Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Base64 encoded Windows process command-lines

Back
Idca67c83e-7fff-4127-a3e3-1af66d6d4cad
RulenameBase64 encoded Windows process command-lines
DescriptionIdentifies instances of a base64 encoded PE file header seen in the process command line parameter.
SeverityMedium
TacticsExecution
DefenseEvasion
TechniquesT1059
T1027
T1140
Required data connectorsSecurityEvents
WindowsForwardedEvents
WindowsSecurityEvents
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/base64_encoded_pefile.yaml
Version1.1.2
Arm templateca67c83e-7fff-4127-a3e3-1af66d6d4cad.json
Deploy To Azure
let ProcessCreationEvents=() {
let processEvents=(union isfuzzy=true
(SecurityEvent
| where EventID==4688
| where isnotempty(CommandLine)
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,
FileName = Process, CommandLine, ParentProcessName
),
(WindowsEvent
| where EventID==4688
| where EventData has "TVqQAAMAAAAEAAA"
| extend CommandLine = tostring(EventData.CommandLine)
| where isnotempty(CommandLine)
| extend ParentProcessName = tostring(EventData.ParentProcessName)
| extend NewProcessName = tostring(EventData.NewProcessName)
| extend Process=tostring(split(NewProcessName, '\\')[-1])
| extend SubjectUserName = tostring(EventData.SubjectUserName)
| extend SubjectDomainName = tostring(EventData.SubjectDomainName)
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,
FileName = Process, CommandLine, ParentProcessName));
processEvents};
ProcessCreationEvents
| where CommandLine contains "TVqQAAMAAAAEAAA"
| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer
tactics:
- Execution
- DefenseEvasion
severity: Medium
requiredDataConnectors:
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvents
- connectorId: WindowsForwardedEvents
  dataTypes:
  - WindowsEvent
triggerOperator: gt
query: |
  let ProcessCreationEvents=() {
  let processEvents=(union isfuzzy=true
  (SecurityEvent
  | where EventID==4688
  | where isnotempty(CommandLine)
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,
  FileName = Process, CommandLine, ParentProcessName
  ),
  (WindowsEvent
  | where EventID==4688
  | where EventData has "TVqQAAMAAAAEAAA"
  | extend CommandLine = tostring(EventData.CommandLine)
  | where isnotempty(CommandLine)
  | extend ParentProcessName = tostring(EventData.ParentProcessName)
  | extend NewProcessName = tostring(EventData.NewProcessName)
  | extend Process=tostring(split(NewProcessName, '\\')[-1])
  | extend SubjectUserName = tostring(EventData.SubjectUserName)
  | extend SubjectDomainName = tostring(EventData.SubjectDomainName)
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,
  FileName = Process, CommandLine, ParentProcessName));
  processEvents};
  ProcessCreationEvents
  | where CommandLine contains "TVqQAAMAAAAEAAA"
  | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer  
triggerThreshold: 0
name: Base64 encoded Windows process command-lines
kind: Scheduled
version: 1.1.2
relevantTechniques:
- T1059
- T1027
- T1140
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/base64_encoded_pefile.yaml
description: |
    'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.'
status: Available
queryFrequency: 1d
queryPeriod: 1d
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: HostCustomEntity
id: ca67c83e-7fff-4127-a3e3-1af66d6d4cad
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ca67c83e-7fff-4127-a3e3-1af66d6d4cad')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ca67c83e-7fff-4127-a3e3-1af66d6d4cad')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Base64 encoded Windows process command-lines",
        "description": "'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let ProcessCreationEvents=() {\nlet processEvents=(union isfuzzy=true\n(SecurityEvent\n| where EventID==4688\n| where isnotempty(CommandLine)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\nFileName = Process, CommandLine, ParentProcessName\n),\n(WindowsEvent\n| where EventID==4688\n| where EventData has \"TVqQAAMAAAAEAAA\"\n| extend CommandLine = tostring(EventData.CommandLine)\n| where isnotempty(CommandLine)\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\n| extend NewProcessName = tostring(EventData.NewProcessName)\n| extend Process=tostring(split(NewProcessName, '\\\\')[-1])\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\nFileName = Process, CommandLine, ParentProcessName));\nprocessEvents};\nProcessCreationEvents\n| where CommandLine contains \"TVqQAAMAAAAEAAA\"\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "DefenseEvasion"
        ],
        "techniques": [
          "T1059",
          "T1027",
          "T1140"
        ],
        "alertRuleTemplateName": "ca67c83e-7fff-4127-a3e3-1af66d6d4cad",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "FullName"
              }
            ],
            "entityType": "Host"
          }
        ],
        "status": "Available",
        "templateVersion": "1.1.2",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/base64_encoded_pefile.yaml"
      }
    }
  ]
}