SDelete
SDelete is Microsoft Sysinternals' legitimate command-line utility for secure file deletion. It overwrites files before deleting them so that the data is intended to be unrecoverable, and it can also overwrite a volume's free space to destroy remnants of previously deleted files. In the reporting summarized here it is mapped to MITRE ATT&CK T1485 (Data Destruction) and to file-deletion/anti-forensics behavior (Indicator Removal: File Deletion, T1070.004), and it is described being used to delete evidence, securely wipe files, and remove forensic artifacts and activity logs.
The utility has been used by multiple threat actors for cleanup and defense evasion. Reporting states that APT29 used SDelete to remove artifacts from victim networks, that FIN5 used it to clean up the environment and attempt to prevent detection, and that Sandworm used it in destructive operations. CERT-UA reporting on the January 2023 attack on Ukraine's national news agency Ukrinform states that the attackers intended to execute sdelete.exe via a batch file named news.bat as part of a broader destructive operation that also involved CaddyWiper, ZeroWipe, AwfulShred, and BidSwipe; the attack was attributed to UAC-0082 (Sandworm), associated with Russia's GRU. ESET separately reported detecting execution of the SDelete utility at a Ukrainian software reseller on 2023-01-01, and assessed that NikoWiper is based on the SDelete command-line utility.
Indicators directly mentioned in the reporting include the filename sdelete.exe and, for the Ukrinform incident, MD5 803df907d936e08fbbd06020c411be93 and SHA-256 e8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c for an SDelete binary, together with the launcher news.bat (MD5 6aa899b47596323da573fb218f3a8266, SHA-256 301b248a8291df6c7f3565a3dac17ee69609f36ef474b4f20eebe134746a9cac). Because the SDelete hashes identify a copy of a legitimate, publicly distributed tool, a hash match on its own does not establish malicious intent; the parent process, launcher, and targets supply that context. The reporting also references a Splunk attack-simulation dataset for SDelete execution dated 2021-10-06, with Sysmon telemetry collected in an attack_range environment for detection testing.
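As an added example (not code from the original page, from Mallory, or from Microsoft), the following Python triages Sysmon Event ID 1 records for SDelete execution the way the Splunk/Sysmon dataset above would be hunted: it matches the on-disk name and the PE OriginalFileName (so a renamed copy is still caught), checks the page's Ukrinform hashes and the news.bat launcher, and raises severity for the free-space wipe switches. The sample events, hostnames, users, command lines and the high/medium severity scheme are constructed assumptions of the example; only the hash values and the launcher name come from the page.

```python
"""Triage Sysmon process-creation (Event ID 1) records for SDelete execution.
Added example, not code from the original page. Events are constructed; only the
hash values and the news.bat launcher name come from the page's IOC list."""
import ntpath
import shlex
from typing import Dict, List, Optional

# IOCs listed on the page for the Ukrinform-incident SDelete binary (MD5, SHA-256).
SDELETE_BINARY_HASHES = {
    "803df907d936e08fbbd06020c411be93",
    "e8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c",
}
LAUNCHER_NAME = "news.bat"
# -c cleans and -z zeroes a volume's free space, destroying deleted-file remnants
# volume-wide; -s recurses, -p sets overwrite passes, -q/-nobanner suppress output.
VOLUME_WIPE_FLAGS = {"-c", "-z"}
NAMED_IMAGES = {"sdelete.exe", "sdelete64.exe"}


def parse_sysmon_hashes(field: str) -> Dict[str, str]:
    """Sysmon encodes hashes as 'MD5=...,SHA256=...,IMPHASH=...'; return {ALGO: hex}."""
    out: Dict[str, str] = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def classify_sdelete_event(event: Dict[str, str]) -> Optional[Dict]:
    """Return a finding if the record looks like SDelete, else None. OriginalFileName
    comes from the PE version resource, so it still matches a renamed copy."""
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    if image not in NAMED_IMAGES and original != "sdelete.exe":
        return None
    hashes = set(parse_sysmon_hashes(event.get("Hashes", "")).values())
    argv = shlex.split(event.get("CommandLine", ""), posix=False)
    flags = {a.lower() for a in argv[1:] if a.startswith("-")}
    parent_cmd = event.get("ParentCommandLine", "").lower()

    reasons: List[str] = []
    if hashes & SDELETE_BINARY_HASHES:
        reasons.append("hash matches Ukrinform SDelete IOC")
    if original == "sdelete.exe" and image not in NAMED_IMAGES:
        reasons.append(f"renamed binary ({image})")
    if LAUNCHER_NAME in parent_cmd:
        reasons.append(f"launched via {LAUNCHER_NAME}")
    if flags & VOLUME_WIPE_FLAGS:
        reasons.append("free-space wipe of a volume (-c/-z)")
    # A correctly named SDelete with no other signal may be admin use: keep it,
    # but at lower severity so it is reviewed against a baseline rather than paged.
    return {"host": event.get("Computer", ""), "user": event.get("User", ""),
            "image": image, "args": argv[1:],
            "severity": "high" if reasons else "medium", "reasons": reasons}


def hunt(events: List[Dict[str, str]]) -> List[Dict]:
    """Classify a batch of EID 1 records and keep only the SDelete findings."""
    return [f for f in (classify_sdelete_event(e) for e in events) if f]


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"Computer": "ws-fin-07", "User": r"CORP\jsmith",  # admin wiping one file
     "Image": r"C:\Tools\sdelete.exe", "OriginalFileName": "sdelete.exe",
     "CommandLine": r"sdelete.exe -p 3 C:\temp\export.csv",
     "ParentCommandLine": r"C:\Windows\explorer.exe",
     "Hashes": "MD5=" + "aa" * 16 + ",SHA256=" + "bb" * 32},
    {"Computer": "srv-news-01", "User": r"NT AUTHORITY\SYSTEM",  # page's IOC hashes + news.bat
     "Image": r"C:\Windows\Temp\sdelete.exe", "OriginalFileName": "sdelete.exe",
     "CommandLine": r"sdelete.exe -accepteula -nobanner -s -q C:\Users",
     "ParentCommandLine": r"cmd.exe /c C:\ProgramData\news.bat",
     "Hashes": "MD5=803df907d936e08fbbd06020c411be93,"
               "SHA256=e8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c"},
    {"Computer": "srv-file-02", "User": r"CORP\svc_backup",  # renamed copy zeroing free space
     "Image": r"C:\ProgramData\svchost32.exe", "OriginalFileName": "sdelete.exe",
     "CommandLine": "svchost32.exe -z C:", "ParentCommandLine": "powershell.exe -nop -w hidden",
     "Hashes": "MD5=" + "cc" * 16 + ",SHA256=" + "dd" * 32},
    {"Computer": "ws-fin-07", "User": r"CORP\jsmith",  # unrelated process, ignored
     "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe", "ParentCommandLine": r"C:\Windows\explorer.exe",
     "Hashes": "MD5=" + "ee" * 16},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["host"], f["image"], "; ".join(f["reasons"]) or "no extra signal")
```

Two points worth carrying into a production rule: the first sample event shows why a bare hash or filename match should not page anyone, since the same bytes ship in every legitimate SDelete download, and the third shows why OriginalFileName, not Image, has to be the primary selector. Like other Sysinternals tools, SDelete records EULA acceptance under HKCU\Software\Sysinternals\SDelete on first run, so a Sysmon registry event (Event ID 13) on that key is a complementary signal when process-creation logging is missing or has been cleared.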
Groups observed using it
Five distinct threat actors attributed by public researchers; the ones named in the reporting above are APT29, FIN5, and Sandworm (UAC-0082).
"They commonly use tools like Microsoft's SDelete utility to securely delete files and wipe activity logs..."
"...as well as the legitimate SDelete utility (which was intended to be launched via "news.bat")"
Techniques & procedures
8 distinct techniques documented for this family, grouped by tactic.
Resource Development
1 technique
Reporting repeatedly states that threat actors obtained, acquired, or used publicly available, open-source, legitimate, or modified tools such as Mimikatz, Cobalt Strike, PsExec, Empire, Impacket, and many others (Obtain Capabilities: Tool, T1588.002).
Execution
2 techniques
"...a Group Policy Object (GPO) was created, which in turn ensured the creation of the corresponding scheduled tasks." and "Windows_Security_Update_HxW (Scheduled Task)"
"...the legitimate SDelete utility (which was intended to be launched via 'news.bat')."
Persistence
1 technique
Privilege Escalation
2 techniques
"...a Group Policy Object (GPO) was created, which in turn ensured the creation of the corresponding scheduled tasks." and "Windows_Security_Update_HxW (Scheduled Task)"
Defense Evasion
2 techniques
Many examples describe post-intrusion cleanup, anti-forensics, and removal of artifacts such as logs, scripts, malware components, scheduled tasks, registry keys, and temporary files.
Reporting repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and other artifacts from compromised systems to cover their tracks, remove evidence, or self-delete. APT29 has used SDelete to remove artifacts from victim networks. FIN5 uses SDelete to clean up the environment and attempt to prevent detection. SDelete deletes data in a way that makes it unrecoverable.
Defense Impairment
1 technique
Command and Control
1 technique
"It created two files: rar.exe and sdelete.exe."
Impact
1 technique
"Data Destruction [T1485] Most of the time, data destruction is aimed at the destruction of forensic artifacts via the use of SDelete or CCleaner. Unfortunately, sometimes ransomware actors destroy production data stores (sometimes malicious, sometimes by accident)."
Recent activity
8 sources tracked across advisories, community write-ups, and news.
Legitimate Sysinternals secure-deletion utility referenced as being abused by ransomware actors to destroy forensic artifacts (data destruction/anti-forensics).
SDelete is a secure-deletion utility that can be used to irreversibly delete files and data; in this context it is associated with ATT&CK technique T1485, indicating destructive or data-wiping behavior.
Legitimate Microsoft secure-deletion utility used in destructive activity: the basis for NikoWiper, and also observed being executed directly in January 2023.
Sysinternals secure-deletion utility used for anti-forensics, securely deleting files to hinder recovery.