Potential re-named sdelete usage ASIM Version
| Id | 5b6ae038-f66e-4f74-9315-df52fd492be4 |
| Rulename | Potential re-named sdelete usage (ASIM Version) |
| Description | This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host’s C drive. A threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host. This detection uses the ASIM imProcess parser, this will need to be deployed before use - https://docs.microsoft.com/azure/sentinel/normalization |
| Severity | Low |
| Tactics | DefenseEvasion Impact |
| Techniques | T1485 T1036 |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/Potentialre-namedsdeleteusage(ASIMVersion).yaml |
| Version | 1.0.6 |
| Arm template | 5b6ae038-f66e-4f74-9315-df52fd492be4.json |
imProcess
| where CommandLine has_all ("accepteula", "-s", "-r", "-q")
| where Process !endswith "sdelete.exe"
| where CommandLine !has "sdelete"
| extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0])
relevantTechniques:
- T1485
- T1036
name: Potential re-named sdelete usage (ASIM Version)
requiredDataConnectors: []
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: ActorUsername
- identifier: Name
columnName: AccountName
- identifier: NTDomain
columnName: AccountNTDomain
entityType: Account
- fieldMappings:
- identifier: FullName
columnName: Dvc
- identifier: HostName
columnName: DvcHostname
- identifier: DnsDomain
columnName: DvcDomain
entityType: Host
- fieldMappings:
- identifier: Address
columnName: DvcIpAddr
entityType: IP
triggerThreshold: 0
id: 5b6ae038-f66e-4f74-9315-df52fd492be4
tactics:
- DefenseEvasion
- Impact
version: 1.0.6
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/Potentialre-namedsdeleteusage(ASIMVersion).yaml
queryPeriod: 1h
kind: Scheduled
metadata:
categories:
domains:
- Security - Threat Protection
author:
name: Microsoft Security Research
support:
tier: Community
source:
kind: Community
queryFrequency: 1h
severity: Low
description: |
'This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host's C drive.
A threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.
This detection uses the ASIM imProcess parser, this will need to be deployed before use - https://docs.microsoft.com/azure/sentinel/normalization'
query: |
imProcess
| where CommandLine has_all ("accepteula", "-s", "-r", "-q")
| where Process !endswith "sdelete.exe"
| where CommandLine !has "sdelete"
| extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0])
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5b6ae038-f66e-4f74-9315-df52fd492be4')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5b6ae038-f66e-4f74-9315-df52fd492be4')]",
"properties": {
"alertRuleTemplateName": "5b6ae038-f66e-4f74-9315-df52fd492be4",
"customDetails": null,
"description": "'This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host's C drive.\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.\nThis detection uses the ASIM imProcess parser, this will need to be deployed before use - https://docs.microsoft.com/azure/sentinel/normalization'\n",
"displayName": "Potential re-named sdelete usage (ASIM Version)",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "ActorUsername",
"identifier": "FullName"
},
{
"columnName": "AccountName",
"identifier": "Name"
},
{
"columnName": "AccountNTDomain",
"identifier": "NTDomain"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "Dvc",
"identifier": "FullName"
},
{
"columnName": "DvcHostname",
"identifier": "HostName"
},
{
"columnName": "DvcDomain",
"identifier": "DnsDomain"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "DvcIpAddr",
"identifier": "Address"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/Potentialre-namedsdeleteusage(ASIMVersion).yaml",
"query": "imProcess\n| where CommandLine has_all (\"accepteula\", \"-s\", \"-r\", \"-q\")\n| where Process !endswith \"sdelete.exe\"\n| where CommandLine !has \"sdelete\"\n| extend AccountName = tostring(split(ActorUsername, @'\\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\\')[0])\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Low",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"DefenseEvasion",
"Impact"
],
"techniques": [
"T1036",
"T1485"
],
"templateVersion": "1.0.6",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}