Skip to content
Threat Feed
high advisory

Renamed Sysinternals Sdelete Utility Execution

The execution of a renamed Microsoft Sysinternals Sdelete utility is a highly suspicious technique often employed by adversaries to destroy data on Windows systems, leading to severe impact on system integrity and data availability.

The Microsoft Sysinternals Sdelete utility is a legitimate command-line tool designed to securely delete files and cleanse free space, often used by system administrators for data hygiene. However, adversaries frequently rename legitimate system utilities, including Sdelete (e.g., to clean.exe or eraser.exe), to evade detection by security products that might allow known binaries to run unchallenged. This tactic is a strong indicator of malicious activity, as legitimate administrators rarely rename such tools for operational use. The detection of a renamed sdelete.exe suggests an attacker is likely attempting to perform data destruction (Wiper, Ransomware) or obfuscate their activities on a compromised Windows endpoint. This technique leverages a living-off-the-land binary (LOLBIN) for its destructive capabilities, making it a critical behavior to detect.

Impact

Successful execution of a renamed Sdelete utility can lead to irreversible data destruction across the targeted system, including files, free space, and potentially entire volumes, depending on the parameters used. This directly impacts data availability and system integrity, potentially rendering systems inoperable and causing significant operational disruption. It is a common technique used in the final stages of destructive cyberattacks, such as wiper malware or ransomware (after data exfiltration), aiming to maximize damage or hinder forensic analysis. Organizations could face severe data loss, extended recovery times, and substantial financial costs if such an attack is successful.

Recommendation

  • Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect renamed sdelete.exe execution.
  • Enable Sysmon process-creation logging to ensure OriginalFileName and Image fields are captured for the detection rule.
  • Investigate any alerts generated by the "Detect Renamed Sysinternals Sdelete Execution" rule as they are highly indicative of malicious activity.

Detection coverage 1

Detect Renamed Sysinternals Sdelete Execution

high

Detects the execution of the Microsoft Sysinternals Sdelete utility when its executable has been renamed, a common technique for defense evasion prior to data destruction.

sigma tactics: defense_evasion, impact techniques: T1036.003, T1485 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →