Sdelete deployed via GPO and run recursively (ASIM Version)
This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple hosts and delete data on them. The query uses the Advanced Security Information Model (ASIM); the ASIM process-event parsers must be deployed before use: https://docs.microsoft.com/azure/sentinel/normalization
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Impact | T1485 Data Destruction |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Sysmon | 5 | Process terminated |
| Security-Auditing | 4688 | A new process has been created. |
| Security-Auditing | 4689 | A process has exited. |
Stages and Predicates
Stage 1: source
_Im_ProcessEvent
Stage 2: where
EventType eq "ProcessCreated"
Stage 3: where
Process ends_with "svchost.exe"
Stage 4: where
CommandLine match "-k GPSvcGroup" or CommandLine match "-s gpsvc"
Stage 5: extend
Stage 6: project
Stage 7: join
Stage 8: extend
Stage 9: extend
Stage 10: extend
Stage 11: project-away
Stages 2 to 4 select the svchost.exe instance that hosts the Group Policy Client service (gpsvc), which is started with "-k GPSvcGroup", or with "-s gpsvc" on builds where the service runs in its own service host. Stages 5 to 11 carry no predicates in this listing; the join correlates that service host with the Sdelete process events, and the predicates of the join's other side are not recorded here.
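The following is an added example, not the catalogue's own KQL: it replays the rule's logic in Python over constructed ASIM-style process events so the two legs of the detection can be seen end to end. Stages 1 to 4 are taken from the listing above. Everything else is an assumption made for the example: the Sdelete leg (process name ending in sdelete.exe, or sdelete64.exe, with the "-s" recurse flag), the join keys (same Dvc, the Sdelete event's ActingProcessId equal to the service host's ProcessId) and the one-minute window. The `has_phrase` helper approximates KQL `has` with a simple term split and is also an assumption.

```python
"""Replay of the 'Sdelete deployed via GPO and run recursively' logic over
constructed process events. Added example; the join keys, window and the
Sdelete predicates are assumptions, not the catalogue rule's own query."""
import re
from datetime import datetime, timedelta

# Constructed sample input shaped like _Im_ProcessEvent rows. Not real telemetry.
T = datetime(2024, 5, 1, 10, 0, 0)
EVENTS = [
    # WS01: gpsvc service host, then Sdelete spawned by it 15 s later -> hit
    {"TimeGenerated": T + timedelta(seconds=5), "EventType": "ProcessCreated", "Dvc": "WS01",
     "ProcessId": 1204, "ActingProcessId": 760, "Process": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k GPSvcGroup -s gpsvc"},
    {"TimeGenerated": T + timedelta(seconds=20), "EventType": "ProcessCreated", "Dvc": "WS01",
     "ProcessId": 4412, "ActingProcessId": 1204, "Process": r"C:\Windows\Temp\sdelete.exe",
     "CommandLine": r"sdelete.exe -accepteula -s -q C:\Users"},
    # Same process exiting: filtered out by EventType (Sysmon 5 / 4689 feed ASIM too)
    {"TimeGenerated": T + timedelta(seconds=25), "EventType": "ProcessTerminated", "Dvc": "WS01",
     "ProcessId": 4412, "ActingProcessId": 1204, "Process": r"C:\Windows\Temp\sdelete.exe",
     "CommandLine": r"sdelete.exe -accepteula -s -q C:\Users"},
    # WS02: an ordinary netsvcs host and an interactive Sdelete -> no hit
    {"TimeGenerated": T + timedelta(seconds=8), "EventType": "ProcessCreated", "Dvc": "WS02",
     "ProcessId": 900, "ActingProcessId": 760, "Process": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"TimeGenerated": T + timedelta(seconds=15), "EventType": "ProcessCreated", "Dvc": "WS02",
     "ProcessId": 5000, "ActingProcessId": 900, "Process": r"C:\Tools\sdelete.exe",
     "CommandLine": r"sdelete.exe -accepteula -s C:\Temp"},
    {"TimeGenerated": T + timedelta(seconds=30), "EventType": "ProcessCreated", "Dvc": "WS02",
     "ProcessId": 5100, "ActingProcessId": 3100, "Process": r"C:\Tools\sdelete.exe",
     "CommandLine": r"sdelete.exe -accepteula C:\Temp\a.txt"},
    # WS03: gpsvc host, Sdelete five minutes later -> only a hit with a wider window
    {"TimeGenerated": T, "EventType": "ProcessCreated", "Dvc": "WS03",
     "ProcessId": 1300, "ActingProcessId": 760, "Process": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k GPSvcGroup"},
    {"TimeGenerated": T + timedelta(minutes=5), "EventType": "ProcessCreated", "Dvc": "WS03",
     "ProcessId": 6000, "ActingProcessId": 1300, "Process": r"C:\Windows\Temp\sdelete64.exe",
     "CommandLine": r"sdelete64.exe -accepteula -s C:\Data"},
]


def has_phrase(cmdline, phrase):
    """Rough stand-in for KQL `has`: split both sides into lower-case terms and
    require the phrase's terms to appear contiguously (assumption, not ASIM code)."""
    toks = re.findall(r"[a-z0-9_-]+", cmdline.lower())
    want = re.findall(r"[a-z0-9_-]+", phrase.lower())
    n = len(want)
    return any(toks[i:i + n] == want for i in range(len(toks) - n + 1))


def is_gpo_svchost(ev):
    """Stages 2 to 4 of the rule: a created svchost.exe hosting gpsvc."""
    return (ev["EventType"] == "ProcessCreated"
            and ev["Process"].lower().endswith("svchost.exe")
            and (has_phrase(ev["CommandLine"], "-k GPSvcGroup")
                 or has_phrase(ev["CommandLine"], "-s gpsvc")))


def is_recursive_sdelete(ev):
    """Assumed second leg: Sdelete created with the -s (recurse) flag."""
    name = ev["Process"].lower()
    return (ev["EventType"] == "ProcessCreated"
            and (name.endswith("sdelete.exe") or name.endswith("sdelete64.exe"))
            and has_phrase(ev["CommandLine"], "-s"))


def detect(events, window=timedelta(minutes=1)):
    """Join both legs on (Dvc, parent pid) within `window` of the host's creation.
    Returns one dict per correlated Sdelete execution."""
    hosts = {(e["Dvc"], e["ProcessId"]): e["TimeGenerated"] for e in events if is_gpo_svchost(e)}
    hits = []
    for ev in events:
        if not is_recursive_sdelete(ev):
            continue
        started = hosts.get((ev["Dvc"], ev["ActingProcessId"]))
        if started is not None and started <= ev["TimeGenerated"] <= started + window:
            hits.append({"Dvc": ev["Dvc"], "SvchostPid": ev["ActingProcessId"],
                         "SdeletePid": ev["ProcessId"], "CommandLine": ev["CommandLine"]})
    return hits


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```

The WS03 pair is there to make the join window visible: the gpsvc service host is normally started at boot and lives for the session, so correlating on the host's creation time with a one-minute window misses anything GPO launches later, while a wide window admits every recursive Sdelete whose parent is that host. Check which key the deployed rule actually joins on before tuning either way.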
Indicators
Each row is a field, operator, and value that the rule matches; the values are the predicates listed in the stages above.
| Field | Kind | Values |
|---|---|---|
| CommandLine | match | "-k GPSvcGroup", "-s gpsvc" |
| EventType | eq | "ProcessCreated" |
| Process | ends_with | "svchost.exe" |