Potential re-named sdelete usage (ASIM Version)
Id | 5b6ae038-f66e-4f74-9315-df52fd492be4 |
Rulename | Potential re-named sdelete usage (ASIM Version) |
Description | This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host’s C drive. A threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host. This detection uses the ASIM imProcess parser, this will need to be deployed before use - https://docs.microsoft.com/azure/sentinel/normalization |
Severity | Low |
Tactics | DefenseEvasion Impact |
Techniques | T1485 T1036 |
Kind | Scheduled |
Query frequency | 1h |
Query period | 1h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/Potentialre-namedsdeleteusage(ASIMVersion).yaml |
Version | 1.0.4 |
Arm template | 5b6ae038-f66e-4f74-9315-df52fd492be4.json |
imProcess
| where CommandLine has_all ("accepteula", "-s", "-r", "-q")
| where Process !endswith "sdelete.exe"
| where CommandLine !has "sdelete"
metadata:
categories:
domains:
- Security - Threat Protection
source:
kind: Community
support:
tier: Community
author:
name: Pete Bryan
version: 1.0.4
name: Potential re-named sdelete usage (ASIM Version)
severity: Low
queryFrequency: 1h
kind: Scheduled
queryPeriod: 1h
description: |
'This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host's C drive.
A threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.
This detection uses the ASIM imProcess parser, this will need to be deployed before use - https://docs.microsoft.com/azure/sentinel/normalization'
query: |
imProcess
| where CommandLine has_all ("accepteula", "-s", "-r", "-q")
| where Process !endswith "sdelete.exe"
| where CommandLine !has "sdelete"
tactics:
- DefenseEvasion
- Impact
triggerOperator: gt
entityMappings:
- entityType: Host
fieldMappings:
- columnName: DvcHostname
identifier: FullName
- entityType: IP
fieldMappings:
- columnName: DvcIpAddr
identifier: Address
- entityType: Account
fieldMappings:
- columnName: ActorUsername
identifier: FullName
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/Potentialre-namedsdeleteusage(ASIMVersion).yaml
requiredDataConnectors: []
relevantTechniques:
- T1485
- T1036
id: 5b6ae038-f66e-4f74-9315-df52fd492be4
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5b6ae038-f66e-4f74-9315-df52fd492be4')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5b6ae038-f66e-4f74-9315-df52fd492be4')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01-preview",
"properties": {
"displayName": "Potential re-named sdelete usage (ASIM Version)",
"description": "'This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host's C drive.\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.\nThis detection uses the ASIM imProcess parser, this will need to be deployed before use - https://docs.microsoft.com/azure/sentinel/normalization'\n",
"severity": "Low",
"enabled": true,
"query": "imProcess\n | where CommandLine has_all (\"accepteula\", \"-s\", \"-r\", \"-q\")\n | where Process !endswith \"sdelete.exe\"\n | where CommandLine !has \"sdelete\"\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"DefenseEvasion",
"Impact"
],
"techniques": [
"T1485",
"T1036"
],
"alertRuleTemplateName": "5b6ae038-f66e-4f74-9315-df52fd492be4",
"customDetails": null,
"entityMappings": [
{
"fieldMappings": [
{
"columnName": "DvcHostname",
"identifier": "FullName"
}
],
"entityType": "Host"
},
{
"fieldMappings": [
{
"columnName": "DvcIpAddr",
"identifier": "Address"
}
],
"entityType": "IP"
},
{
"fieldMappings": [
{
"columnName": "ActorUsername",
"identifier": "FullName"
}
],
"entityType": "Account"
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/Potentialre-namedsdeleteusage(ASIMVersion).yaml",
"templateVersion": "1.0.4"
}
}
]
}