Adversaries may rename the Sysinternals sdelete executable and use it to securely delete multiple files, covering their tracks (wiping staged data after exfiltration, destroying evidence, or damaging a host) while evading detections that key on the tool's file name. The query below keys instead on the switch combination sdelete needs for a quiet recursive wipe that also clears read-only attributes (-accepteula, -s, -r, -q), then drops events where the image name or command line still identifies the tool as sdelete, so SOC teams can run it in Azure Sentinel to hunt for renamed copies. Two caveats before enabling it: the query does not restrict the target path (despite the description's mention of the C drive), and its exclusions match only the exact file name sdelete.exe and the whole term "sdelete", so confirm how other builds of the tool (such as the 64-bit sdelete64.exe) appear in your telemetry and whether they need their own exclusion.
KQL Query
imProcess
| where CommandLine has_all ("accepteula", "-s", "-r", "-q")
| where Process !endswith "sdelete.exe"
| where CommandLine !has "sdelete"
| extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0])
id: 5b6ae038-f66e-4f74-9315-df52fd492be4
name: Potential re-named sdelete usage (ASIM Version)
description: |
  'This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host's C drive.
  A threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.
  This detection uses the ASIM imProcess parser, this will need to be deployed before use - https://docs.microsoft.com/azure/sentinel/normalization'
severity: Low
requiredDataConnectors: []
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - DefenseEvasion
  - Impact
relevantTechniques:
  - T1485
  - T1036
query: |
  imProcess
  | where CommandLine has_all ("accepteula", "-s", "-r", "-q")
  | where Process !endswith "sdelete.exe"
  | where CommandLine !has "sdelete"
  | extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0])
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: ActorUsername
      - identifier: Name
        columnName: AccountName
      - identifier: NTDomain
        columnName: AccountNTDomain
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Dvc
      - identifier: HostName
        columnName: DvcHostname
      - identifier: DnsDomain
        columnName: DvcDomain
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: DvcIpAddr
version: 1.0.6
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Microsoft Security Research
  support:
    tier: Community
  categories:
    domains: [ "Security - Threat Protection" ]
T1485 (Data Destruction): Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render
T1036 (Masquerading): Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, l
Scenario: Scheduled Job to Clean Temporary Files
Description: A scheduled task runs sdelete to securely delete temporary files in the C:\Temp directory. This only reaches the rule if the task invokes a renamed or repackaged copy, since the stock sdelete.exe name is already excluded by the query.
Filter/Exclusion: Check for the presence of a scheduled task with a known name (e.g., CleanupTempFiles) and filter by the C:\Temp directory. Anchor the exclusion on the task's full image path and service account together with the directory, not on the directory alone, since an attacker can point a renamed copy at C:\Temp as well.
Scenario: Admin Task to Remove Old Logs
Description: An administrator uses sdelete to securely delete old log files from the C:\Logs directory as part of routine maintenance.
Filter/Exclusion: Filter by the C:\Logs directory and check for a known administrative task or script (e.g., LogCleanupScript.bat) as the parent process.
Scenario: Secure Deletion of Sensitive Data by Compliance Team
Description: A compliance team member uses sdelete to securely delete sensitive data from a specific folder (e.g., C:\Confidential) as part of a data sanitization process.
Filter/Exclusion: Filter by the C:\Confidential directory and check for user accounts associated with the compliance team (e.g., compliance_user).
Scenario: Use of sdelete in a Security Toolchain
Description: A security tool or SIEM agent uses sdelete to securely delete temporary artifacts or evidence files during an investigation.
Filter/Exclusion: Filter by known security tool directories (e.g., C:\SecurityTools\Temp) and check for parent processes belonging to security software (e.g., Windows Defender or Splunk).
Scenario: Use of sdelete by a System Maintenance Tool
Description: A system maintenance tool (e.g., a maintenance script that wraps the Sysinternals Suite tools) uses sdelete as part of its cleanup process to securely delete files from the system
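The query and the exclusion scenarios above, as an added worked example that is not part of the original page or of the Microsoft rule: a Python emulation of the rule's logic run over a handful of constructed imProcess-style events, followed by a second pass that applies the scheduled-task exclusion from the first scenario. KQL's `has` is approximated here as a case-insensitive whole-term match (no alphanumeric character on either side); that approximation, the image paths, the cleanup.exe task binary, the accounts and the directories are all assumptions of this example, not Kusto's engine or anyone's real telemetry.

```python
import re

# Constructed imProcess-style events (not real telemetry). Field names follow the
# ASIM schema the rule uses: Process, CommandLine, ActorUsername. Paths, accounts
# and the "cleanup.exe" task binary are placeholders for this example.
EVENTS = [
    # 1. sdelete renamed to look like a system binary: the case the rule targets.
    {"Process": r"C:\Users\Public\svchost32.exe",
     "CommandLine": r"svchost32.exe -accepteula -s -r -q C:\Users\jdoe\Documents",
     "ActorUsername": r"CORP\jdoe"},
    # 2. Stock sdelete.exe: dropped by the Process and CommandLine exclusions.
    {"Process": r"C:\Tools\sdelete.exe",
     "CommandLine": r"sdelete.exe -accepteula -s -r -q C:\Temp",
     "ActorUsername": r"CORP\admin"},
    # 3. Documented temp-file cleanup task running a renamed copy against C:\Temp
    #    (the first false-positive scenario on the page).
    {"Process": r"C:\Scripts\cleanup.exe",
     "CommandLine": r"cleanup.exe -accepteula -s -r -q C:\Temp",
     "ActorUsername": r"NT AUTHORITY\SYSTEM"},
    # 4. 64-bit build under its shipped name: neither exclusion matches it,
    #    because the term in the command line is "sdelete64", not "sdelete".
    {"Process": r"C:\Tools\sdelete64.exe",
     "CommandLine": r"sdelete64.exe -accepteula -s -r -q C:\Temp",
     "ActorUsername": r"CORP\admin"},
    # 5. Unrelated tool with overlapping switch letters: must not fire.
    {"Process": r"C:\Windows\System32\xcopy.exe",
     "CommandLine": r"xcopy.exe C:\src D:\dst /s /q /r",
     "ActorUsername": r"CORP\jdoe"},
]

_ALNUM = r"[A-Za-z0-9]"


def kql_has(text, term):
    """Approximation of KQL `has`: case-insensitive match of `term` as a whole
    term, i.e. not adjacent to an alphanumeric character on either side.
    "sdelete64.exe" therefore does not `has` "sdelete", while "sdelete.exe" does."""
    pattern = rf"(?<!{_ALNUM}){re.escape(term)}(?!{_ALNUM})"
    return re.search(pattern, text, re.IGNORECASE) is not None


def kql_has_all(text, terms):
    return all(kql_has(text, t) for t in terms)


SDELETE_SWITCHES = ("accepteula", "-s", "-r", "-q")


def base_rule(event):
    """The page's query: all four switches present, and neither the image name
    nor the command line identifies the binary as sdelete."""
    cmd = event["CommandLine"]
    return (kql_has_all(cmd, SDELETE_SWITCHES)
            and not event["Process"].lower().endswith("sdelete.exe")
            and not kql_has(cmd, "sdelete"))


def enrich(event):
    """The query's `extend`: split the account on its backslash into NT domain
    and user name. Like KQL's split()[1], AccountName is empty without a backslash."""
    domain, _, name = event["ActorUsername"].partition("\\")
    return {**event, "AccountNTDomain": domain, "AccountName": name}


# Exclusion for the scheduled temp-file cleanup scenario. It is keyed on the full
# image path, the invoking account and the target directory together, so that an
# attacker pointing a differently named copy at C:\Temp is not excluded as well.
KNOWN_CLEANUP_JOBS = [
    {"process": r"c:\scripts\cleanup.exe",
     "account": r"nt authority\system",
     "target_dir": r"c:\temp"},
]


def is_known_cleanup(event):
    return any(event["Process"].lower() == job["process"]
               and event["ActorUsername"].lower() == job["account"]
               and kql_has(event["CommandLine"], job["target_dir"])
               for job in KNOWN_CLEANUP_JOBS)


def tuned_rule(event):
    return base_rule(event) and not is_known_cleanup(event)


def run(events, rule):
    """Return the enriched events that `rule` flags, in input order."""
    return [enrich(e) for e in events if rule(e)]


if __name__ == "__main__":
    for label, rule in (("base rule", base_rule), ("tuned rule", tuned_rule)):
        hits = run(EVENTS, rule)
        print(f"{label}: {len(hits)} hit(s)")
        for h in hits:
            print(f"  {h['AccountNTDomain']}\\{h['AccountName']}  {h['CommandLine']}")
```

Run stand-alone, the base pass flags the renamed copy, the cleanup task and the sdelete64.exe event, while the tuned pass drops only the cleanup task; the sdelete64.exe hit is the exclusion gap to check in your own environment before deciding whether to add that name to the rule's `!endswith` / `!has` filters.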