Techniques
Sample rules
File Deleted Via Sysinternals SDelete
- source: sigma
- techniques:
- t1070
- t1070.004
Description
Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.
Detection logic
selection:
  TargetFilename|endswith:
    - .AAA
    - .ZZZ
filter_wireshark:
  TargetFilename|endswith: \Wireshark\radius\dictionary.alcatel-lucent.aaa
condition: selection and not 1 of filter_*
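The following is an added example, not part of the Sigma rule or the page, that evaluates the rule's selection and filter over constructed Sysmon-style file-deletion events (event field names and sample paths are assumptions). It applies Sigma's default case-insensitive string matching, which is why the lowercase Wireshark `.aaa` dictionary file can be excluded from the uppercase `.AAA` selection.

```python
# Added example: evaluates 'selection and not 1 of filter_*' for the
# SDelete rule over constructed events. Not the page's own code.
SELECTION_SUFFIXES = (".AAA", ".ZZZ")
FILTER_SUFFIXES = (r"\Wireshark\radius\dictionary.alcatel-lucent.aaa",)


def _endswith_any(value: str, suffixes) -> bool:
    # Sigma string modifiers such as |endswith are case-insensitive by default.
    lowered = value.lower()
    return any(lowered.endswith(s.lower()) for s in suffixes)


def matches_sdelete_rule(event: dict) -> bool:
    """True when the event satisfies 'selection and not 1 of filter_*'."""
    target = event.get("TargetFilename")  # assumed Sysmon field name
    if not isinstance(target, str):
        return False
    selected = _endswith_any(target, SELECTION_SUFFIXES)
    filtered = _endswith_any(target, FILTER_SUFFIXES)
    return selected and not filtered


# Constructed sample events (Sysmon EventID 23 style, fields trimmed).
SAMPLE_EVENTS = [
    {"EventID": 23, "Image": r"C:\Tools\sdelete64.exe",
     "TargetFilename": r"C:\Users\alice\Documents\report.AAA"},
    {"EventID": 23, "Image": r"C:\Tools\sdelete64.exe",
     "TargetFilename": r"C:\Users\alice\Documents\report.zzz"},
    {"EventID": 23, "Image": r"C:\Program Files\Wireshark\Wireshark.exe",
     "TargetFilename": r"C:\Program Files\Wireshark\radius\dictionary.alcatel-lucent.aaa"},
    {"EventID": 23, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\report.docx"},
]


def alerts(events):
    """Return the TargetFilename of every event the rule fires on."""
    return [e["TargetFilename"] for e in events if matches_sdelete_rule(e)]


if __name__ == "__main__":
    for name in alerts(SAMPLE_EVENTS):
        print("ALERT: file deleted via SDelete rename pattern:", name)
```

The second event shows that a lowercase `.zzz` rename still fires, while the Wireshark dictionary file is suppressed by the filter even though it ends in `.aaa`.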