Skip to content
Threat Feed
low advisory

Potential Secure File Deletion via SDelete Utility

This rule detects file name patterns generated by the use of Sysinternals SDelete utility, which attackers may abuse to delete forensic indicators and hinder recovery efforts after ransomware or data theft.

The Sysinternals SDelete utility is a legitimate tool used for securely deleting files by overwriting and renaming them multiple times, making recovery difficult. Adversaries may abuse SDelete as part of their post-exploitation activities to remove forensic artifacts, destroy data, or hinder incident response efforts following a ransomware attack or data exfiltration. This rule focuses on detecting specific file name patterns created by SDelete during its secure deletion process, specifically files renamed with the "*AAA.AAA" pattern. The rule aims to identify potential misuse of SDelete for malicious purposes, enhancing the detection of anti-forensic techniques employed by attackers on Windows systems.

Attack Chain

  1. Initial access is achieved through an existing compromise or via other means.
  2. The attacker gains execution on the target system with sufficient privileges to delete files.
  3. SDelete utility is executed on the target system. The attacker renames the targeted files.
  4. SDelete overwrites the targeted file with random data multiple times.
  5. SDelete renames the file multiple times, often using patterns like "*AAA.AAA".
  6. The original file is unlinked from the file system, effectively deleting it.
  7. Forensic artifacts related to the deleted files are removed or significantly reduced, hindering investigation.
  8. The attacker achieves their objective of covering their tracks and impeding data recovery efforts.

Impact

Successful exploitation allows attackers to remove forensic evidence and hinder incident response efforts. While the rule itself has low severity due to the legitimate uses of SDelete, the activity could indicate malicious intent if coupled with other suspicious behaviors. The impact can range from making incident investigation more difficult to permanently destroying sensitive data, depending on the attacker's overall objectives and the data targeted for deletion.

Recommendation

  • Deploy the Sigma rule "Potential Secure File Deletion via SDelete Utility" to your SIEM to detect SDelete file renaming patterns (rule.query).
  • Investigate any alerts generated by the Sigma rule by examining the process execution chain and command-line arguments to determine the context of the file deletion (rule.query).
  • Correlate alerts with other suspicious activity on the host, such as ransomware execution or data exfiltration, to identify potential malicious use of SDelete (rule.query).
  • Enable file event logging in your environment to ensure the necessary data is available for detecting SDelete activity (logsource.category).
  • Implement restrictions on the usage of SDelete or similar tools in sensitive environments to reduce the risk of malicious use.

Detection coverage 2

Potential Secure File Deletion via SDelete Utility

low

Detects file name patterns generated by the use of Sysinternals SDelete utility, indicating potential secure file deletion activity.

sigma tactics: defense_evasion, impact techniques: T1070.004 sources: file_event, windows

Potential SDelete Execution

low

Detects execution of SDelete.exe, which could indicate attempts to securely delete files and hinder forensic analysis.

sigma tactics: defense_evasion, impact techniques: T1070.004 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →