Sdelete deployed via GPO and run recursively (ASIM Version)
| Id | 30c8b802-ace1-4408-bc29-4c5c5afb49e1 |
| Rulename | Sdelete deployed via GPO and run recursively (ASIM Version) |
| Description | This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them. This query uses the Advanced Security Information Model. Parsers will need to be deployed before use: https://docs.microsoft.com/azure/sentinel/normalization |
| Severity | Medium |
| Tactics | Impact |
| Techniques | T1485 |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/SdeletedeployedviaGPOandrunrecursively(ASIMVersion).yaml |
| Version | 1.0.3 |
| Arm template | 30c8b802-ace1-4408-bc29-4c5c5afb49e1.json |
imProcess
| where EventType =~ "ProcessCreated"
| where Process endswith "svchost.exe"
| where CommandLine has "-k GPSvcGroup" or CommandLine has "-s gpsvc"
| extend timekey = bin(TimeGenerated, 1m)
| project timekey, ActingProcessId, Dvc
| join kind=inner (imProcess
| where EventType =~ "ProcessCreated"
| where Process =~ "sdelete.exe" or CommandLine has "sdelete"
| where ActingProcessName endswith "svchost.exe"
| where CommandLine has_all ("-s", "-r")
| extend timekey = bin(TimeGenerated, 1m)
) on $left.ActingProcessId == $right.ParentProcessId, timekey, Dvc
tags:
-
metadata:
categories:
domains:
- Security - Threat Protection
source:
kind: Community
support:
tier: Community
author:
name: Pete Bryan
version: 1.0.3
name: Sdelete deployed via GPO and run recursively (ASIM Version)
severity: Medium
queryFrequency: 1d
kind: Scheduled
queryPeriod: 1d
description: |
'This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.
This query uses the Advanced Security Information Model. Parsers will need to be deployed before use: https://docs.microsoft.com/azure/sentinel/normalization'
query: |
imProcess
| where EventType =~ "ProcessCreated"
| where Process endswith "svchost.exe"
| where CommandLine has "-k GPSvcGroup" or CommandLine has "-s gpsvc"
| extend timekey = bin(TimeGenerated, 1m)
| project timekey, ActingProcessId, Dvc
| join kind=inner (imProcess
| where EventType =~ "ProcessCreated"
| where Process =~ "sdelete.exe" or CommandLine has "sdelete"
| where ActingProcessName endswith "svchost.exe"
| where CommandLine has_all ("-s", "-r")
| extend timekey = bin(TimeGenerated, 1m)
) on $left.ActingProcessId == $right.ParentProcessId, timekey, Dvc
tactics:
- Impact
triggerOperator: gt
entityMappings:
- entityType: Account
fieldMappings:
- columnName: ActorUsername
identifier: FullName
- entityType: IP
fieldMappings:
- columnName: DvcIpAddr
identifier: Address
- entityType: Host
fieldMappings:
- columnName: Dvc
identifier: FullName
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/SdeletedeployedviaGPOandrunrecursively(ASIMVersion).yaml
requiredDataConnectors: []
relevantTechniques:
- T1485
id: 30c8b802-ace1-4408-bc29-4c5c5afb49e1
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/30c8b802-ace1-4408-bc29-4c5c5afb49e1')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/30c8b802-ace1-4408-bc29-4c5c5afb49e1')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01-preview",
"properties": {
"displayName": "Sdelete deployed via GPO and run recursively (ASIM Version)",
"description": "'This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\n This query uses the Advanced Security Information Model. Parsers will need to be deployed before use: https://docs.microsoft.com/azure/sentinel/normalization'\n",
"severity": "Medium",
"enabled": true,
"query": "imProcess\n | where EventType =~ \"ProcessCreated\"\n | where Process endswith \"svchost.exe\"\n | where CommandLine has \"-k GPSvcGroup\" or CommandLine has \"-s gpsvc\"\n | extend timekey = bin(TimeGenerated, 1m)\n | project timekey, ActingProcessId, Dvc\n | join kind=inner (imProcess\n | where EventType =~ \"ProcessCreated\"\n | where Process =~ \"sdelete.exe\" or CommandLine has \"sdelete\"\n | where ActingProcessName endswith \"svchost.exe\"\n | where CommandLine has_all (\"-s\", \"-r\")\n | extend timekey = bin(TimeGenerated, 1m)\n ) on $left.ActingProcessId == $right.ParentProcessId, timekey, Dvc\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Impact"
],
"techniques": [
"T1485"
],
"alertRuleTemplateName": "30c8b802-ace1-4408-bc29-4c5c5afb49e1",
"customDetails": null,
"entityMappings": [
{
"fieldMappings": [
{
"columnName": "ActorUsername",
"identifier": "FullName"
}
],
"entityType": "Account"
},
{
"fieldMappings": [
{
"columnName": "DvcIpAddr",
"identifier": "Address"
}
],
"entityType": "IP"
},
{
"fieldMappings": [
{
"columnName": "Dvc",
"identifier": "FullName"
}
],
"entityType": "Host"
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/SdeletedeployedviaGPOandrunrecursively(ASIMVersion).yaml",
"templateVersion": "1.0.3",
"tags": [
null
]
}
}
]
}