Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Windows host username encoded in base64 web request

Back
Id6e715730-82c0-496c-983b-7a20c4590bd9
RulenameWindows host username encoded in base64 web request
DescriptionThis detection will identify network requests in HTTP proxy data that contains Base64 encoded usernames from machines in the DeviceEvents table.

This technique was seen usee by POLONIUM in their RunningRAT tool.
SeverityMedium
TacticsExfiltration
CommandAndControl
TechniquesT1041
T1071.001
Required data connectorsCheckPoint
Fortinet
MicrosoftThreatProtection
PaloAltoNetworks
Zscaler
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/B64UserInWebURIFromMDE.yaml
Version1.0.1
Arm template6e715730-82c0-496c-983b-7a20c4590bd9.json
Deploy To Azure
let accountLookback = 3d;
let requestLookback = 3d;
let extraction_regex = @"(?:\?|&)[a-zA-Z0-9\%]*=([a-zA-Z0-9\/\+\=]*)";
// Collect account names and base64 encode them
DeviceEvents
| where TimeGenerated > ago(accountLookback)
| summarize make_set(DeviceId), make_set(DeviceName) by InitiatingProcessAccountName
| where isnotempty(InitiatingProcessAccountName)
| extend base64_user = base64_encode_tostring(InitiatingProcessAccountName)
| join (
    // Collect requests and extract base64 parameters
    CommonSecurityLog
    | where TimeGenerated > ago(requestLookback)
    | where isnotempty(RequestURL)
    // Summarize early on the RequestURL
    | summarize FirstRequest=min(TimeGenerated), LastRequest=max(TimeGenerated), NumberOfRequests=count() by RequestURL
    | extend base64_candidate = extract_all(extraction_regex, RequestURL)
    | mv-expand base64_candidate  to typeof(string)
) on $left.base64_user == $right.base64_candidate
| project FirstRequest, LastRequest, NumberOfRequests, RequestURL, DeviceIds=set_DeviceId, DeviceNames=set_DeviceName, UserName=InitiatingProcessAccountName
queryFrequency: 1d
description: |
  'This detection will identify network requests in HTTP proxy data that contains Base64 encoded usernames from machines in the DeviceEvents table.
  This technique was seen usee by POLONIUM in their RunningRAT tool.'  
severity: Medium
version: 1.0.1
relevantTechniques:
- T1041
- T1071.001
name: Windows host username encoded in base64 web request
triggerThreshold: 0
kind: Scheduled
query: |
  let accountLookback = 3d;
  let requestLookback = 3d;
  let extraction_regex = @"(?:\?|&)[a-zA-Z0-9\%]*=([a-zA-Z0-9\/\+\=]*)";
  // Collect account names and base64 encode them
  DeviceEvents
  | where TimeGenerated > ago(accountLookback)
  | summarize make_set(DeviceId), make_set(DeviceName) by InitiatingProcessAccountName
  | where isnotempty(InitiatingProcessAccountName)
  | extend base64_user = base64_encode_tostring(InitiatingProcessAccountName)
  | join (
      // Collect requests and extract base64 parameters
      CommonSecurityLog
      | where TimeGenerated > ago(requestLookback)
      | where isnotempty(RequestURL)
      // Summarize early on the RequestURL
      | summarize FirstRequest=min(TimeGenerated), LastRequest=max(TimeGenerated), NumberOfRequests=count() by RequestURL
      | extend base64_candidate = extract_all(extraction_regex, RequestURL)
      | mv-expand base64_candidate  to typeof(string)
  ) on $left.base64_user == $right.base64_candidate
  | project FirstRequest, LastRequest, NumberOfRequests, RequestURL, DeviceIds=set_DeviceId, DeviceNames=set_DeviceName, UserName=InitiatingProcessAccountName  
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/B64UserInWebURIFromMDE.yaml
requiredDataConnectors:
- connectorId: Zscaler
  dataTypes:
  - CommonSecurityLog
- connectorId: Fortinet
  dataTypes:
  - CommonSecurityLog
- connectorId: CheckPoint
  dataTypes:
  - CommonSecurityLog
- connectorId: PaloAltoNetworks
  dataTypes:
  - CommonSecurityLog
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceNetworkEvents
metadata:
  source:
    kind: Community
  author:
    name: Thomas McElroy
  support:
    tier: Community
  categories:
    domains:
    - Security - Others
tactics:
- Exfiltration
- CommandAndControl
tags:
- POLONIUM
id: 6e715730-82c0-496c-983b-7a20c4590bd9
queryPeriod: 1d
entityMappings:
- fieldMappings:
  - columnName: DeviceNames
    identifier: HostName
  entityType: Host
- fieldMappings:
  - columnName: RequestURL
    identifier: Url
  entityType: URL
- fieldMappings:
  - columnName: UserName
    identifier: Name
  entityType: Account
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6e715730-82c0-496c-983b-7a20c4590bd9')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6e715730-82c0-496c-983b-7a20c4590bd9')]",
      "properties": {
        "alertRuleTemplateName": "6e715730-82c0-496c-983b-7a20c4590bd9",
        "customDetails": null,
        "description": "'This detection will identify network requests in HTTP proxy data that contains Base64 encoded usernames from machines in the DeviceEvents table.\nThis technique was seen usee by POLONIUM in their RunningRAT tool.'\n",
        "displayName": "Windows host username encoded in base64 web request",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceNames",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "RequestURL",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "UserName",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/B64UserInWebURIFromMDE.yaml",
        "query": "let accountLookback = 3d;\nlet requestLookback = 3d;\nlet extraction_regex = @\"(?:\\?|&)[a-zA-Z0-9\\%]*=([a-zA-Z0-9\\/\\+\\=]*)\";\n// Collect account names and base64 encode them\nDeviceEvents\n| where TimeGenerated > ago(accountLookback)\n| summarize make_set(DeviceId), make_set(DeviceName) by InitiatingProcessAccountName\n| where isnotempty(InitiatingProcessAccountName)\n| extend base64_user = base64_encode_tostring(InitiatingProcessAccountName)\n| join (\n    // Collect requests and extract base64 parameters\n    CommonSecurityLog\n    | where TimeGenerated > ago(requestLookback)\n    | where isnotempty(RequestURL)\n    // Summarize early on the RequestURL\n    | summarize FirstRequest=min(TimeGenerated), LastRequest=max(TimeGenerated), NumberOfRequests=count() by RequestURL\n    | extend base64_candidate = extract_all(extraction_regex, RequestURL)\n    | mv-expand base64_candidate  to typeof(string)\n) on $left.base64_user == $right.base64_candidate\n| project FirstRequest, LastRequest, NumberOfRequests, RequestURL, DeviceIds=set_DeviceId, DeviceNames=set_DeviceName, UserName=InitiatingProcessAccountName\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "subTechniques": [
          "T1071.001"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "Exfiltration"
        ],
        "tags": [
          "POLONIUM"
        ],
        "techniques": [
          "T1041",
          "T1071"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}