NRT Process executed from binary hidden in Base64 encoded file
| Id | 7ad4c32b-d0d2-411c-a0e8-b557afa12fce |
| Rulename | NRT Process executed from binary hidden in Base64 encoded file |
| Description | Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. The third one is looking for Ruby decoding base64. |
| Severity | Medium |
| Tactics | Execution DefenseEvasion |
| Techniques | T1059 T1027 T1140 |
| Required data connectors | SecurityEvents WindowsSecurityEvents |
| Kind | NRT |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/NRT_execute_base64_decodedpayload.yaml |
| Version | 1.0.2 |
| Arm template | 7ad4c32b-d0d2-411c-a0e8-b557afa12fce.json |
SecurityEvent
| where EventID==4688
| where isnotempty(CommandLine)
| project TimeGenerated, Computer, AccountName = SubjectUserName, AccountNTDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName, SubjectAccount
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| where CommandLine contains ".decode('base64')"
or CommandLine contains "base64 --decode"
or CommandLine contains ".decode64("
relevantTechniques:
- T1059
- T1027
- T1140
name: NRT Process executed from binary hidden in Base64 encoded file
requiredDataConnectors:
- dataTypes:
- SecurityEvent
connectorId: SecurityEvents
- dataTypes:
- SecurityEvent
connectorId: WindowsSecurityEvents
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: SubjectAccount
- identifier: Name
columnName: AccountName
- identifier: NTDomain
columnName: AccountNTDomain
entityType: Account
- fieldMappings:
- identifier: FullName
columnName: Computer
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: HostNameDomain
entityType: Host
query: |
SecurityEvent
| where EventID==4688
| where isnotempty(CommandLine)
| project TimeGenerated, Computer, AccountName = SubjectUserName, AccountNTDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName, SubjectAccount
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| where CommandLine contains ".decode('base64')"
or CommandLine contains "base64 --decode"
or CommandLine contains ".decode64("
id: 7ad4c32b-d0d2-411c-a0e8-b557afa12fce
tactics:
- Execution
- DefenseEvasion
version: 1.0.2
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/NRT_execute_base64_decodedpayload.yaml
kind: NRT
severity: Medium
status: Available
description: |
'Encoding malicious software is a technique used to obfuscate files from detection.
The first CommandLine component is looking for Python decoding base64.
The second CommandLine component is looking for Bash/sh command line base64 decoding.
The third one is looking for Ruby decoding base64.'
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7ad4c32b-d0d2-411c-a0e8-b557afa12fce')]",
"kind": "NRT",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7ad4c32b-d0d2-411c-a0e8-b557afa12fce')]",
"properties": {
"alertRuleTemplateName": "7ad4c32b-d0d2-411c-a0e8-b557afa12fce",
"customDetails": null,
"description": "'Encoding malicious software is a technique used to obfuscate files from detection.\nThe first CommandLine component is looking for Python decoding base64.\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\nThe third one is looking for Ruby decoding base64.'\n",
"displayName": "NRT Process executed from binary hidden in Base64 encoded file",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "SubjectAccount",
"identifier": "FullName"
},
{
"columnName": "AccountName",
"identifier": "Name"
},
{
"columnName": "AccountNTDomain",
"identifier": "NTDomain"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "Computer",
"identifier": "FullName"
},
{
"columnName": "HostName",
"identifier": "HostName"
},
{
"columnName": "HostNameDomain",
"identifier": "DnsDomain"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/NRT_execute_base64_decodedpayload.yaml",
"query": "SecurityEvent\n| where EventID==4688\n| where isnotempty(CommandLine)\n| project TimeGenerated, Computer, AccountName = SubjectUserName, AccountNTDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName, SubjectAccount\n| extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n| where CommandLine contains \".decode('base64')\"\n or CommandLine contains \"base64 --decode\"\n or CommandLine contains \".decode64(\"\n",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"DefenseEvasion",
"Execution"
],
"techniques": [
"T1027",
"T1059",
"T1140"
],
"templateVersion": "1.0.2"
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}