activity (ATT&CK T1070.004, Indicator Removal: File Deletion), an anti-forensic step that typically follows staging or exfiltration rather than being a persistence technique in itself. Because the rename pattern is distinctive, file-delete telemetry exposes SDelete use, and SOC teams should hunt for it in Azure Sentinel to catch clean-up activity while the wider intrusion can still be reconstructed.
Detection Rule
title: File Deleted Via Sysinternals SDelete
id: 6ddab845-b1b8-49c2-bbf7-1a11967f64bc
status: test
description: Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/9
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2023-02-15
tags:
    - attack.defense-evasion
    - attack.t1070.004
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|endswith:
            - '.AAA'
            - '.ZZZ'
    filter_wireshark:
        TargetFilename|endswith: '\Wireshark\radius\dictionary.alcatel-lucent.aaa'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate usage
level: medium
Sentinel KQL Query (ASIM imFileEvent)
imFileEvent
| where EventType == "FileDeleted"
| where (TargetFileName endswith ".AAA" or TargetFileName endswith ".ZZZ") and (not(TargetFileName endswith "\\Wireshark\\radius\\dictionary.alcatel-lucent.aaa"))
Note: the ASIM imFileEvent parser normalises every file operation (create, rename, modify, delete), so the EventType filter is needed to match the rule's file_delete log source; without it the query also fires on the intermediate renames and on benign creates of .AAA/.ZZZ files. KQL endswith is case-insensitive, matching the Sigma modifier; use endswith_cs only if you deliberately want a case-sensitive match.
Scenario: Scheduled System Cleanup Job Using SDelete
Description: A legitimate scheduled task runs SDelete to clean up temporary files or logs.
Filter/Exclusion: In file-delete telemetry the deleting process is sdelete.exe/sdelete64.exe itself, so excluding cleanmgr.exe or schtasks.exe will not suppress these events. Instead, exclude the specific task: the account it runs as, the known path of the SDelete binary, and the temporary directories it is allowed to touch (e.g., C:\Windows\Temp\, C:\Users\*\AppData\Local\Temp\), all three together rather than any one alone.
Scenario: Admin Task to Remove Old Logs
Description: An administrator uses SDelete to delete old log files as part of routine maintenance.
Filter/Exclusion: Exclude the specific log directories being maintained (e.g., C:\ProgramData\*\Logs\, C:\Windows\System32\LogFiles\) in combination with the approved maintenance account and SDelete binary path. Do not exclude every account with administrative privileges: those are exactly the accounts an intruder will hold when wiping logs.
Scenario: File Deletion via PowerShell Script Using SDelete
Description: A PowerShell script calls SDelete to delete files as part of an automation process.
Filter/Exclusion: Do not exclude everything launched from powershell.exe; that is also how an attacker will most likely invoke SDelete. Exclude the specific automation script instead, keyed on the script path recorded in the parent command line and constrained to a change-controlled automation directory. Note that C:\Windows\System32\WindowsPowerShell\v1.0\ is where powershell.exe lives, not a script location, and is not a useful exclusion key.
Scenario: File Deletion During System Imaging or Backup
Description: SDelete is used to delete files during a system imaging or backup process to free up space.
Filter/Exclusion: Exclude the staging directories used by the backup tool (e.g., C:\ProgramData\Backup\, C:\Users\*\AppData\Roaming\Backup\) together with the backup service account. Avoid excluding vssadmin.exe: it removes volume shadow copies rather than files, and shadow-copy deletion alongside file wiping is itself a strong ransomware and anti-recovery indicator (T1490) that this rule should not help hide.
Scenario: User-Initiated File Deletion via SDelete
Description: A user deletes a file using SDelete as part of normal file management.
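The following is an added example, not code from the rule's authors or from this page: it runs the Sigma selection/filter logic above over constructed Sysmon Event ID 23 (FileDelete) style records, then contrasts the over-broad "exclude everything under powershell.exe" tuning with an exclusion keyed on account, binary path and directory together, as recommended in the scenarios. The APPROVED_JOBS entries and the sample events are hypothetical; field names follow the Sigma rule and Sysmon.

```python
"""Added example: Sigma rule 6ddab845 (SDelete .AAA/.ZZZ) plus tuned vs. broad
exclusions, evaluated over constructed Sysmon EID 23 records. Not the page's code."""

# Sigma `selection`: TargetFilename|endswith .AAA / .ZZZ. Sigma string modifiers
# are case-insensitive, so everything is compared lower-cased.
SELECTION_SUFFIXES = (".aaa", ".zzz")
# Sigma `filter_wireshark`: the one known benign file with an .aaa extension.
FILTER_SUFFIXES = ("\\wireshark\\radius\\dictionary.alcatel-lucent.aaa",)


def sigma_match(event):
    """True when the event satisfies `selection and not 1 of filter_*`."""
    name = event.get("TargetFilename", "").lower()
    return name.endswith(SELECTION_SUFFIXES) and not name.endswith(FILTER_SUFFIXES)


# Tuning: an approved SDelete job is identified by *all* of account, binary path
# and target directory, never by one broad attribute. Hypothetical allow-list.
APPROVED_JOBS = [
    {"User": "NT AUTHORITY\\SYSTEM",
     "Image": "c:\\tools\\sdelete64.exe",
     "PathPrefix": "c:\\windows\\temp\\"},
]


def approved(event):
    """Tuned exclusion: all three keys of an allow-list entry must match."""
    user = event.get("User", "")
    image = event.get("Image", "").lower()
    name = event.get("TargetFilename", "").lower()
    return any(user == job["User"] and image == job["Image"]
               and name.startswith(job["PathPrefix"]) for job in APPROVED_JOBS)


def broad_exclusion(event):
    """The over-broad filter: drop any delete whose parent is powershell.exe.
    Included only to show what it hides."""
    return event.get("ParentImage", "").lower().endswith("\\powershell.exe")


def triage(events, exclusion):
    """TargetFilename of each event that matches the rule and survives `exclusion`."""
    return [e["TargetFilename"] for e in events if sigma_match(e) and not exclusion(e)]


# Constructed sample events (not real telemetry). SDelete renames the target
# through AAAAAAAA.AAA ... ZZZZZZZZ.ZZZ before the final delete, hence the suffixes.
EVENTS = [
    # 1: approved nightly cleanup task wiping C:\Windows\Temp as SYSTEM
    {"EventID": 23, "User": "NT AUTHORITY\\SYSTEM", "Image": r"C:\Tools\sdelete64.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\ZZZZZZZZ.ZZZ"},
    # 2: SDelete dropped in Downloads and run from PowerShell against user documents
    {"EventID": 23, "User": "CORP\\jdoe", "Image": r"C:\Users\jdoe\Downloads\sdelete64.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\jdoe\Documents\ZZZZZZZZ.ZZZ"},
    # 3: the known-benign Wireshark dictionary removed by an uninstaller (filtered)
    {"EventID": 23, "User": "CORP\\jdoe", "Image": r"C:\Program Files\Wireshark\uninstall.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Program Files\Wireshark\radius\dictionary.alcatel-lucent.aaa"},
    # 4: unrelated delete, wrong extension (no match)
    {"EventID": 23, "User": "CORP\\jdoe", "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "TargetFilename": r"C:\Users\jdoe\Desktop\notes.txt"},
    # 5: lower-case rename name, showing the case-insensitive match
    {"EventID": 23, "User": "CORP\\svc_backup", "Image": r"C:\Tools\sdelete64.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"D:\Backups\old\aaaaaaaa.aaa"},
]

if __name__ == "__main__":
    print("raw rule:       ", triage(EVENTS, lambda e: False))
    print("broad exclusion:", triage(EVENTS, broad_exclusion))
    print("tuned exclusion:", triage(EVENTS, approved))
```

Run stand-alone, the raw rule returns events 1, 2 and 5. The broad powershell.exe exclusion silently drops event 2, the one that looks most like an intruder, while leaving the benign SYSTEM cleanup in the queue; the tuned allow-list drops only event 1 and keeps both the PowerShell-launched wipe and the backup account's activity for an analyst to review.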