Renamed Sysinternals Sdelete Execution

Sigma Rules

Summary
This rule detects executions of the Sysinternals utility Sdelete under a name other than its own, which is generally not something a system administrator would do. Renaming administrative tools is a tactic attackers use to hide their activity, so such behaviour may indicate malicious intent. The detection works on Windows process creation events and checks whether an executable is running under a name that is not its original one. Specifically, the rule flags a process whose `OriginalFileName` attribute identifies it as Sdelete while the name it was executed under does not end with 'sdelete.exe' or 'sdelete64.exe'. When a match occurs it raises an alert, flagging potentially suspicious behaviour for further investigation.
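The following is an added example, not the rule's own YAML or code, showing the summarized logic evaluated over constructed Sysmon-style process creation events. The field names (`Image`, `OriginalFileName`, `CommandLine`) follow the Sysmon Event ID 1 schema as an assumption, and the list of accepted image names is taken from the summary above rather than from the published rule.

```python
"""Toy evaluation of the "renamed Sdelete" detection logic described above.
Added example; not the Sigma rule's own code. Field names are assumed to
follow Sysmon Event ID 1 (Image, OriginalFileName, CommandLine)."""

import ntpath

# Image names Sdelete legitimately runs under (the rule's exclusion list, as
# given in the summary). The published rule may list more variants.
LEGITIMATE_IMAGE_NAMES = ("sdelete.exe", "sdelete64.exe")

# Value of the PE version-info OriginalFileName field that identifies Sdelete.
SDELETE_ORIGINAL_FILE_NAME = "sdelete.exe"


def is_renamed_sdelete(event: dict) -> bool:
    """Return True when the PE's OriginalFileName says Sdelete but the executed
    image name does not end with one of the legitimate names.

    Events without an OriginalFileName (sources other than Sysmon, or binaries
    with stripped version info) can never match, which is a known blind spot."""
    original = (event.get("OriginalFileName") or "").lower()
    if original != SDELETE_ORIGINAL_FILE_NAME:
        return False
    image = ntpath.basename(event.get("Image") or "").lower()
    return not image.endswith(LEGITIMATE_IMAGE_NAMES)


def scan(events):
    """Return the subset of events the rule would alert on, in input order."""
    return [e for e in events if is_renamed_sdelete(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Sdelete run under its own name: benign for this rule.
    {"Image": r"C:\Tools\sdelete64.exe", "OriginalFileName": "sdelete.exe",
     "CommandLine": "sdelete64.exe -accepteula -p 1 C:\\tmp\\report.docx"},
    # Sdelete renamed to look like a system binary: should alert.
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "sdelete.exe",
     "CommandLine": "svchost.exe -accepteula -p 1 C:\\tmp\\report.docx"},
    # Real svchost: OriginalFileName does not match, no alert.
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    # Mixed-case OriginalFileName still identifies Sdelete: should alert.
    {"Image": r"D:\Backup\cleanup.exe", "OriginalFileName": "SDELETE.EXE",
     "CommandLine": "cleanup.exe -accepteula -p 1 D:\\Backup\\old"},
    # Source that does not populate OriginalFileName: cannot fire.
    {"Image": r"C:\Temp\x.exe", "CommandLine": "x.exe -p 1 file.txt"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"ALERT renamed Sdelete: {hit['Image']} ({hit['CommandLine']})")
```

The check depends entirely on the `OriginalFileName` field, which Sysmon reads from the binary's PE version resource; a log source that does not carry that field, or a copy of the tool with its version information removed, will not trigger this rule, so it is worth pairing with hash- or command-line-based coverage of the same tool.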
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1485
Created: 2022-09-06