Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Potential re-named sdelete usage

Potential re-named sdelete usage

Back
Id720d12c6-a08c-44c4-b18f-2236412d59b0
RulenamePotential re-named sdelete usage
DescriptionThis detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host’s C drive.

A threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.
SeverityLow
TacticsDefenseEvasion
Impact
TechniquesT1485
T1036
Required data connectorsSecurityEvents
WindowsSecurityEvents
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/Potentialre-namedsdeleteusage.yaml
Version1.0.3
Arm template720d12c6-a08c-44c4-b18f-2236412d59b0.json
Deploy To Azure
SecurityEvent
  | where EventID == 4688
  | where Process !~ "sdelete.exe"
  | where CommandLine has_all ("accepteula", "-r", "-s", "-q", "c:/")
  | where CommandLine !has ("sdelete")
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | extend AccountName = tostring(split(TargetAccount, @'\')[1]), AccountNTDomain = tostring(split(TargetAccount, @'\')[0])

queryPeriod: 1h
query: |
  SecurityEvent
    | where EventID == 4688
    | where Process !~ "sdelete.exe"
    | where CommandLine has_all ("accepteula", "-r", "-s", "-q", "c:/")
    | where CommandLine !has ("sdelete")
    | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
    | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
    | extend AccountName = tostring(split(TargetAccount, @'\')[1]), AccountNTDomain = tostring(split(TargetAccount, @'\')[0])  
name: Potential re-named sdelete usage
entityMappings:
- fieldMappings:
  - columnName: TargetAccount
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountNTDomain
    identifier: NTDomain
  entityType: Account
- fieldMappings:
  - columnName: Computer
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: HostNameDomain
    identifier: DnsDomain
  entityType: Host
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/Potentialre-namedsdeleteusage.yaml
requiredDataConnectors:
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvent
description: |
  'This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host's C drive.
  A threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.'  
kind: Scheduled
version: 1.0.3
status: Available
severity: Low
relevantTechniques:
- T1485
- T1036
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
- Impact
id: 720d12c6-a08c-44c4-b18f-2236412d59b0