Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Sdelete deployed via GPO and run recursively

Sdelete deployed via GPO and run recursively

Back
Idd9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5
RulenameSdelete deployed via GPO and run recursively
DescriptionThis query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.
SeverityMedium
TacticsImpact
TechniquesT1485
Required data connectorsSecurityEvents
WindowsSecurityEvents
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/SdeletedeployedviaGPOandrunrecursively.yaml
Version1.0.2
Arm templated9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5.json
Deploy To Azure
SecurityEvent
  | where EventID == 4688
  | where Process =~ "svchost.exe"
  | where CommandLine has "-k GPSvcGroup" or CommandLine has "-s gpsvc"
  | extend timekey = bin(TimeGenerated, 1m)
  | project timekey, NewProcessId, Computer
  | join kind=inner (SecurityEvent
  | where EventID == 4688
  | where Process =~ "sdelete.exe" or CommandLine has "sdelete"
  | where ParentProcessName endswith "svchost.exe"
  | where CommandLine has_all ("-s", "-r")
  | extend newProcess = Process
  | extend timekey = bin(TimeGenerated, 1m)
  ) on $left.NewProcessId == $right.ProcessId, timekey, Computer
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | extend AccountName = tostring(split(TargetAccount, @'\')[1]), AccountNTDomain = tostring(split(TargetAccount, @'\')[0])

id: d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5
name: Sdelete deployed via GPO and run recursively
tags:
- 
requiredDataConnectors:
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvent
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: TargetAccount
  - identifier: Name
    columnName: AccountName
  - identifier: NTDomain
    columnName: AccountNTDomain
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: Computer
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: HostNameDomain
description: |
    'This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.'
status: Available
query: |
  SecurityEvent
    | where EventID == 4688
    | where Process =~ "svchost.exe"
    | where CommandLine has "-k GPSvcGroup" or CommandLine has "-s gpsvc"
    | extend timekey = bin(TimeGenerated, 1m)
    | project timekey, NewProcessId, Computer
    | join kind=inner (SecurityEvent
    | where EventID == 4688
    | where Process =~ "sdelete.exe" or CommandLine has "sdelete"
    | where ParentProcessName endswith "svchost.exe"
    | where CommandLine has_all ("-s", "-r")
    | extend newProcess = Process
    | extend timekey = bin(TimeGenerated, 1m)
    ) on $left.NewProcessId == $right.ProcessId, timekey, Computer
    | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
    | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
    | extend AccountName = tostring(split(TargetAccount, @'\')[1]), AccountNTDomain = tostring(split(TargetAccount, @'\')[0])  
severity: Medium
triggerThreshold: 0
queryPeriod: 1d
queryFrequency: 1d
triggerOperator: gt
kind: Scheduled
tactics:
- Impact
relevantTechniques:
- T1485
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/SdeletedeployedviaGPOandrunrecursively.yaml
version: 1.0.2

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5')]",
      "properties": {
        "alertRuleTemplateName": "d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5",
        "customDetails": null,
        "description": "'This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.'\n",
        "displayName": "Sdelete deployed via GPO and run recursively",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "TargetAccount",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountNTDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "HostNameDomain",
                "identifier": "DnsDomain"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/SdeletedeployedviaGPOandrunrecursively.yaml",
        "query": "SecurityEvent\n  | where EventID == 4688\n  | where Process =~ \"svchost.exe\"\n  | where CommandLine has \"-k GPSvcGroup\" or CommandLine has \"-s gpsvc\"\n  | extend timekey = bin(TimeGenerated, 1m)\n  | project timekey, NewProcessId, Computer\n  | join kind=inner (SecurityEvent\n  | where EventID == 4688\n  | where Process =~ \"sdelete.exe\" or CommandLine has \"sdelete\"\n  | where ParentProcessName endswith \"svchost.exe\"\n  | where CommandLine has_all (\"-s\", \"-r\")\n  | extend newProcess = Process\n  | extend timekey = bin(TimeGenerated, 1m)\n  ) on $left.NewProcessId == $right.ProcessId, timekey, Computer\n  | extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n  | extend AccountName = tostring(split(TargetAccount, @'\\')[1]), AccountNTDomain = tostring(split(TargetAccount, @'\\')[0])\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "tags": [
          null
        ],
        "techniques": [
          "T1485"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}