frack113
32 lines
925 B
YAML
32 lines
925 B
YAML
title: Renamed Sysinternals Sdelete Usage
|
|
id: c1d867fe-8d95-4487-aab4-e53f2d339f90
|
|
status: experimental
|
|
description: Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)
|
|
references:
|
|
- https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
|
|
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md
|
|
author: Florian Roth
|
|
date: 2022/09/06
|
|
tags:
|
|
- attack.impact
|
|
- attack.t1485
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection:
|
|
OriginalFileName: 'sdelete.exe'
|
|
filter:
|
|
Image|endswith:
|
|
- '\sdelete.exe'
|
|
- '\sdelete64.exe'
|
|
condition: selection and not filter
|
|
fields:
|
|
- ComputerName
|
|
- User
|
|
- CommandLine
|
|
- ParentCommandLine
|
|
falsepositives:
|
|
- System administrator usage
|
|
level: high
|