Merge PR #5125 from @randomaccess3 - Update Potential Secure Deletion with SDelete

update: Potential Secure Deletion with SDelete - Enhance metadata

---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
Author: Phill Moore
Date: 2024-12-15 06:55:43 +11:00
Committed by: GitHub
Parent: 9b67acfcf6
Commit: a290d22143
@@ -1,14 +1,14 @@
title: Secure Deletion with SDelete
title: Potential Secure Deletion with SDelete
id: 39a80702-d7ca-4a83-b776-525b1f86a36d
status: test
description: Detects renaming of file while deletion with SDelete tool.
description: Detects files that have extensions commonly seen while SDelete is used to wipe files.
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete
author: Thomas Patzke
date: 2017-06-14
modified: 2021-11-27
modified: 2024-12-13
tags:
- attack.impact
- attack.defense-evasion
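Review bot: the rewritten description, `description: Detects files that have extensions commonly seen while SDelete is used to wipe files.`, drops the one detail that explains why those extensions show up at all: the rename step that the old wording (`Detects renaming of file while deletion with SDelete tool.`) named, and which the linked JPCERT tool-analysis sheet is cited for. Without it a reader of the rule has no idea why a handful of odd extensions indicate wiping rather than ordinary file activity. Suggest folding both into one sentence, for example `description: Detects file extensions produced when SDelete renames a file before deleting it.`. The `Potential` prefix in the new title is consistent with the unchanged `level: medium`, and the `modified: 2024-12-13` bump is appropriate for a metadata-only change.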
@@ -32,4 +32,5 @@ detection:
condition: selection
falsepositives:
- Legitimate usage of SDelete
- Files that are interacted with that have these extensions legitimately
level: medium
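Review bot: the added false-positive entry `- Files that are interacted with that have these extensions legitimately` is awkward to parse and does not say what is being distinguished from the SDelete case; suggest `- Legitimate files that happen to use one of these extensions`. Since the hunk header shows `condition: selection` untouched, the detection logic is unchanged and the commit's "Enhance metadata" scope holds, so no re-test of the selection is needed for this PR.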