Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Potential re-named sdelete usage

Potential re-named sdelete usage

Back
Id720d12c6-a08c-44c4-b18f-2236412d59b0
RulenamePotential re-named sdelete usage
DescriptionThis detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host’s C drive.

A threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.
SeverityLow
TacticsDefenseEvasion
Impact
TechniquesT1485
T1036
Required data connectorsSecurityEvents
WindowsSecurityEvents
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/Potentialre-namedsdeleteusage.yaml
Version1.0.3
Arm template720d12c6-a08c-44c4-b18f-2236412d59b0.json
Deploy To Azure
SecurityEvent
  | where EventID == 4688
  | where Process !~ "sdelete.exe"
  | where CommandLine has_all ("accepteula", "-r", "-s", "-q", "c:/")
  | where CommandLine !has ("sdelete")
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | extend AccountName = tostring(split(TargetAccount, @'\')[1]), AccountNTDomain = tostring(split(TargetAccount, @'\')[0])

status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/Potentialre-namedsdeleteusage.yaml
query: |
  SecurityEvent
    | where EventID == 4688
    | where Process !~ "sdelete.exe"
    | where CommandLine has_all ("accepteula", "-r", "-s", "-q", "c:/")
    | where CommandLine !has ("sdelete")
    | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
    | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
    | extend AccountName = tostring(split(TargetAccount, @'\')[1]), AccountNTDomain = tostring(split(TargetAccount, @'\')[0])  
requiredDataConnectors:
- dataTypes:
  - SecurityEvent
  connectorId: SecurityEvents
- dataTypes:
  - SecurityEvent
  connectorId: WindowsSecurityEvents
tactics:
- DefenseEvasion
- Impact
name: Potential re-named sdelete usage
relevantTechniques:
- T1485
- T1036
severity: Low
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: TargetAccount
  - identifier: Name
    columnName: AccountName
  - identifier: NTDomain
    columnName: AccountNTDomain
  entityType: Account
- fieldMappings:
  - identifier: FullName
    columnName: Computer
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: HostNameDomain
  entityType: Host
kind: Scheduled
queryFrequency: 1h
description: |
  'This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host's C drive.
  A threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.'  
triggerThreshold: 0
triggerOperator: gt
version: 1.0.3
queryPeriod: 1h
id: 720d12c6-a08c-44c4-b18f-2236412d59b0