id: 5b6ae038-f66e-4f74-9315-df52fd492be4
name: Potential re-named sdelete usage (ASIM Version)
description: |
'This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host's C drive.
A threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.
This detection uses the ASIM imProcess parser, this will need to be deployed before use - https://docs.microsoft.com/azure/sentinel/normalization'
severity: Low
requiredDataConnectors: []
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
- Impact
relevantTechniques:
- T1485
- T1036
query: |
imProcess
| where CommandLine has_all ("accepteula", "-s", "-r", "-q")
| where Process !endswith "sdelete.exe"
| where CommandLine !has "sdelete"
entityMappings:
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: DvcHostname
- entityType: IP
fieldMappings:
- identifier: Address
columnName: DvcIpAddr
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: ActorUsername
version: 1.0.3
kind: Scheduledcloudflare/Azure-Sentinel
Publicmirrored fromhttps://github.com/cloudflare/Azure-Sentinel
Detections/ASimProcess/Potentialre-namedsdeleteusage(ASIMVersion).yaml
38lines · modepreview
3 years ago