sigmahighHunting

Sysmon Blocked File Shredding

Triggers on any Sysmon "FileBlockShredding" event, which indicates a violation of the configured shredding policy.

Detection Query

selection:
  EventID: 28
condition: selection

Author

frack113

Created

2023-07-20

Data Sources

windowssysmon

Platforms

windows

References

https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon

Tags

attack.defense-impairment

Raw Content

title: Sysmon Blocked File Shredding
id: c3e5c1b1-45e9-4632-b242-27939c170239
status: test
description: Triggers on any Sysmon "FileBlockShredding" event, which indicates a violation of the configured shredding policy.
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
author: frack113
date: 2023-07-20
tags:
    - attack.defense-impairment
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 28  # this is fine, we want to match any FileBlockShredding event
    condition: selection
falsepositives:
    - Unlikely
level: high