Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Windows host username encoded in base64 web request

Back
Id6e715730-82c0-496c-983b-7a20c4590bd9
RulenameWindows host username encoded in base64 web request
DescriptionThis detection will identify network requests in HTTP proxy data that contains Base64 encoded usernames from machines in the DeviceEvents table.

This technique was seen usee by POLONIUM in their RunningRAT tool.
SeverityMedium
TacticsExfiltration
CommandAndControl
TechniquesT1041
T1071.001
Required data connectorsCheckPoint
Fortinet
MicrosoftThreatProtection
PaloAltoNetworks
Zscaler
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/B64UserInWebURIFromMDE.yaml
Version1.0.1
Arm template6e715730-82c0-496c-983b-7a20c4590bd9.json
Deploy To Azure
let accountLookback = 3d;
let requestLookback = 3d;
let extraction_regex = @"(?:\?|&)[a-zA-Z0-9\%]*=([a-zA-Z0-9\/\+\=]*)";
// Collect account names and base64 encode them
DeviceEvents
| where TimeGenerated > ago(accountLookback)
| summarize make_set(DeviceId), make_set(DeviceName) by InitiatingProcessAccountName
| where isnotempty(InitiatingProcessAccountName)
| extend base64_user = base64_encode_tostring(InitiatingProcessAccountName)
| join (
    // Collect requests and extract base64 parameters
    CommonSecurityLog
    | where TimeGenerated > ago(requestLookback)
    | where isnotempty(RequestURL)
    // Summarize early on the RequestURL
    | summarize FirstRequest=min(TimeGenerated), LastRequest=max(TimeGenerated), NumberOfRequests=count() by RequestURL
    | extend base64_candidate = extract_all(extraction_regex, RequestURL)
    | mv-expand base64_candidate  to typeof(string)
) on $left.base64_user == $right.base64_candidate
| project FirstRequest, LastRequest, NumberOfRequests, RequestURL, DeviceIds=set_DeviceId, DeviceNames=set_DeviceName, UserName=InitiatingProcessAccountName
id: 6e715730-82c0-496c-983b-7a20c4590bd9
name: Windows host username encoded in base64 web request
kind: Scheduled
requiredDataConnectors:
- connectorId: Zscaler
  dataTypes:
  - CommonSecurityLog
- connectorId: Fortinet
  dataTypes:
  - CommonSecurityLog
- connectorId: CheckPoint
  dataTypes:
  - CommonSecurityLog
- connectorId: PaloAltoNetworks
  dataTypes:
  - CommonSecurityLog
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceNetworkEvents
severity: Medium
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/B64UserInWebURIFromMDE.yaml
tags:
- POLONIUM
description: |
  'This detection will identify network requests in HTTP proxy data that contains Base64 encoded usernames from machines in the DeviceEvents table.
  This technique was seen usee by POLONIUM in their RunningRAT tool.'  
relevantTechniques:
- T1041
- T1071.001
metadata:
  support:
    tier: Community
  source:
    kind: Community
  author:
    name: Thomas McElroy
  categories:
    domains:
    - Security - Others
queryPeriod: 1d
triggerOperator: gt
queryFrequency: 1d
query: |
  let accountLookback = 3d;
  let requestLookback = 3d;
  let extraction_regex = @"(?:\?|&)[a-zA-Z0-9\%]*=([a-zA-Z0-9\/\+\=]*)";
  // Collect account names and base64 encode them
  DeviceEvents
  | where TimeGenerated > ago(accountLookback)
  | summarize make_set(DeviceId), make_set(DeviceName) by InitiatingProcessAccountName
  | where isnotempty(InitiatingProcessAccountName)
  | extend base64_user = base64_encode_tostring(InitiatingProcessAccountName)
  | join (
      // Collect requests and extract base64 parameters
      CommonSecurityLog
      | where TimeGenerated > ago(requestLookback)
      | where isnotempty(RequestURL)
      // Summarize early on the RequestURL
      | summarize FirstRequest=min(TimeGenerated), LastRequest=max(TimeGenerated), NumberOfRequests=count() by RequestURL
      | extend base64_candidate = extract_all(extraction_regex, RequestURL)
      | mv-expand base64_candidate  to typeof(string)
  ) on $left.base64_user == $right.base64_candidate
  | project FirstRequest, LastRequest, NumberOfRequests, RequestURL, DeviceIds=set_DeviceId, DeviceNames=set_DeviceName, UserName=InitiatingProcessAccountName  
version: 1.0.1
tactics:
- Exfiltration
- CommandAndControl
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: DeviceNames
  entityType: Host
- fieldMappings:
  - identifier: Url
    columnName: RequestURL
  entityType: URL
- fieldMappings:
  - identifier: Name
    columnName: UserName
  entityType: Account
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6e715730-82c0-496c-983b-7a20c4590bd9')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6e715730-82c0-496c-983b-7a20c4590bd9')]",
      "properties": {
        "alertRuleTemplateName": "6e715730-82c0-496c-983b-7a20c4590bd9",
        "customDetails": null,
        "description": "'This detection will identify network requests in HTTP proxy data that contains Base64 encoded usernames from machines in the DeviceEvents table.\nThis technique was seen usee by POLONIUM in their RunningRAT tool.'\n",
        "displayName": "Windows host username encoded in base64 web request",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceNames",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "RequestURL",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "UserName",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/B64UserInWebURIFromMDE.yaml",
        "query": "let accountLookback = 3d;\nlet requestLookback = 3d;\nlet extraction_regex = @\"(?:\\?|&)[a-zA-Z0-9\\%]*=([a-zA-Z0-9\\/\\+\\=]*)\";\n// Collect account names and base64 encode them\nDeviceEvents\n| where TimeGenerated > ago(accountLookback)\n| summarize make_set(DeviceId), make_set(DeviceName) by InitiatingProcessAccountName\n| where isnotempty(InitiatingProcessAccountName)\n| extend base64_user = base64_encode_tostring(InitiatingProcessAccountName)\n| join (\n    // Collect requests and extract base64 parameters\n    CommonSecurityLog\n    | where TimeGenerated > ago(requestLookback)\n    | where isnotempty(RequestURL)\n    // Summarize early on the RequestURL\n    | summarize FirstRequest=min(TimeGenerated), LastRequest=max(TimeGenerated), NumberOfRequests=count() by RequestURL\n    | extend base64_candidate = extract_all(extraction_regex, RequestURL)\n    | mv-expand base64_candidate  to typeof(string)\n) on $left.base64_user == $right.base64_candidate\n| project FirstRequest, LastRequest, NumberOfRequests, RequestURL, DeviceIds=set_DeviceId, DeviceNames=set_DeviceName, UserName=InitiatingProcessAccountName\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "Exfiltration"
        ],
        "tags": [
          "POLONIUM"
        ],
        "techniques": [
          "T1041",
          "T1071"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}