Sdelete deployed via GPO and run recursively ASIM Version
| Id | 30c8b802-ace1-4408-bc29-4c5c5afb49e1 |
| Rulename | Sdelete deployed via GPO and run recursively (ASIM Version) |
| Description | This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them. This query uses the Advanced Security Information Model. Parsers will need to be deployed before use: https://docs.microsoft.com/azure/sentinel/normalization |
| Severity | Medium |
| Tactics | Impact |
| Techniques | T1485 |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/SdeletedeployedviaGPOandrunrecursively(ASIMVersion).yaml |
| Version | 1.0.6 |
| Arm template | 30c8b802-ace1-4408-bc29-4c5c5afb49e1.json |
_Im_ProcessEvent
| where EventType =~ "ProcessCreated"
| where Process endswith "svchost.exe"
| where CommandLine has "-k GPSvcGroup" or CommandLine has "-s gpsvc"
| extend timekey = bin(TimeGenerated, 1m)
| project timekey, ActingProcessId, Dvc
| join kind=inner (
_Im_ProcessEvent
| where EventType =~ "ProcessCreated"
| where Process =~ "sdelete.exe" or CommandLine has "sdelete"
| where ActingProcessName endswith "svchost.exe"
| where CommandLine has_all ("-s", "-r")
| extend timekey = bin(TimeGenerated, 1m)
)
on $left.ActingProcessId == $right.ParentProcessId, timekey, Dvc
| extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0])
| extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
| project-away DomainIndex
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/SdeletedeployedviaGPOandrunrecursively(ASIMVersion).yaml
metadata:
categories:
domains:
- Security - Threat Protection
author:
name: Microsoft Security Research
source:
kind: Community
support:
tier: Community
id: 30c8b802-ace1-4408-bc29-4c5c5afb49e1
query: |
_Im_ProcessEvent
| where EventType =~ "ProcessCreated"
| where Process endswith "svchost.exe"
| where CommandLine has "-k GPSvcGroup" or CommandLine has "-s gpsvc"
| extend timekey = bin(TimeGenerated, 1m)
| project timekey, ActingProcessId, Dvc
| join kind=inner (
_Im_ProcessEvent
| where EventType =~ "ProcessCreated"
| where Process =~ "sdelete.exe" or CommandLine has "sdelete"
| where ActingProcessName endswith "svchost.exe"
| where CommandLine has_all ("-s", "-r")
| extend timekey = bin(TimeGenerated, 1m)
)
on $left.ActingProcessId == $right.ParentProcessId, timekey, Dvc
| extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0])
| extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
| project-away DomainIndex
tags:
-
description: |
'This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.
This query uses the Advanced Security Information Model. Parsers will need to be deployed before use: https://docs.microsoft.com/azure/sentinel/normalization'
name: Sdelete deployed via GPO and run recursively (ASIM Version)
relevantTechniques:
- T1485
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: ActorUsername
- identifier: Name
columnName: AccountName
- identifier: NTDomain
columnName: AccountNTDomain
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: Dvc
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: HostNameDomain
- entityType: IP
fieldMappings:
- identifier: Address
columnName: DvcIpAddr
triggerThreshold: 0
severity: Medium
requiredDataConnectors: []
queryFrequency: 1d
queryPeriod: 1d
version: 1.0.6
kind: Scheduled
tactics:
- Impact
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/30c8b802-ace1-4408-bc29-4c5c5afb49e1')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/30c8b802-ace1-4408-bc29-4c5c5afb49e1')]",
"properties": {
"alertRuleTemplateName": "30c8b802-ace1-4408-bc29-4c5c5afb49e1",
"customDetails": null,
"description": "'This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\n This query uses the Advanced Security Information Model. Parsers will need to be deployed before use: https://docs.microsoft.com/azure/sentinel/normalization'\n",
"displayName": "Sdelete deployed via GPO and run recursively (ASIM Version)",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "ActorUsername",
"identifier": "FullName"
},
{
"columnName": "AccountName",
"identifier": "Name"
},
{
"columnName": "AccountNTDomain",
"identifier": "NTDomain"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "Dvc",
"identifier": "FullName"
},
{
"columnName": "HostName",
"identifier": "HostName"
},
{
"columnName": "HostNameDomain",
"identifier": "DnsDomain"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "DvcIpAddr",
"identifier": "Address"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/SdeletedeployedviaGPOandrunrecursively(ASIMVersion).yaml",
"query": "_Im_ProcessEvent\n| where EventType =~ \"ProcessCreated\"\n| where Process endswith \"svchost.exe\"\n| where CommandLine has \"-k GPSvcGroup\" or CommandLine has \"-s gpsvc\"\n| extend timekey = bin(TimeGenerated, 1m)\n| project timekey, ActingProcessId, Dvc\n| join kind=inner (\n _Im_ProcessEvent\n | where EventType =~ \"ProcessCreated\"\n | where Process =~ \"sdelete.exe\" or CommandLine has \"sdelete\"\n | where ActingProcessName endswith \"svchost.exe\"\n | where CommandLine has_all (\"-s\", \"-r\")\n | extend timekey = bin(TimeGenerated, 1m)\n ) \n on $left.ActingProcessId == $right.ParentProcessId, timekey, Dvc\n| extend AccountName = tostring(split(ActorUsername, @'\\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\\')[0])\n| extend HostName = tostring(split(Dvc, \".\")[0]), DomainIndex = toint(indexof(Dvc, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\n| project-away DomainIndex\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "Medium",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Impact"
],
"tags": [
null
],
"techniques": [
"T1485"
],
"templateVersion": "1.0.6",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}