Sdelete deployed via GPO and run recursively
| Field | Value |
|---|---|
| Id | d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5 |
| Rulename | Sdelete deployed via GPO and run recursively |
| Description | This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple hosts and delete data on them. |
| Severity | Medium |
| Tactics | Impact |
| Techniques | T1485 |
| Required data connectors | SecurityEvents, WindowsSecurityEvents |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/SdeletedeployedviaGPOandrunrecursively.yaml |
| Version | 1.0.2 |
| Arm template | d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5.json |
```kusto
SecurityEvent
| where EventID == 4688
| where Process =~ "svchost.exe"
| where CommandLine has "-k GPSvcGroup" or CommandLine has "-s gpsvc"
| extend timekey = bin(TimeGenerated, 1m)
| project timekey, NewProcessId, Computer
| join kind=inner (
    SecurityEvent
    | where EventID == 4688
    | where Process =~ "sdelete.exe" or CommandLine has "sdelete"
    | where ParentProcessName endswith "svchost.exe"
    | where CommandLine has_all ("-s", "-r")
    | extend newProcess = Process
    | extend timekey = bin(TimeGenerated, 1m)
) on $left.NewProcessId == $right.ProcessId, timekey, Computer
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend AccountName = tostring(split(TargetAccount, @'\')[1]), AccountNTDomain = tostring(split(TargetAccount, @'\')[0])
```
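The correlation the rule performs, re-implemented in Python over constructed Windows 4688 events as an added example. This is not code from the Sentinel rule or the Azure-Sentinel repository: column names follow the `SecurityEvent` table the rule queries, the hosts, accounts, process IDs and command lines are constructed sample data, and KQL's `has`/`has_all` term matching is approximated with case-insensitive substring and whitespace-token checks. It also shows one limit of joining on a 1-minute `bin`: a parent svchost and its sdelete child that straddle a minute boundary fall into different bins and do not match.

```python
"""Added example: the Sentinel rule's join logic re-implemented over constructed 4688 events."""
from collections import defaultdict
from datetime import datetime

SVCHOST = r"C:\Windows\System32\svchost.exe"


def ev(t, computer, proc, cmd, new_pid, pid, parent, account):
    """Build one SecurityEvent-like 4688 record (constructed sample data, not real telemetry)."""
    return {"TimeGenerated": t, "EventID": 4688, "Computer": computer,
            "Process": proc, "CommandLine": cmd, "NewProcessId": new_pid,
            "ProcessId": pid, "ParentProcessName": parent, "TargetAccount": account}


# Constructed sample events; process IDs are hex strings, as in 4688 telemetry.
SAMPLE_EVENTS = [
    # host1: Group Policy service host, then sdelete -s -r spawned from it 35 s later
    ev("2024-05-01T10:00:05Z", "host1.corp.example", "svchost.exe",
       SVCHOST + " -k GPSvcGroup -s gpsvc", "0x1a4", "0x2b8",
       r"C:\Windows\System32\services.exe", r"NT AUTHORITY\SYSTEM"),
    ev("2024-05-01T10:00:40Z", "host1.corp.example", "sdelete.exe",
       r"sdelete.exe -accepteula -s -r C:\Users", "0x3f0", "0x1a4",
       SVCHOST, r"CORP\host1$"),
    # host1: an admin runs sdelete from cmd.exe; parent is not svchost, so no alert
    ev("2024-05-01T10:02:10Z", "host1.corp.example", "sdelete.exe",
       r"sdelete.exe -s -r D:\old", "0x7a0", "0x5c0",
       r"C:\Windows\System32\cmd.exe", r"CORP\jdoe"),
    # host2: same pattern (and the same PID value, to show Computer is part of the key),
    # but parent and child straddle a minute boundary, so the 1-minute bin join misses it
    ev("2024-05-01T10:05:59Z", "host2.corp.example", "svchost.exe",
       SVCHOST + " -k GPSvcGroup -s gpsvc", "0x1a4", "0x2b8",
       r"C:\Windows\System32\services.exe", r"NT AUTHORITY\SYSTEM"),
    ev("2024-05-01T10:06:01Z", "host2.corp.example", "sdelete.exe",
       r"sdelete.exe -s -r C:\Users", "0x3f0", "0x1a4",
       SVCHOST, r"CORP\host2$"),
]


def timekey(ts):
    """bin(TimeGenerated, 1m): floor an ISO-8601 timestamp to the minute."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).replace(second=0, microsecond=0)


def tokens(cmd):
    """Case-insensitive whitespace tokens; approximates KQL has_all on short flags."""
    return [t.lower() for t in cmd.split()]


def is_gpsvc_host(e):
    """Left side of the join: svchost.exe hosting the Group Policy client service."""
    cmd = e["CommandLine"].lower()
    return (e["EventID"] == 4688 and e["Process"].lower() == "svchost.exe"
            and ("-k gpsvcgroup" in cmd or "-s gpsvc" in cmd))


def is_recursive_sdelete(e):
    """Right side of the join: sdelete run with -s and -r, spawned by an svchost.exe."""
    toks = tokens(e["CommandLine"])
    return (e["EventID"] == 4688
            and (e["Process"].lower() == "sdelete.exe" or "sdelete" in e["CommandLine"].lower())
            and e["ParentProcessName"].lower().endswith("svchost.exe")
            and "-s" in toks and "-r" in toks)


def enrich(e):
    """The rule's extend steps: host name / DNS domain and account name / NT domain."""
    computer = e["Computer"]
    host, _, domain = computer.partition(".")          # split(Computer, ".")[0] and the rest
    nt_domain, _, account = e["TargetAccount"].partition("\\")
    return {"Computer": computer, "HostName": host,
            "HostNameDomain": domain if domain else computer,   # iff(DomainIndex != -1, ...)
            "TargetAccount": e["TargetAccount"], "AccountName": account,
            "AccountNTDomain": nt_domain, "CommandLine": e["CommandLine"],
            "TimeGenerated": e["TimeGenerated"]}


def correlate(events):
    """inner join on $left.NewProcessId == $right.ProcessId, timekey, Computer."""
    parents = defaultdict(list)
    for e in events:
        if is_gpsvc_host(e):
            parents[(e["Computer"], timekey(e["TimeGenerated"]), e["NewProcessId"])].append(e)
    hits = []
    for e in events:
        if not is_recursive_sdelete(e):
            continue
        key = (e["Computer"], timekey(e["TimeGenerated"]), e["ProcessId"])
        for _parent in parents.get(key, []):   # inner join: one output row per matching parent
            hits.append(enrich(e))
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(f"{hit['TimeGenerated']} {hit['HostName']}.{hit['HostNameDomain']} "
              f"{hit['AccountNTDomain']}\\{hit['AccountName']}: {hit['CommandLine']}")
```

Run as-is, it reports only the host1 pair; the host2 pair is silently dropped because `bin(TimeGenerated, 1m)` places the parent at 10:05 and the child at 10:06. Equality on the bin is what makes the join cheap and keeps reused process IDs from pairing across the day, so a tuning that widens the match (joining on a bounded time difference rather than bin equality) trades that precision for catching the boundary case.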
```yaml
id: d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5
name: Sdelete deployed via GPO and run recursively
description: |
  'This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple hosts and delete data on them.'
severity: Medium
status: Available
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
  - connectorId: WindowsSecurityEvents
    dataTypes:
      - SecurityEvent
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Impact
relevantTechniques:
  - T1485
tags:
  -
query: |
  SecurityEvent
  | where EventID == 4688
  | where Process =~ "svchost.exe"
  | where CommandLine has "-k GPSvcGroup" or CommandLine has "-s gpsvc"
  | extend timekey = bin(TimeGenerated, 1m)
  | project timekey, NewProcessId, Computer
  | join kind=inner (SecurityEvent
    | where EventID == 4688
    | where Process =~ "sdelete.exe" or CommandLine has "sdelete"
    | where ParentProcessName endswith "svchost.exe"
    | where CommandLine has_all ("-s", "-r")
    | extend newProcess = Process
    | extend timekey = bin(TimeGenerated, 1m)
  ) on $left.NewProcessId == $right.ProcessId, timekey, Computer
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | extend AccountName = tostring(split(TargetAccount, @'\')[1]), AccountNTDomain = tostring(split(TargetAccount, @'\')[0])
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: TargetAccount
      - identifier: Name
        columnName: AccountName
      - identifier: NTDomain
        columnName: AccountNTDomain
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Computer
      - identifier: HostName
        columnName: HostName
      - identifier: DnsDomain
        columnName: HostNameDomain
version: 1.0.2
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/SdeletedeployedviaGPOandrunrecursively.yaml
```