Base64 encoded Windows process command-lines (Normalized Process Events)

Back


Id	f8b3c49c-4087-499b-920f-0dcfaff0cbca
Rulename	Base64 encoded Windows process command-lines (Normalized Process Events)
Description	Identifies instances of a base64 encoded PE file header seen in the process command line parameter. To use this analytics rule, make sure you have deployed the ASIM normalization parsers
Severity	Medium
Tactics	Execution DefenseEvasion
Techniques	T1059 T1027 T1140
Kind	Scheduled
Query frequency	1d
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/imProcess_base64_encoded_pefile.yaml
Version	1.1.1
Arm template	f8b3c49c-4087-499b-920f-0dcfaff0cbca.json

KQL

imProcessCreate
  | where CommandLine contains "TVqQAAMAAAAEAAA"
  | where isnotempty(Process)
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct
  | extend timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc

YAML

queryFrequency: 1d
triggerOperator: gt
tactics:
- Execution
- DefenseEvasion
description: |
  'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.
  To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)'  
relevantTechniques:
- T1059
- T1027
- T1140
name: Base64 encoded Windows process command-lines (Normalized Process Events)
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/imProcess_base64_encoded_pefile.yaml
severity: Medium
triggerThreshold: 0
version: 1.1.1
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: HostCustomEntity
tags:
- version: 1.0.0
  Id: ca67c83e-7fff-4127-a3e3-1af66d6d4cad
- Schema: ASIMProcessEvent
  SchemaVersion: 0.1.0
id: f8b3c49c-4087-499b-920f-0dcfaff0cbca
requiredDataConnectors: []
kind: Scheduled
query: |
  imProcessCreate
    | where CommandLine contains "TVqQAAMAAAAEAAA"
    | where isnotempty(Process)
    | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct
    | extend timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc  
queryPeriod: 1d

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f8b3c49c-4087-499b-920f-0dcfaff0cbca')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f8b3c49c-4087-499b-920f-0dcfaff0cbca')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Base64 encoded Windows process command-lines (Normalized Process Events)",
        "description": "'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "imProcessCreate\n  | where CommandLine contains \"TVqQAAMAAAAEAAA\"\n  | where isnotempty(Process)\n  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\n  | extend timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "DefenseEvasion"
        ],
        "techniques": [
          "T1059",
          "T1027",
          "T1140"
        ],
        "alertRuleTemplateName": "f8b3c49c-4087-499b-920f-0dcfaff0cbca",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "HostCustomEntity"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/imProcess_base64_encoded_pefile.yaml",
        "tags": [
          {
            "Id": "ca67c83e-7fff-4127-a3e3-1af66d6d4cad",
            "version": "1.0.0"
          },
          {
            "Schema": "ASIMProcessEvent",
            "SchemaVersion": "0.1.0"
          }
        ],
        "templateVersion": "1.1.1"
      }
    }
  ]
}