Attackers may deploy Sdelete through Group Policy to many hosts at once and run it recursively to wipe data across the network, a data-destruction technique (MITRE ATT&CK T1485) rather than exfiltration. SOC teams should hunt for this pattern in Microsoft Sentinel before the wipe completes. The rule below looks for sdelete.exe started with its recurse (-s) and remove-read-only (-r) switches whose parent is the Group Policy service host (svchost.exe running gpsvc), which is the process chain a GPO-deployed script produces.
KQL Query
_Im_ProcessEvent
| where EventType =~ "ProcessCreated"
| where Process endswith "svchost.exe"
| where CommandLine has "-k GPSvcGroup" or CommandLine has "-s gpsvc"
| extend timekey = bin(TimeGenerated, 1m)
// TargetProcessId is the PID of the svchost that was just created; ActingProcessId on this event is its parent, not the service host itself
| project timekey, TargetProcessId, Dvc
| join kind=inner (
_Im_ProcessEvent
| where EventType =~ "ProcessCreated"
| where Process =~ "sdelete.exe" or CommandLine has "sdelete"
| where ActingProcessName endswith "svchost.exe"
| where CommandLine has_all ("-s", "-r")
| extend timekey = bin(TimeGenerated, 1m)
)
// sdelete's parent PID (ActingProcessId) must be the Group Policy service host's own PID, on the same device in the same minute bin
on $left.TargetProcessId == $right.ActingProcessId, timekey, Dvc
| extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0])
| extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
| project-away DomainIndex
id: 30c8b802-ace1-4408-bc29-4c5c5afb49e1
name: Sdelete deployed via GPO and run recursively (ASIM Version)
description: |
  'This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple hosts and delete data on them.
  This query uses the Advanced Security Information Model. Parsers will need to be deployed before use: https://docs.microsoft.com/azure/sentinel/normalization'
severity: Medium
requiredDataConnectors: []
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Impact
relevantTechniques:
  - T1485
tags:
  -
query: |
  _Im_ProcessEvent
  | where EventType =~ "ProcessCreated"
  | where Process endswith "svchost.exe"
  | where CommandLine has "-k GPSvcGroup" or CommandLine has "-s gpsvc"
  | extend timekey = bin(TimeGenerated, 1m)
  // TargetProcessId is the PID of the svchost that was just created; ActingProcessId on this event is its parent, not the service host itself
  | project timekey, TargetProcessId, Dvc
  | join kind=inner (
  _Im_ProcessEvent
  | where EventType =~ "ProcessCreated"
  | where Process =~ "sdelete.exe" or CommandLine has "sdelete"
  | where ActingProcessName endswith "svchost.exe"
  | where CommandLine has_all ("-s", "-r")
  | extend timekey = bin(TimeGenerated, 1m)
  )
  // sdelete's parent PID (ActingProcessId) must be the Group Policy service host's own PID, on the same device in the same minute bin
  on $left.TargetProcessId == $right.ActingProcessId, timekey, Dvc
  | extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0])
  | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
  | project-away DomainIndex
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: ActorUsername
      - identifier: Name
        columnName: AccountName
      - identifier: NTDomain
        columnName: AccountNTDomain
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Dvc
      - identifier: HostName
        columnName: HostName
      - identifier: DnsDomain
        columnName: HostNameDomain
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: DvcIpAddr
version: 1.0.6
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Microsoft Security Research
  support:
    tier: Community
  categories:
    domains: [ "Security - Threat Protection" ]
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render
Scenario: System Update via Group Policy
Description: A system administrator deploys a Group Policy update that includes a script or tool which, as part of a cleanup step, runs sdelete recursively.
Filter/Exclusion (expressed in the rule's ASIM columns): the rule already requires ActingProcessName to end in svchost.exe, so a parent of gpupdate.exe (C:\Windows\System32\gpupdate.exe) never matches it. If the cleanup is genuinely launched by the Group Policy service host, exclude the exact CommandLine on the hosts (Dvc) that the GPO targets rather than excluding a parent process, so the exclusion stays narrow.
Scenario: Scheduled Job for Disk Cleanup
Description: A legitimate scheduled task runs sdelete to securely delete temporary files or logs from a system, which may be flagged as recursive.
Filter/Exclusion (ASIM columns): CommandLine =~ @"sdelete -p 100 -z C:\Temp\*". Note that this command line uses -z (zero free space) and carries neither -s nor -r, so it would not trigger the rule as written. Task Scheduler launches tasks from the Schedule service host (an svchost.exe instance, not schtasks.exe, which only creates and queries tasks), so a parent of schtasks.exe is not something this rule ever sees; exclude on the exact command line and host instead.
Scenario: Admin Task for Secure Data Erasure
Description: An admin uses sdelete as part of a secure data erasure process, such as before decommissioning a server, which may involve recursive deletion.
Filter/Exclusion (ASIM columns): CommandLine =~ @"sdelete -p 100 -z C:\Data\*" (again without -s or -r, so not a hit for this rule). Do not exclude on the account alone: ActorUsername endswith @"\Administrator" would suppress exactly the account an attacker who has taken over domain administration would use to push the GPO. Tie the exclusion to the host, the exact command line and a change record for the decommissioning.
Scenario: Deployment of a Legitimate Application with Clean-up Script
Description: A software deployment package includes a clean-up script that uses sdelete to remove old files, which could be flagged as recursive.
Filter/Exclusion (ASIM columns): CommandLine =~ @"sdelete -p 100 -z C:\Program Files\OldApp\*". An MSI custom action runs under msiexec.exe, so ActingProcessName endswith "msiexec.exe" is already outside what this rule matches, because the rule requires the parent to be the Group Policy service host.
Scenario: Log Rotation or Archive Purge via Script
Description: A script used for log rotation or archive purging runs sdelete recursively on log directories, which may trigger the detection rule.
Filter/Exclusion: `process.command_line
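The scenarios above all point the same way: exclusions should name a host and an exact command line, never a bare account or a parent process the rule cannot see. The query below is an added example, not the rule's own query and not from the Azure-Sentinel repository. It keeps the rule's detection logic but makes two changes: it keys the join on the Group Policy service host's own process ID (TargetProcessId on the svchost creation event, matched to ActingProcessId on the sdelete creation event) and bounds it with a time window instead of a one-minute bin, since the gpsvc host is long-lived and rarely starts in the same minute as the script it later runs; and it applies an allowlist of approved host plus command-line pairs. The allowlist rows, the hostnames and the LookBack value are constructed placeholders.

```kql
// Added example, not the rule's own query: same detection with
// (a) the join keyed on the Group Policy service host's own PID, bounded by a
//     time window rather than a one-minute bin, and
// (b) a narrow host + command-line allowlist for approved secure-erase jobs.
// Allowlist rows and hostnames below are constructed placeholders.
let LookBack = 1d;              // keep at or below the rule's queryPeriod
let ApprovedSdelete = datatable(Dvc:string, ApprovedCommandLine:string) [
    "fileserver01.corp.example", @"sdelete.exe -p 3 -s -r D:\Logs\Archive",
    "build02.corp.example",      @"sdelete.exe -p 3 -s -r D:\Builds\Old"
]
| extend CommandLineKey = tolower(ApprovedCommandLine);
let GpSvcHost = _Im_ProcessEvent
    | where TimeGenerated > ago(LookBack)
    | where EventType =~ "ProcessCreated"
    | where Process endswith "svchost.exe"
    | where CommandLine has "-k GPSvcGroup" or CommandLine has "-s gpsvc"
    // TargetProcessId is the PID of the svchost that was just created
    | project SvcStart = TimeGenerated, SvcPid = TargetProcessId, Dvc;
_Im_ProcessEvent
| where TimeGenerated > ago(LookBack)
| where EventType =~ "ProcessCreated"
| where Process =~ "sdelete.exe" or CommandLine has "sdelete"
| where ActingProcessName endswith "svchost.exe"
| where CommandLine has_all ("-s", "-r")
// ActingProcessId on the sdelete creation event is the PID of its parent
| join kind=inner GpSvcHost on $left.ActingProcessId == $right.SvcPid, Dvc
// sdelete must start after its parent; PIDs are reused, so keep the window short
| where TimeGenerated between (SvcStart .. SvcStart + LookBack)
// An exclusion needs host AND exact command line to match; a bare account
// name such as "Administrator" is never an exclusion key
| extend CommandLineKey = tolower(CommandLine)
| join kind=leftanti ApprovedSdelete on Dvc, CommandLineKey
| extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0])
| extend HostName = tostring(split(Dvc, ".")[0])
| project TimeGenerated, Dvc, HostName, DvcIpAddr, ActorUsername, AccountName, AccountNTDomain, SvcStart, SvcPid, TargetProcessId, CommandLine
```

Every row of ApprovedSdelete should trace to a change record; review the table when the rule fires nothing for a period, because a stale entry silently hides a real wipe on that host. The leftanti join is case-insensitive only because both sides are lowered first; whitespace or quoting differences in the recorded command line still defeat the match, which is the intended failure direction (alert rather than suppress).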