S0195: SDelete
Analyst context for executives and security teams
SDelete is a legitimate Microsoft Sysinternals Windows utility for securely deleting data so it is difficult or impossible to recover. Its security relevance is that the same trusted administration tool can support both normal data-handling needs and adversary objectives: removing intrusion traces or destroying data. For leaders, the key issue is not that SDelete exists, but whether the organization can distinguish approved administrative use from suspicious secure deletion during an incident.
Executive priority
Prioritize this as a dual-use tool governance and resilience question. Because ATT&CK links SDelete to File Deletion for stealth and Data Destruction for impact, executives should ask whether Windows endpoint logging, administrative tool controls, backup/recovery readiness, and incident response evidence preservation are mature enough to handle secure deletion activity. It is especially material where audit evidence, payment or personal data handling, regulated retention, or operational continuity depend on recoverable records.
Technical view
Validate visibility for SDelete execution on Windows systems and correlate it with user context, host role, file paths, timing, and change activity. ATT&CK provides no official detection text for this tool, so detection engineering should be based on local baselines: known administrator workflows, approved Sysinternals usage, and exceptions for legitimate secure disposal. Relationship context shows use by multiple ATT&CK groups and links the tool to T1070.004 File Deletion and T1485 Data Destruction, so SOC and IR teams should treat unexpected secure deletion as both a potential anti-forensics signal and a possible precursor or component of availability-impacting activity.
Likely telemetry
- Windows process creation events showing SDelete execution and command-line context where collected
- Endpoint detection and response telemetry for Sysinternals tool execution
- File deletion or file system activity telemetry, especially secure deletion of unusual paths or high-volume deletion patterns
- User, administrator, and service account activity around the same host and timeframe
- Software inventory or application control records showing whether SDelete is present, approved, or newly introduced
Detection direction
- Baseline legitimate SDelete use by administrators and approved maintenance processes before treating all execution as malicious.
- Alert on SDelete execution from unusual directories, by unusual users, on sensitive servers, or near other suspicious intrusion activity.
- Correlate secure deletion with evidence of staging, tool transfer, privilege use, or incident cleanup rather than relying on the tool name alone.
- Tune for false positives from legitimate data disposal, privacy workflows, or system administration tasks.
- Account for blind spots where command-line logging, endpoint telemetry, or file activity auditing is not enabled on Windows systems.
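Detection logic of the kind outlined above, as an added example that is not part of the ATT&CK entry or of Glexia's analysis: it triages SDelete executions against a local baseline and runs over constructed process-creation records shaped like Sysmon Event ID 1 fields (UtcTime, Computer, User, Image, OriginalFileName, CommandLine). The hostnames, accounts, directories and the approved-use baseline are assumptions a deployment would replace with its own; the binary names and the free-space options (-z, -c) are the ones Sysinternals documents for SDelete. Matching on OriginalFileName as well as the image name covers the renamed-binary blind spot, and the burst check covers the high-volume pattern listed under likely telemetry.

```python
"""Triage SDelete process-creation events against a local baseline.

Added illustration; not part of the ATT&CK entry or Glexia's analysis.
Events are constructed to resemble Sysmon Event ID 1 fields; the hosts,
accounts, paths and the APPROVED_* / SENSITIVE_HOSTS baseline are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

SDELETE_IMAGES = {"sdelete.exe", "sdelete64.exe"}
FREE_SPACE_FLAGS = {"-z", "-c"}  # documented options that wipe free space; rare in routine disposal

# Assumed local baseline (constructed): who may run SDelete, from where, and which hosts are sensitive.
APPROVED_USERS = {"CORP\\svc-disposal", "CORP\\admin.jdoe"}
APPROVED_DIRS = {PureWindowsPath(r"C:\Tools\Sysinternals")}
SENSITIVE_HOSTS = {"DC01", "FS01"}
BURST_WINDOW = timedelta(minutes=10)  # this many runs on one host inside the window is a burst
BURST_THRESHOLD = 3


def is_sdelete(event):
    """Match on the image name or, for renamed copies, on the PE OriginalFileName."""
    image = PureWindowsPath(event["Image"]).name.lower()
    original = event.get("OriginalFileName", "").lower()
    return image in SDELETE_IMAGES or original in SDELETE_IMAGES


def score_event(event):
    """Return (score, reasons) describing how far one run deviates from the baseline."""
    reasons = []
    image = PureWindowsPath(event["Image"])
    if image.parent not in APPROVED_DIRS:
        reasons.append(f"executed from unapproved directory {image.parent}")
    if event["User"] not in APPROVED_USERS:
        reasons.append(f"run by non-baselined account {event['User']}")
    if event["Computer"].upper() in SENSITIVE_HOSTS:
        reasons.append(f"run on sensitive host {event['Computer']}")
    if image.name.lower() not in SDELETE_IMAGES:
        reasons.append("binary renamed (matched on OriginalFileName)")
    flags = {tok.lower() for tok in event["CommandLine"].split() if tok.startswith("-")}
    if flags & FREE_SPACE_FLAGS:
        reasons.append("free-space wipe requested")
    return len(reasons), reasons


def detect_bursts(events):
    """Return hosts with at least BURST_THRESHOLD runs inside BURST_WINDOW."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["Computer"]].append(datetime.fromisoformat(e["UtcTime"]))
    bursty = set()
    for host, times in by_host.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if t - start <= BURST_WINDOW)
            if in_window >= BURST_THRESHOLD:
                bursty.add(host)
                break
    return bursty


def triage(events):
    """Return one alert per SDelete run that deviates from the baseline."""
    hits = [e for e in events if is_sdelete(e)]
    bursty = detect_bursts(hits)
    alerts = []
    for e in hits:
        score, reasons = score_event(e)
        if e["Computer"] in bursty:
            score += 1
            reasons.append("part of a burst of secure deletions on this host")
        if score:
            alerts.append({"host": e["Computer"], "user": e["User"],
                           "time": e["UtcTime"], "score": score, "reasons": reasons})
    return alerts


SAMPLE_EVENTS = [  # constructed, not real telemetry
    # Baselined disposal workflow on a workstation: no alert expected.
    {"UtcTime": "2024-05-06 09:15:02", "Computer": "WS-HR-117", "User": "CORP\\svc-disposal",
     "Image": r"C:\Tools\Sysinternals\sdelete64.exe", "OriginalFileName": "sdelete64.exe",
     "CommandLine": r"sdelete64.exe -p 3 -s D:\Offboarding\2024-05"},
    # Unbaselined account, tool in a temp path, sensitive host, free-space wipe.
    {"UtcTime": "2024-05-06 22:41:10", "Computer": "FS01", "User": "CORP\\jsmith",
     "Image": r"C:\Users\jsmith\AppData\Local\Temp\sdelete64.exe", "OriginalFileName": "sdelete64.exe",
     "CommandLine": r"sdelete64.exe -z C:"},
    # Renamed copy: the image name says nothing, OriginalFileName still matches.
    {"UtcTime": "2024-05-06 22:43:55", "Computer": "FS01", "User": "CORP\\jsmith",
     "Image": r"C:\ProgramData\svchost_update.exe", "OriginalFileName": "sdelete64.exe",
     "CommandLine": r"svchost_update.exe -p 1 -s C:\Windows\Temp\stage"},
    {"UtcTime": "2024-05-06 22:47:30", "Computer": "FS01", "User": "CORP\\jsmith",
     "Image": r"C:\ProgramData\svchost_update.exe", "OriginalFileName": "sdelete64.exe",
     "CommandLine": r"svchost_update.exe -q C:\inetpub\logs\LogFiles"},
    # Unrelated process on the same host: must be ignored.
    {"UtcTime": "2024-05-06 22:50:00", "Computer": "FS01", "User": "CORP\\jsmith",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["time"], alert["host"], alert["user"], alert["score"], "; ".join(alert["reasons"]))
```

The approved workstation run produces no alert, while the three file-server runs each score 5, with the renamed copies caught only because the baseline matched on OriginalFileName. In practice the baseline sets would be loaded from the approved-use documentation described under mitigation priorities rather than hard-coded, and the score thresholds tuned against the false positives the page names (data disposal, privacy workflows, routine administration).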
Mitigation priorities
- Define and document approved use cases for secure deletion tools, including who may run them and on which systems.
- Use application control or administrative allow-listing where appropriate to limit unauthorized execution of Sysinternals utilities without blocking legitimate operations blindly.
- Ensure Windows endpoint logging and EDR coverage capture process execution and command-line context for administrative tools.
- Protect business-critical data with tested backup and recovery processes, since secure deletion may reduce forensic recoverability on the endpoint itself.
- Include secure deletion activity in incident response playbooks so responders preserve remaining evidence quickly and assess whether deletion was stealth-oriented or impact-oriented.
Analyst notes and limits
The object is a tool entry, not a technique, and ATT&CK does not provide official detection guidance. The strongest decision value comes from its relationships: SDelete is associated with File Deletion and Data Destruction, and ATT&CK lists several groups as using it. Those relationships justify monitoring and governance, but local baselines are required to separate normal administration from suspicious use.
The supplied ATT&CK fields only support Windows as the platform for SDelete and do not provide command examples, procedures, or detection analytics. Group relationships do not prove current activity, targeting, or exposure in any specific environment. Detection and mitigation recommendations must be validated against local logging, approved administration practices, and recovery requirements.
SDelete
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1070.004 | File Deletion (sub-technique) | SDelete deletes data in a way that makes it unrecoverable. [1] |
| Enterprise | T1485 | Data Destruction | SDelete deletes data in a way that makes it unrecoverable. [1] |
Groups, software, and campaigns
G0016: APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]
G0034: Sandworm Team
Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]
In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]
G0080: Cobalt Group
Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. Cobalt Group has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to then compromise additional victims.[1][2][3][4][5][6][7] Reporting indicates there may be links between Cobalt Group and both the malware Carbanak and the group Carbanak.[8]
G0053: FIN5
FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian.[1][2][3]
G0091: Silence
Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing.[1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | b9cdc845d89c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Microsoft SDelete July 2016: Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February 8, 2018.
[2] SDelete (Citation: Microsoft SDelete July 2016)
[3] mitre-attack S0195
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.