Process Creation with Suspicious CommandLine Arguments

_ASim_ProcessEvent
| where EventType == 'ProcessCreated'
| extend CommandLineArgs = strcat_array(array_slice(split(CommandLine, " "), 1, -1), " ")
| where strlen(CommandLineArgs) > 0
| where CommandLineArgs contains "base64"
| project
TimeGenerated,
DvcHostname,
DvcIpAddr,
DvcDomain,
TargetUsername,
TargetUsernameType,
TargetProcessName,
TargetProcessId,
CommandLine
| extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[1]), TargetUsername)
| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[0]), TargetUsername)
| extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)
| extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')

entityMappings:
- fieldMappings:
  - columnName: DvcHostname
    identifier: HostName
  - columnName: DvcDomain
    identifier: DnsDomain
  - columnName: NTDomain
    identifier: NTDomain
  entityType: Host
- fieldMappings:
  - columnName: DvcIpAddr
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: Username
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  - columnName: NTDomain
    identifier: NTDomain
  entityType: Account
- fieldMappings:
  - columnName: TargetProcessId
    identifier: ProcessId
  - columnName: CommandLine
    identifier: CommandLine
  entityType: Process
name: Process Creation with Suspicious CommandLine Arguments
triggerThreshold: 0
alertDetailsOverride:
  alertDisplayNameFormat: Process with suspicious command line arguments was created on {{DvcHostname}} ({{DvcIpAddr}}) by ({{TargetUsername}})
  alertDescriptionFormat: "Process '{{TargetProcessName}}' ProcessId: '{{TargetProcessId}}' with commandline {{CommandLine}} was created."
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/SuspiciousProcessCreation.yaml
id: fdbcc0eb-44fb-467e-a51d-a91df0780a81
kind: Scheduled
status: Available
queryFrequency: 1h
severity: Medium
description: |
    This analytic rule detects process creation events with base64 encoded command line arguments. This could be an indication of a malicious process being executed.
query: |
  _ASim_ProcessEvent
  | where EventType == 'ProcessCreated'
  | extend CommandLineArgs = strcat_array(array_slice(split(CommandLine, " "), 1, -1), " ")
  | where strlen(CommandLineArgs) > 0
  | where CommandLineArgs contains "base64"
  | project
  TimeGenerated,
  DvcHostname,
  DvcIpAddr,
  DvcDomain,
  TargetUsername,
  TargetUsernameType,
  TargetProcessName,
  TargetProcessId,
  CommandLine
  | extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[1]), TargetUsername)
  | extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[0]), TargetUsername)
  | extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)
  | extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')  
version: 1.0.1
tactics:
- Execution
- DefenseEvasion
tags:
- SchemaVersion: 0.1.4
  Schema: _ASim_ProcessEvent
queryPeriod: 1h
relevantTechniques:
- T1059
- T1027
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: CrowdStrikeFalconEndpointProtection
- dataTypes:
  - SecurityAlert
  connectorId: MicrosoftThreatProtection
- dataTypes:
  - SentinelOne_CL
  connectorId: SentinelOne
- dataTypes:
  - CarbonBlackEvents_CL
  connectorId: VMwareCarbonBlack
- dataTypes:
  - CiscoSecureEndpoint_CL
  connectorId: CiscoSecureEndpoint
- dataTypes:
  - TMApexOneEvent
  connectorId: TrendMicroApexOne
- dataTypes:
  - TMApexOneEvent
  connectorId: TrendMicroApexOneAma