Base64 encoded Windows process command-lines (Normalized Process Events)

Back


Id	f8b3c49c-4087-499b-920f-0dcfaff0cbca
Rulename	Base64 encoded Windows process command-lines (Normalized Process Events)
Description	Identifies instances of a base64 encoded PE file header seen in the process command line parameter. To use this analytics rule, make sure you have deployed the ASIM normalization parsers
Severity	Medium
Tactics	Execution DefenseEvasion
Techniques	T1059 T1027 T1140
Kind	Scheduled
Query frequency	1d
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/imProcess_base64_encoded_pefile.yaml
Version	1.1.2
Arm template	f8b3c49c-4087-499b-920f-0dcfaff0cbca.json

KQL

imProcessCreate
  | where CommandLine contains "TVqQAAMAAAAEAAA"
  | where isnotempty(Process)
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct
  | extend timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc

YAML

metadata:
  author:
    name: Yuval Naor
  support:
    tier: Community
  source:
    kind: Community
  categories:
    domains:
    - Security - Threat Protection
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/imProcess_base64_encoded_pefile.yaml
description: |
  'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.
  To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)'  
tags:
- Id: ca67c83e-7fff-4127-a3e3-1af66d6d4cad
  version: 1.0.0
- SchemaVersion: 0.1.0
  Schema: ASIMProcessEvent
triggerOperator: gt
queryPeriod: 1d
requiredDataConnectors: []
queryFrequency: 1d
triggerThreshold: 0
tactics:
- Execution
- DefenseEvasion
query: |
  imProcessCreate
    | where CommandLine contains "TVqQAAMAAAAEAAA"
    | where isnotempty(Process)
    | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct
    | extend timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc  
kind: Scheduled
relevantTechniques:
- T1059
- T1027
- T1140
version: 1.1.2
id: f8b3c49c-4087-499b-920f-0dcfaff0cbca
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: HostCustomEntity
    identifier: FullName
  entityType: Host
name: Base64 encoded Windows process command-lines (Normalized Process Events)

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f8b3c49c-4087-499b-920f-0dcfaff0cbca')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f8b3c49c-4087-499b-920f-0dcfaff0cbca')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Base64 encoded Windows process command-lines (Normalized Process Events)",
        "description": "'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "imProcessCreate\n  | where CommandLine contains \"TVqQAAMAAAAEAAA\"\n  | where isnotempty(Process)\n  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\n  | extend timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "DefenseEvasion"
        ],
        "techniques": [
          "T1059",
          "T1027",
          "T1140"
        ],
        "alertRuleTemplateName": "f8b3c49c-4087-499b-920f-0dcfaff0cbca",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/imProcess_base64_encoded_pefile.yaml",
        "tags": [
          {
            "Id": "ca67c83e-7fff-4127-a3e3-1af66d6d4cad",
            "version": "1.0.0"
          },
          {
            "Schema": "ASIMProcessEvent",
            "SchemaVersion": "0.1.0"
          }
        ],
        "templateVersion": "1.1.2"
      }
    }
  ]
}