Potential Secure Deletion with SDelete
- source: sigma
- techniques:
    - t1027
    - t1027.005
    - t1070
    - t1070.004
    - t1485
    - t1553
    - t1553.002
Description
Detects files that have extensions commonly seen while SDelete is used to wipe files.
Detection logic
condition: selection
selection:
    EventID:
        - 4656
        - 4663
        - 4658
    ObjectName|endswith:
        - .AAA
        - .ZZZ
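The following is an added example, not code from the Sigma project: a minimal matcher that evaluates this rule's selection over constructed Windows Security event records, applying the Sigma default of case-insensitive string matching to the `|endswith` modifier. The event dictionaries, paths and helper names are assumptions made for illustration.

```python
# Added example: evaluate the SDelete rule's `selection` over Security events.
# Field names follow the rule (EventID, ObjectName); the sample records are constructed.

EVENT_IDS = {4656, 4663, 4658}          # handle requested / object accessed / handle closed
SUFFIXES = (".aaa", ".zzz")             # the rule's ObjectName|endswith values, lower-cased

def matches(event: dict) -> bool:
    """Return True when the event satisfies the rule's `selection`.

    Sigma matches strings case-insensitively by default, so the suffix test is
    done on the lower-cased ObjectName rather than on the literal '.AAA'/'.ZZZ'.
    """
    if event.get("EventID") not in EVENT_IDS:
        return False
    name = str(event.get("ObjectName", "")).lower()
    return name.endswith(SUFFIXES)

def matching_names(events) -> list:
    """Return the ObjectName of every event that triggers the rule."""
    return [e["ObjectName"] for e in events if matches(e)]

# Constructed sample telemetry (not real log data). The first two records show the
# renamed-file pattern the rule targets; the last two should not fire.
SAMPLE_EVENTS = [
    {"EventID": 4663, "ObjectName": r"C:\Users\alice\Documents\AAAAAAAA.AAA"},
    {"EventID": 4656, "ObjectName": r"C:\Temp\ZZZZZZZZ.zzz"},   # case differs, still matches
    {"EventID": 4663, "ObjectName": r"C:\Users\alice\Documents\report.docx"},
    {"EventID": 4688, "ObjectName": r"C:\Temp\AAAAAAAA.AAA"},   # EventID outside the rule
]

if __name__ == "__main__":
    for name in matching_names(SAMPLE_EVENTS):
        print("ALERT: possible SDelete wipe artefact:", name)
```

Events 4656, 4663 and 4658 are only generated when object-access auditing is enabled and the monitored files or directories carry a matching SACL, so the rule produces nothing on hosts without that audit configuration.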