Sdelete deployed via GPO and run recursively

Back


Id	d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5
Rulename	Sdelete deployed via GPO and run recursively
Description	This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.
Severity	Medium
Tactics	Impact
Techniques	T1485
Required data connectors	SecurityEvents WindowsSecurityEvents
Kind	Scheduled
Query frequency	1d
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/SdeletedeployedviaGPOandrunrecursively.yaml
Version	1.0.1
Arm template	d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5.json

KQL

SecurityEvent
  | where EventID == 4688
  | where Process =~ "svchost.exe"
  | where CommandLine has "-k GPSvcGroup" or CommandLine has "-s gpsvc"
  | extend timekey = bin(TimeGenerated, 1m)
  | project timekey, NewProcessId, Computer
  | join kind=inner (SecurityEvent
  | where EventID == 4688
  | where Process =~ "sdelete.exe" or CommandLine has "sdelete"
  | where ParentProcessName endswith "svchost.exe"
  | where CommandLine has_all ("-s", "-r")
  | extend newProcess = Process
  | extend timekey = bin(TimeGenerated, 1m)
  ) on $left.NewProcessId == $right.ProcessId, timekey, Computer

YAML

severity: Medium
queryFrequency: 1d
relevantTechniques:
- T1485
tactics:
- Impact
kind: Scheduled
query: |
  SecurityEvent
    | where EventID == 4688
    | where Process =~ "svchost.exe"
    | where CommandLine has "-k GPSvcGroup" or CommandLine has "-s gpsvc"
    | extend timekey = bin(TimeGenerated, 1m)
    | project timekey, NewProcessId, Computer
    | join kind=inner (SecurityEvent
    | where EventID == 4688
    | where Process =~ "sdelete.exe" or CommandLine has "sdelete"
    | where ParentProcessName endswith "svchost.exe"
    | where CommandLine has_all ("-s", "-r")
    | extend newProcess = Process
    | extend timekey = bin(TimeGenerated, 1m)
    ) on $left.NewProcessId == $right.ProcessId, timekey, Computer  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/SdeletedeployedviaGPOandrunrecursively.yaml
queryPeriod: 1d
status: Available
version: 1.0.1
tags:
- 
name: Sdelete deployed via GPO and run recursively
requiredDataConnectors:
- dataTypes:
  - SecurityEvent
  connectorId: SecurityEvents
- dataTypes:
  - SecurityEvent
  connectorId: WindowsSecurityEvents
triggerOperator: gt
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: Account
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: Computer
id: d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5
description: |
    'This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.'
triggerThreshold: 0

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Sdelete deployed via GPO and run recursively",
        "description": "'This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "SecurityEvent\n  | where EventID == 4688\n  | where Process =~ \"svchost.exe\"\n  | where CommandLine has \"-k GPSvcGroup\" or CommandLine has \"-s gpsvc\"\n  | extend timekey = bin(TimeGenerated, 1m)\n  | project timekey, NewProcessId, Computer\n  | join kind=inner (SecurityEvent\n  | where EventID == 4688\n  | where Process =~ \"sdelete.exe\" or CommandLine has \"sdelete\"\n  | where ParentProcessName endswith \"svchost.exe\"\n  | where CommandLine has_all (\"-s\", \"-r\")\n  | extend newProcess = Process\n  | extend timekey = bin(TimeGenerated, 1m)\n  ) on $left.NewProcessId == $right.ProcessId, timekey, Computer\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1485"
        ],
        "alertRuleTemplateName": "d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "Account",
                "identifier": "FullName"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "FullName"
              }
            ],
            "entityType": "Host"
          }
        ],
        "tags": [
          null
        ],
        "status": "Available",
        "templateVersion": "1.0.1",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/SdeletedeployedviaGPOandrunrecursively.yaml"
      }
    }
  ]
}