Potential Secure File Deletion via SDelete Utility
This rule detects the file name patterns that the Sysinternals SDelete utility produces, which attackers may use to delete forensic indicators and hinder data recovery.
The Sysinternals SDelete utility is a legitimate Microsoft tool for securely deleting files. It overwrites the file's contents (a single pass by default, more with the -p switch), then renames the file 26 times, each time replacing every character of the name with the same letter from A through Z, and finally deletes it, so that neither the contents nor the original name remain on disk. While intended for secure data disposal, adversaries can abuse SDelete to remove forensic artifacts, destroy evidence of their activity, and impede data recovery after a ransomware attack or data theft; in practice it is a post-exploitation, anti-forensics technique. This detection rule focuses on the file name pattern SDelete's renaming produces, specifically names resembling "*AAA.AAA". Note that this literal pattern corresponds to the first rename of a file with a three-character extension; originals with other extension lengths are renamed to names such as AAAAAA.AAAA or AAAAAAA.AAA.AA, which a strict "*AAA.AAA" match misses, so widen the pattern if your environment needs it. The rule is designed to work with various endpoint detection and response solutions, including Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, and CrowdStrike.
Attack Chain
- The attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).
- The attacker escalates privileges where needed to obtain write and delete permissions on the targeted files (files owned by the compromised account need no escalation).
- The attacker deploys or utilizes an existing copy of the SDelete utility.
- The attacker executes SDelete against targeted files or directories.
- SDelete overwrites the contents of the targeted file(s) (one pass by default, more with the -p switch).
- SDelete renames the file(s) 26 times, replacing every character of the name with the same letter from A through Z, producing names such as "AAA.AAA", then "BBB.BBB", and so on.
- SDelete deletes the renamed file(s), leaving neither the contents nor the original name on disk and making recovery difficult.
- The attacker removes SDelete or any associated tools to further cover their tracks.
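As an added example (not the platform's own detection query and not Microsoft's code), the following Python runs the detection logic described above over a handful of constructed file-rename events. The event shape (host, process, path) is a simplified assumption rather than any vendor's schema, and the host names and paths are made up. It widens the page's "*AAA.AAA" check to any letter of SDelete's A through Z sequence and to any extension layout, and escalates a run of consecutive letters produced by one process in one directory from low to medium severity.

```python
import ntpath
import re
import string
from collections import defaultdict

# Each SDelete rename replaces every character of the file name (dots are kept)
# with the same letter, stepping A..Z: foo.txt -> AAA.AAA -> BBB.BBB -> ... -> ZZZ.ZZZ
SDELETE_NAME = re.compile(r"^([A-Z])(?:\1|\.)*$")


def sdelete_letter(name):
    """Return the repeated letter if `name` looks like an SDelete rename step, else None."""
    m = SDELETE_NAME.match(name)
    return m.group(1) if m else None


def name_shape(name):
    """Blank the letters so every rename of one file shares a key: 'BBB.BBB' -> '###.###'."""
    return re.sub(r"[A-Z]", "#", name)


def detect_sdelete(events, min_steps=3):
    """Scan file-rename events and return one alert per (host, process, directory, shape).

    events: dicts with keys "host", "process" and "path" (the file's name after the rename;
    this field layout is an assumption for the example, not a vendor schema).
    A single matching name is a low-severity hit, the page's "*AAA.AAA" check widened to
    any letter; `min_steps` or more consecutive letters starting at A, renamed by the same
    process in the same directory, is reported as medium.
    """
    runs = defaultdict(set)
    for ev in events:
        name = ntpath.basename(ev["path"])
        letter = sdelete_letter(name)
        if letter is None:
            continue
        key = (ev["host"], ev["process"], ntpath.dirname(ev["path"]), name_shape(name))
        runs[key].add(letter)

    alerts = []
    for (host, proc, directory, shape), letters in runs.items():
        seen = "".join(sorted(letters))
        # True when the letters are exactly A, B, C, ... with no gaps
        consecutive = seen == string.ascii_uppercase[: len(seen)]
        severity = "medium" if consecutive and len(seen) >= min_steps else "low"
        alerts.append({"host": host, "process": proc, "dir": directory,
                       "shape": shape, "letters": seen, "severity": severity})
    return alerts


# Constructed sample telemetry (hypothetical hosts and paths, not real log data).
SAMPLE_EVENTS = [
    {"host": "ws01", "process": "sdelete64.exe", "path": r"C:\Users\bob\Desktop\AAAAAAA.AAA"},
    {"host": "ws01", "process": "sdelete64.exe", "path": r"C:\Users\bob\Desktop\BBBBBBB.BBB"},
    {"host": "ws01", "process": "sdelete64.exe", "path": r"C:\Users\bob\Desktop\CCCCCCC.CCC"},
    {"host": "ws01", "process": "explorer.exe", "path": r"C:\Users\bob\Desktop\report.docx"},
    {"host": "ws02", "process": "notepad.exe", "path": r"C:\temp\AAA.AAA"},
]

if __name__ == "__main__":
    for alert in detect_sdelete(SAMPLE_EVENTS):
        print(alert)
```

The grouping by process matters when tuning: the same rename sequence issued by an approved data-disposal job is benign, while a renamed or unsigned binary walking the A through Z sequence through a log directory is the case the rule exists for. Because the page's rule matches only the first rename step, a file that is first seen at "BBB.BBB" (for example when the "AAA.AAA" event was dropped) would be missed by the literal check but still caught here.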
Impact
Successful use of this technique can result in the permanent deletion of crucial forensic artifacts, log files, or even critical data. This can severely hinder incident response, making it difficult to establish the scope of the attack, the attacker's methods, and the compromised assets. The number of victims and affected sectors depends on the scale of the initial breach and the attacker's objectives.
Recommendation
- Deploy the "Potential Secure File Deletion via SDelete Utility" detection rule to your SIEM and tune it for your environment, for example by excluding approved data-disposal or decommissioning jobs that legitimately run SDelete.
- Investigate any alerts generated by the detection rule, focusing on the process execution chain (which process performed the renames and what launched it) and identifying the user account involved.
- Review the privileges assigned to the user account to ensure the least privilege principle is followed.
- Enable Sysmon Event ID 11 (File Create) logging to enhance visibility into file creation events. Sysmon has no dedicated file-rename event, so the rename-based rule relies on EDR file telemetry; complement it with process creation logging (Sysmon Event ID 1, or Windows Security Event ID 4688 with command-line auditing) to capture sdelete.exe / sdelete64.exe invocations and their arguments, and with Sysmon Event ID 23 or 26 (FileDelete) to record the deletions themselves.
Detection coverage (2 rules)
Suspicious File Rename Pattern (SDelete)
Severity: low. Detects file rename patterns indicative of SDelete utility usage.
SDelete Process Execution
Severity: medium. Detects execution of the SDelete utility by monitoring process creation events.