Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Base64 encoded Windows process command-lines Normalized Process Events

Base64 encoded Windows process command-lines Normalized Process Events

Back
Idf8b3c49c-4087-499b-920f-0dcfaff0cbca
RulenameBase64 encoded Windows process command-lines (Normalized Process Events)
DescriptionIdentifies instances of a base64 encoded PE file header seen in the process command line parameter.

To use this analytics rule, make sure you have deployed the ASIM normalization parsers
SeverityMedium
TacticsExecution
DefenseEvasion
TechniquesT1059
T1027
T1140
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/imProcess_base64_encoded_pefile.yaml
Version1.1.4
Arm templatef8b3c49c-4087-499b-920f-0dcfaff0cbca.json
Deploy To Azure
imProcessCreate
| where CommandLine contains "TVqQAAMAAAAEAAA"
| where isnotempty(Process)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct
| extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0])
| extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
| project-away DomainIndex

description: |
  'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.
  To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)'  
kind: Scheduled
tactics:
- Execution
- DefenseEvasion
requiredDataConnectors: []
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/imProcess_base64_encoded_pefile.yaml
severity: Medium
name: Base64 encoded Windows process command-lines (Normalized Process Events)
metadata:
  support:
    tier: Community
  author:
    name: Yuval Naor
  categories:
    domains:
    - Security - Threat Protection
  source:
    kind: Community
triggerThreshold: 0
queryPeriod: 1d
query: |
  imProcessCreate
  | where CommandLine contains "TVqQAAMAAAAEAAA"
  | where isnotempty(Process)
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct
  | extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0])
  | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
  | project-away DomainIndex  
relevantTechniques:
- T1059
- T1027
- T1140
id: f8b3c49c-4087-499b-920f-0dcfaff0cbca
queryFrequency: 1d
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: ActorUsername
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountNTDomain
    identifier: NTDomain
- entityType: Host
  fieldMappings:
  - columnName: Dvc
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: HostNameDomain
    identifier: DnsDomain
triggerOperator: gt
version: 1.1.4
tags:
- Id: ca67c83e-7fff-4127-a3e3-1af66d6d4cad
  version: 1.0.0
- Schema: ASIMProcessEvent
  SchemaVersion: 0.1.0