Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Base64 encoded Windows process command-lines (Normalized Process Events)

Back
Idf8b3c49c-4087-499b-920f-0dcfaff0cbca
RulenameBase64 encoded Windows process command-lines (Normalized Process Events)
DescriptionIdentifies instances of a base64 encoded PE file header seen in the process command line parameter.

To use this analytics rule, make sure you have deployed the ASIM normalization parsers
SeverityMedium
TacticsExecution
DefenseEvasion
TechniquesT1059
T1027
T1140
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/imProcess_base64_encoded_pefile.yaml
Version1.1.2
Arm templatef8b3c49c-4087-499b-920f-0dcfaff0cbca.json
Deploy To Azure
imProcessCreate
  | where CommandLine contains "TVqQAAMAAAAEAAA"
  | where isnotempty(Process)
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct
  | extend timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc
metadata:
  author:
    name: Yuval Naor
  support:
    tier: Community
  source:
    kind: Community
  categories:
    domains:
    - Security - Threat Protection
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/imProcess_base64_encoded_pefile.yaml
description: |
  'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.
  To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)'  
tags:
- Id: ca67c83e-7fff-4127-a3e3-1af66d6d4cad
  version: 1.0.0
- SchemaVersion: 0.1.0
  Schema: ASIMProcessEvent
triggerOperator: gt
queryPeriod: 1d
requiredDataConnectors: []
queryFrequency: 1d
triggerThreshold: 0
tactics:
- Execution
- DefenseEvasion
query: |
  imProcessCreate
    | where CommandLine contains "TVqQAAMAAAAEAAA"
    | where isnotempty(Process)
    | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct
    | extend timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc  
kind: Scheduled
relevantTechniques:
- T1059
- T1027
- T1140
version: 1.1.2
id: f8b3c49c-4087-499b-920f-0dcfaff0cbca
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: HostCustomEntity
    identifier: FullName
  entityType: Host
name: Base64 encoded Windows process command-lines (Normalized Process Events)
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f8b3c49c-4087-499b-920f-0dcfaff0cbca')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f8b3c49c-4087-499b-920f-0dcfaff0cbca')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Base64 encoded Windows process command-lines (Normalized Process Events)",
        "description": "'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "imProcessCreate\n  | where CommandLine contains \"TVqQAAMAAAAEAAA\"\n  | where isnotempty(Process)\n  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\n  | extend timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "DefenseEvasion"
        ],
        "techniques": [
          "T1059",
          "T1027",
          "T1140"
        ],
        "alertRuleTemplateName": "f8b3c49c-4087-499b-920f-0dcfaff0cbca",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/imProcess_base64_encoded_pefile.yaml",
        "tags": [
          {
            "Id": "ca67c83e-7fff-4127-a3e3-1af66d6d4cad",
            "version": "1.0.0"
          },
          {
            "Schema": "ASIMProcessEvent",
            "SchemaVersion": "0.1.0"
          }
        ],
        "templateVersion": "1.1.2"
      }
    }
  ]
}