Sdelete deployed via GPO and run recursively ASIM Version

_Im_ProcessEvent
| where EventType =~ "ProcessCreated"
| where Process endswith "svchost.exe"
| where CommandLine has "-k GPSvcGroup" or CommandLine has "-s gpsvc"
| extend timekey = bin(TimeGenerated, 1m)
| project timekey, ActingProcessId, Dvc
| join kind=inner (
  _Im_ProcessEvent
  | where EventType =~ "ProcessCreated"
  | where Process =~ "sdelete.exe" or CommandLine has "sdelete"
  | where ActingProcessName endswith "svchost.exe"
  | where CommandLine has_all ("-s", "-r")
  | extend timekey = bin(TimeGenerated, 1m)
  ) 
  on $left.ActingProcessId == $right.ParentProcessId, timekey, Dvc
| extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0])
| extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
| project-away DomainIndex

severity: Medium
queryFrequency: 1d
kind: Scheduled
description: |
  'This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.
    This query uses the Advanced Security Information Model. Parsers will need to be deployed before use: https://docs.microsoft.com/azure/sentinel/normalization'  
id: 30c8b802-ace1-4408-bc29-4c5c5afb49e1
version: 1.0.6
requiredDataConnectors: []
tags:
- 
queryPeriod: 1d
triggerOperator: gt
metadata:
  author:
    name: Microsoft Security Research
  support:
    tier: Community
  categories:
    domains:
    - Security - Threat Protection
  source:
    kind: Community
name: Sdelete deployed via GPO and run recursively (ASIM Version)
query: |
  _Im_ProcessEvent
  | where EventType =~ "ProcessCreated"
  | where Process endswith "svchost.exe"
  | where CommandLine has "-k GPSvcGroup" or CommandLine has "-s gpsvc"
  | extend timekey = bin(TimeGenerated, 1m)
  | project timekey, ActingProcessId, Dvc
  | join kind=inner (
    _Im_ProcessEvent
    | where EventType =~ "ProcessCreated"
    | where Process =~ "sdelete.exe" or CommandLine has "sdelete"
    | where ActingProcessName endswith "svchost.exe"
    | where CommandLine has_all ("-s", "-r")
    | extend timekey = bin(TimeGenerated, 1m)
    ) 
    on $left.ActingProcessId == $right.ParentProcessId, timekey, Dvc
  | extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0])
  | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
  | project-away DomainIndex  
relevantTechniques:
- T1485
triggerThreshold: 0
tactics:
- Impact
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/SdeletedeployedviaGPOandrunrecursively(ASIMVersion).yaml
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: ActorUsername
  - identifier: Name
    columnName: AccountName
  - identifier: NTDomain
    columnName: AccountNTDomain
  entityType: Account
- fieldMappings:
  - identifier: FullName
    columnName: Dvc
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: HostNameDomain
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: DvcIpAddr
  entityType: IP