Process Creation with Suspicious CommandLine Arguments

_ASim_ProcessEvent
| where EventType == 'ProcessCreated'
| extend CommandLineArgs = strcat_array(array_slice(split(CommandLine, " "), 1, -1), " ")
| where strlen(CommandLineArgs) > 0
| where CommandLineArgs contains "base64"
| project
TimeGenerated,
DvcHostname,
DvcIpAddr,
DvcDomain,
TargetUsername,
TargetUsernameType,
TargetProcessName,
TargetProcessId,
CommandLine
| extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[1]), TargetUsername)
| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[0]), TargetUsername)
| extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)
| extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')

name: Process Creation with Suspicious CommandLine Arguments
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: CrowdStrikeFalconEndpointProtection
- dataTypes:
  - SecurityAlert
  connectorId: MicrosoftThreatProtection
- dataTypes:
  - SentinelOne_CL
  connectorId: SentinelOne
- dataTypes:
  - CarbonBlackEvents_CL
  connectorId: VMwareCarbonBlack
- dataTypes:
  - CiscoSecureEndpoint_CL
  connectorId: CiscoSecureEndpoint
- dataTypes:
  - TMApexOneEvent
  connectorId: TrendMicroApexOne
- dataTypes:
  - TMApexOneEvent
  connectorId: TrendMicroApexOneAma
tags:
- Schema: _ASim_ProcessEvent
  SchemaVersion: 0.1.4
description: |
    This analytic rule detects process creation events with base64 encoded command line arguments. This could be an indication of a malicious process being executed.
queryPeriod: 1h
severity: Medium
alertDetailsOverride:
  alertDisplayNameFormat: Process with suspicious command line arguments was created on {{DvcHostname}} ({{DvcIpAddr}}) by ({{TargetUsername}})
  alertDescriptionFormat: "Process '{{TargetProcessName}}' ProcessId: '{{TargetProcessId}}' with commandline {{CommandLine}} was created."
id: fdbcc0eb-44fb-467e-a51d-a91df0780a81
kind: Scheduled
status: Available
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerThreshold: 0
query: |
  _ASim_ProcessEvent
  | where EventType == 'ProcessCreated'
  | extend CommandLineArgs = strcat_array(array_slice(split(CommandLine, " "), 1, -1), " ")
  | where strlen(CommandLineArgs) > 0
  | where CommandLineArgs contains "base64"
  | project
  TimeGenerated,
  DvcHostname,
  DvcIpAddr,
  DvcDomain,
  TargetUsername,
  TargetUsernameType,
  TargetProcessName,
  TargetProcessId,
  CommandLine
  | extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[1]), TargetUsername)
  | extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[0]), TargetUsername)
  | extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)
  | extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')  
version: 1.0.1
relevantTechniques:
- T1059
- T1027
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/SuspiciousProcessCreation.yaml
queryFrequency: 1h
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: DvcHostname
  - identifier: DnsDomain
    columnName: DvcDomain
  - identifier: NTDomain
    columnName: NTDomain
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: DvcIpAddr
  entityType: IP
- fieldMappings:
  - identifier: Name
    columnName: Username
  - identifier: UPNSuffix
    columnName: UPNSuffix
  - identifier: NTDomain
    columnName: NTDomain
  entityType: Account
- fieldMappings:
  - identifier: ProcessId
    columnName: TargetProcessId
  - identifier: CommandLine
    columnName: CommandLine
  entityType: Process
tactics:
- Execution
- DefenseEvasion