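# Microsoft Sentinel scheduled analytics rule (ASIM ProcessEvent variant).
# The query correlates, on the same device and within the same one-minute
# bucket, a Group Policy service host (svchost.exe launched with
# "-k GPSvcGroup" or "-s gpsvc") with an sdelete.exe run whose acting process
# is svchost.exe and whose command line carries both the -s and -r switches.
# Every match produces an alert (triggerOperator gt 0).
id: 30c8b802-ace1-4408-bc29-4c5c5afb49e1
name: Sdelete deployed via GPO and run recursively (ASIM Version)
description: |
  'This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.
  This query uses the Advanced Security Information Model. Parsers will need to be deployed before use: https://docs.microsoft.com/azure/sentinel/normalization'
severity: Medium
# The ASIM parser (imProcess) abstracts the source table, so no specific
# connector is required by the rule itself.
requiredDataConnectors: []
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Impact
relevantTechniques:
  - T1485
# Explicit empty list: the previous bare "-" entry parsed as a list holding a
# single null element.
tags: []
# NOTE(review): the outer query projects ActingProcessId and the join compares
# it with the inner side's ParentProcessId. If ActingProcessId is the creator of
# the svchost target and ParentProcessId is the creator of the inner acting
# process (as the ASIM ProcessEvent schema describes), both resolve to the
# parent of svchost rather than to the svchost instance itself, so the link is
# looser than the rule name suggests; confirm whether
# "$left.TargetProcessId == $right.ActingProcessId" was intended.
# NOTE(review): joining on equal bin(TimeGenerated, 1m) buckets misses pairs
# that straddle a minute boundary - a known trade-off of this pattern.
# NOTE(review): AccountName/AccountNTDomain assume ActorUsername is in
# DOMAIN\user form; other formats yield an empty AccountName - verify against
# the parsers in use.
query: |
  imProcess
  | where EventType =~ "ProcessCreated"
  | where Process endswith "svchost.exe"
  | where CommandLine has "-k GPSvcGroup" or CommandLine has "-s gpsvc"
  | extend timekey = bin(TimeGenerated, 1m)
  | project timekey, ActingProcessId, Dvc
  | join kind=inner (
  imProcess
  | where EventType =~ "ProcessCreated"
  | where Process =~ "sdelete.exe" or CommandLine has "sdelete"
  | where ActingProcessName endswith "svchost.exe"
  | where CommandLine has_all ("-s", "-r")
  | extend timekey = bin(TimeGenerated, 1m)
  )
  on $left.ActingProcessId == $right.ParentProcessId, timekey, Dvc
  | extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0])
  | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
  | project-away DomainIndex
# Entity mappings consume the columns derived at the end of the query.
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: ActorUsername
      - identifier: Name
        columnName: AccountName
      - identifier: NTDomain
        columnName: AccountNTDomain
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Dvc
      - identifier: HostName
        columnName: HostName
      - identifier: DnsDomain
        columnName: HostNameDomain
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: DvcIpAddr
version: 1.0.5
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Microsoft Security Research
  support:
    tier: Community
  categories:
    domains: [ "Security - Threat Protection" ]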