Question Analysis

DeviceProcessEvents | where ActionType == "ProcessCreated" | where ProcessCommandLine has_any ("del", "rmdir", "rm ", "Remove-Item", "cmd.exe", "powershell") | where ( (ProcessCommandLine has_any ("temp", "tmp", @'AppData\Local\Temp', @'C:\temp', @'C:\tmp', "%TEMP%")) and (ProcessCommandLine has_any ("/s", "/q", "-r", "-force", "-Recurse")) ) | project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine

DeviceProcessEvents | where ProcessCommandLine has_any ("rmdir /s", "rd /s", "Remove-Item -Recurse", "/s /q", "-Recurse") | where ProcessCommandLine has_any("temp", "%TEMP%") | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine | order by TimeGenerated desc

let temp_path_re = @"(\\windows\\temp|\\appdata\\local\\temp|%temp%|%tmp%|\$env:temp|\$env:tmp)"; // temp indicators (lower-cased) DeviceProcessEvents | where ActionType == "ProcessCreated" | extend pcl = tolower(ProcessCommandLine), fname = tolower(FileName) // Must reference a temp path or TEMP/TMP variables | where pcl matches regex temp_path_re // Look for recursive delete patterns | where // cmd rmdir/rd with /s (optionally with /q) pcl matches regex @"\b(rmdir|rd)\b.*?\/(s)" or // cmd del with /s (optionally with /q) pcl matches regex @"\bdel(ete)?\b.*?\/(s)" or // PowerShell Remove-Item (or aliases) with -Recurse/-r (fname in ("powershell.exe","pwsh.exe","powershell_ise.exe") and pcl matches regex @"\b(remove-item|rm|ri|del)\b.*?\-(recurse|r\b)") or // Sysinternals sdelete with -s or /s pcl matches regex @"\bsdelete(\.exe)?\b.*?(\s\-s|\s\/s)" | project TimeGenerated, DeviceName, AccountDomain, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountDomain, InitiatingProcessAccountName, ProcessTokenElevation, InitiatingProcessTokenElevation, ProcessId, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessCreationTime | order by TimeGenerated desc

DeviceProcessEvents | where isnotempty(ProcessCommandLine) // match references to temp directories (case-insensitive) | where ProcessCommandLine matches regex @"(?i)(%temp%|\\temp\\|\\windows\\temp|\btemp\b)" // match common recursive/remove/delete patterns (case-insensitive) | where ProcessCommandLine matches regex @"(?i)(\bdel\b|\brmdir\b|\brd\b|\bremove-item\b|-recurse\b|-force\b|/s\b|/q\b|rm\s*-rf\b)" | extend Initiator = strcat(tostring(InitiatingProcessFileName), " (PID:", tostring(InitiatingProcessId), ")") | summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), AnyCmd = any(ProcessCommandLine), AnyInitiatorCmd = any(InitiatingProcessCommandLine), InitiatorFile = any(InitiatingProcessFileName), InitiatorId = any(InitiatingProcessId), InitiatorAccount = any(InitiatingProcessAccountName), InitiatorFolder = any(InitiatingProcessFolderPath) by Initiator | order by LastSeen desc | project Initiator, Count, FirstSeen, LastSeen, InitiatorFile, InitiatorId, InitiatorAccount, InitiatorFolder, AnyCmd, AnyInitiatorCmd | take 50

