Adversaries may use SDelete to securely delete files and evade standard detection methods by wiping data before exfiltration or deletion. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data sanitization or exfiltration activity that could indicate an advanced persistent threat.
Detection Rule
title: Potential Secure Deletion with SDelete
id: 39a80702-d7ca-4a83-b776-525b1f86a36d
status: test
description: Detects files that have extensions commonly seen while SDelete is used to wipe files.
references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm
    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
    - https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete
author: Thomas Patzke
date: 2017-06-14
modified: 2024-12-13
tags:
    - attack.impact
    - attack.defense-evasion
    - attack.t1070.004
    - attack.t1027.005
    - attack.t1485
    - attack.t1553.002
    - attack.s0195
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4656
            - 4663
            - 4658
        ObjectName|endswith:
            - '.AAA'
            - '.ZZZ'
    condition: selection
falsepositives:
    - Legitimate usage of SDelete
    - Files that are interacted with that have these extensions legitimately
level: medium
Azure Sentinel Query (KQL)
SecurityEvent
| where EventID in (4656, 4663, 4658)
| where ObjectName endswith ".AAA" or ObjectName endswith ".ZZZ"
False Positive Scenarios
Scenario: Scheduled Job for Secure Data Erasure
Description: A system administrator runs a scheduled job that uses SDelete to securely delete temporary files or logs from a server.
Filter/Exclusion: Exclude files with the .sdelete or .del extension that belong to a known secure-deletion job, or filter on the process name sdelete.exe.
Scenario: Admin Task to Wipe Unused Disk Space
Description: An IT admin uses SDelete to wipe unused disk space on a server to free up storage and ensure the data is irrecoverable.
Filter/Exclusion: Exclude files that are part of a disk-wipe task by checking the command-line arguments of sdelete.exe, or use a custom field such as process.parent_process to identify administrative tasks.
Scenario: Secure Deletion of Sensitive Logs
Description: A security team uses SDelete to securely delete sensitive log files after an investigation to prevent data leakage.
Filter/Exclusion: Exclude files that belong to a known log-cleanup process by checking the file path, or use a custom tag such as log_cleanup.
Scenario: Testing SDelete in a Sandbox Environment
Description: A red team or security analyst tests the SDelete tool in a sandboxed environment to verify its secure-deletion capabilities.
Filter/Exclusion: Exclude files from sandboxed environments by checking the process.machine_id or process.container_id field.
Scenario: Secure Deletion of Temporary Files by a Service
Description: A service running under a system account uses SDelete to securely delete temporary files that are no longer needed.
Filter/Exclusion: Exclude files deleted by system services by checking the process.parent_process or process.user field to identify system-level processes.
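The following is an added example, not code from the rule author or the Sigma project: it applies the rule's selection and the path-based tuning from the scenarios above to constructed SecurityEvent-style records, and adds a correlation step that looks for both ends of SDelete's rename sequence in one directory. The field names, the sample records and the 30-second window are assumptions.

```python
# Added example, not code from the rule author or the Sigma project. Field names
# mirror SecurityEvent columns; the sample records and the 30 s window are assumptions.
from datetime import datetime, timedelta

SELECTION_EVENT_IDS = {4656, 4663, 4658}
SELECTION_SUFFIXES = (".aaa", ".zzz")  # Sigma 'endswith' matching is case-insensitive

def matches_rule(event, exclude_prefixes=()):
    """Rule selection: EventID in the set and ObjectName ending in .AAA or .ZZZ.
    exclude_prefixes implements the 'known cleanup path' tuning from the scenarios."""
    name = event["ObjectName"].lower()
    if any(name.startswith(p.lower()) for p in exclude_prefixes):
        return False
    return event["EventID"] in SELECTION_EVENT_IDS and name.endswith(SELECTION_SUFFIXES)

def correlated_dirs(events, window=timedelta(seconds=30)):
    """SDelete renames a file 26 times in place (AAAAAAAA.AAA ... ZZZZZZZZ.ZZZ, per the
    Sysinternals page referenced above), so a directory showing both a .AAA and a .ZZZ
    object within a short window is a stronger signal than one extension match alone.
    Returns the lower-cased directories that meet that condition."""
    by_dir = {}
    for e in filter(matches_rule, events):
        by_dir.setdefault(e["ObjectName"].lower().rsplit("\\", 1)[0], []).append(e)
    hits = []
    for d, evs in by_dir.items():
        aaa = [e["TimeGenerated"] for e in evs if e["ObjectName"].lower().endswith(".aaa")]
        zzz = [e["TimeGenerated"] for e in evs if e["ObjectName"].lower().endswith(".zzz")]
        if any(abs(z - a) <= window for a in aaa for z in zzz):
            hits.append(d)
    return hits

# Constructed sample records (not real telemetry).
T0 = datetime(2024, 12, 13, 9, 0, 0)
SAMPLE_EVENTS = [
    {"EventID": 4663, "TimeGenerated": T0, "ProcessName": r"C:\Tools\sdelete.exe",
     "ObjectName": r"C:\Users\alice\Documents\AAAAAAAA.AAA"},
    {"EventID": 4656, "TimeGenerated": T0 + timedelta(seconds=4), "ProcessName": r"C:\Tools\sdelete.exe",
     "ObjectName": r"C:\Users\alice\Documents\ZZZZZZZZ.ZZZ"},
    {"EventID": 4663, "TimeGenerated": T0 + timedelta(minutes=10), "ProcessName": r"D:\archive\arc.exe",
     "ObjectName": r"D:\archive\report.aaa"},  # lone match: the kind of false positive listed above
    {"EventID": 4663, "TimeGenerated": T0, "ProcessName": r"C:\Windows\explorer.exe",
     "ObjectName": r"C:\Users\alice\Documents\notes.txt"},  # extension not in the rule
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["EventID"], e["ObjectName"], "MATCH" if matches_rule(e) else "-")
    print("correlated:", correlated_dirs(SAMPLE_EVENTS))
```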