LoFP / files that are interacted with that have these extensions legitimately

Techniques

Sample rules

Potential Secure Deletion with SDelete

Description

Detects files that have extensions commonly seen while SDelete is used to wipe files.

Detection logic

condition: selection
selection:
  EventID:
  - 4656
  - 4663
  - 4658
  ObjectName|endswith:
  - .AAA
  - .ZZZ
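The selection above as executable detection logic, run over constructed Windows Security events. This is an added example, not part of the LoFP page or the rule's project; the use of the `ProcessName` field to separate SDelete hits from the legitimate-file false positives this entry describes is an assumption, since the rule itself does not read it.

```python
"""Added example (not from the LoFP page or the Sigma rule's project):
applies the selection block above to constructed Windows Security events and
buckets hits by the process that touched the file, the extra context an
analyst needs to recognise the legitimate-use false positive."""

SDELETE_EVENT_IDS = {4656, 4663, 4658}        # EventID list from the rule
SDELETE_EXTENSIONS = (".aaa", ".zzz")         # ObjectName|endswith, lower-cased


def matches_sdelete_rule(event: dict) -> bool:
    """Mirror of the Sigma selection: EventID in the list AND ObjectName
    ends with one of the extensions. Sigma string matching is
    case-insensitive, so the suffix comparison is done on lower-case."""
    try:
        event_id = int(event.get("EventID"))
    except (TypeError, ValueError):
        return False
    object_name = str(event.get("ObjectName", "")).lower()
    return event_id in SDELETE_EVENT_IDS and object_name.endswith(SDELETE_EXTENSIONS)


def triage(events: list) -> dict:
    """Run the rule and bucket hits by ProcessName (assumption: the field is
    present on the event, as it is on 4663 events, although the rule does
    not use it). Hits from an sdelete binary go to 'sdelete'; everything
    else goes to 'review', which is where this LoFP entry's false positives
    (legitimate files with these extensions) land."""
    out = {"sdelete": [], "review": []}
    for ev in events:
        if not matches_sdelete_rule(ev):
            continue
        proc = str(ev.get("ProcessName", "")).lower()
        binary = proc.rsplit("\\", 1)[-1]
        bucket = "sdelete" if "sdelete" in binary else "review"
        out[bucket].append(ev["ObjectName"])
    return out


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4663, "ObjectName": r"C:\Users\alice\report.docx",
     "ProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4663, "ObjectName": r"C:\Users\alice\report.AAA",
     "ProcessName": r"C:\Tools\sdelete64.exe"},
    {"EventID": 4656, "ObjectName": r"D:\backup\archive.zzz",
     "ProcessName": r"C:\Program Files\Backup\backup.exe"},
    {"EventID": 4688, "ObjectName": r"C:\tmp\job.ZZZ",
     "ProcessName": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The `review` bucket is the one to tune: files that legitimately carry these extensions show up there, while the `sdelete` bucket holds the behaviour the rule was written for.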