Merge PR #5125 from @randomaccess3 - Update `Potential Secure Deletio…

…n with SDelete` update: Potential Secure Deletion with SDelete - Enhance metadata --------- Co-authored-by: Nasreddine Bencherchali <[email protected]>
SigmaHQ · Dec 14, 2024 · a290d22 · a290d22
1 parent 9b67acf
commit a290d22
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/...in/security/win_security_susp_sdelete.yml → ...ity_sdelete_potential_secure_deletion.yml b/...in/security/win_security_susp_sdelete.yml → ...ity_sdelete_potential_secure_deletion.yml
@@ -1,14 +1,14 @@
-title: Secure Deletion with SDelete
+title: Potential Secure Deletion with SDelete
 id: 39a80702-d7ca-4a83-b776-525b1f86a36d
 status: test
-description: Detects renaming of file while deletion with SDelete tool.
+description: Detects files that have extensions commonly seen while SDelete is used to wipe files.
 references:
     - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm
     - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
     - https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete
 author: Thomas Patzke
 date: 2017-06-14
-modified: 2021-11-27
+modified: 2024-12-13
 tags:
     - attack.impact
     - attack.defense-evasion
@@ -32,4 +32,5 @@ detection:
     condition: selection
 falsepositives:
     - Legitimate usage of SDelete
+    - Files that are interacted with that have these extensions legitimately
 level: medium