let tempRegex = @"(?i)(%temp%|\\Users\\[^\\]+\\AppData\\Local\\Temp|\\Windows\\Temp|\\bTemp\\b|\\btmp\\b)"; let procDeletes = DeviceProcessEvents | where isnotempty(ProcessCommandLine) // common recursive-delete indicators (cmd, powershell, unix-like) | where tolower(ProcessCommandLine) has_any ("rmdir","rd /s","rd /s /q","del /s","del /s /q","remove-item","-recurse","-force","rm -r","rm -rf","/s","/s /q") // limit to commands that reference temp locations, or processes that operate in temp folders | where ProcessCommandLine matches regex tempRegex or FolderPath matches regex tempRegex or InitiatingProcessCommandLine matches regex tempRegex | project TimeGenerated, DeviceName, AccountName, AccountDomain = AccountDomain, ProcessId, ProcessCreationTime, ProcessCommandLine, ProcessFileName = FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessCreationTime, InitiatingProcessParentFileName, InitiatingProcessParentId; let fileDeletes = DeviceFileEvents | where isnotempty(ActionType) | where ActionType has "Delete" or ActionType has "deleted" or ActionType has "FileDeleted" | where FolderPath matches regex tempRegex or PreviousFolderPath matches regex tempRegex | project TimeGenerated, DeviceName, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain, ProcessId = InitiatingProcessId, ProcessCreationTime = InitiatingProcessCreationTime, ProcessCommandLine = InitiatingProcessCommandLine, ProcessFileName = FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessCreationTime, InitiatingProcessParentFileName = InitiatingProcessParentFileName, InitiatingProcessParentId = InitiatingProcessParentId; procDeletes | union fileDeletes | sort by TimeGenerated desc | take 500

let tempPaths = dynamic(['temp', 'C:\\Windows\\Temp', '%temp%', 'C:/Windows/Temp']); DeviceProcessEvents | where ProcessCommandLine has_any ('rmdir', 'del', 'remove-item', 'rd') | where ProcessCommandLine has_any ('/s', '/r', '-r', '-recurse', '/q') | where ProcessCommandLine has_any (tempPaths) | project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, AccountName, DeviceId | union ( DeviceEvents | where ProcessCommandLine has_any ('rmdir', 'del', 'remove-item', 'rd') | where ProcessCommandLine has_any ('/s', '/r', '-r', '-recurse', '/q') | where ProcessCommandLine has_any (tempPaths) | project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, AccountName, DeviceId ) | order by Timestamp desc

DeviceProcessEvents | where ProcessCommandLine != "" and isnotnull(ProcessCommandLine) // Narrow down to recursive delete commands | where ProcessCommandLine has_any ("rmdir /s", "rd /s", "del /s", "Remove-Item", "-Recurse") // Ensure the deletion target is under a temp directory | where tolower(ProcessCommandLine) has "temp" | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath | order by TimeGenerated desc

DeviceProcessEvents | where ActionType == "ProcessCreated" | where ProcessCommandLine has_any ("rmdir", "rd", "del", "Remove-Item") and ProcessCommandLine has_any ("/s", "-Recurse") and tolower(ProcessCommandLine) has "temp" | project TimeGenerated, DeviceName, AccountDomain, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath

// --- Identify processes that executed a recursive delete inside a Temp folder let delete_verbs = dynamic(["rmdir","rd","del","erase","remove-item","rm"]); // deletion tools / verbs let recursion_flags = dynamic(["/s","/q","/purge","-recurse","-r","-rf","-force"]); // switches that imply recursion or force DeviceProcessEvents | where ProcessCommandLine has_any(delete_verbs) // must contain a delete verb | where ProcessCommandLine has_any(recursion_flags) // …and a recursive / force flag | where ProcessCommandLine contains "\\temp" // aimed at a Temp folder (typical Windows path) or ProcessCommandLine contains "/temp" // POSIX style path (WSL, Git, Cygwin, etc.) or ProcessCommandLine contains "%temp%" // Windows environment variable or ProcessCommandLine contains "$env:temp" // PowerShell variable | project TimeGenerated, DeviceName, Account = strcat(AccountDomain, "\\", AccountName), Executable = FileName, ProcessCommandLine, ParentProcess = InitiatingProcessFileName, ParentCommand = InitiatingProcessCommandLine, ProcessId, InitiatingProcessParentId, SHA256 // | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), ExecCount=count() by DeviceName, Executable, ProcessCommandLine, ParentProcess, Account, SHA256 | order by TimeGenerated desc

DeviceProcessEvents | where tolower(ProcessCommandLine) has "temp" and ( tolower(ProcessCommandLine) has "remove-item" and tolower(ProcessCommandLine) has "-recurse" or tolower(ProcessCommandLine) matches regex @"rmdir\s+/s" or tolower(ProcessCommandLine) matches regex @"del\s+/s" or tolower(ProcessCommandLine) matches regex @"rm\s+-r" ) | project TimeGenerated, DeviceName, ProcessId, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine | sort by TimeGenerated desc