Process Creation with Suspicious CommandLine Arguments

_ASim_ProcessEvent
| where EventType == 'ProcessCreated'
| extend CommandLineArgs = strcat_array(array_slice(split(CommandLine, " "), 1, -1), " ")
| where strlen(CommandLineArgs) > 0
| where CommandLineArgs contains "base64"
| project
TimeGenerated,
DvcHostname,
DvcIpAddr,
DvcDomain,
TargetUsername,
TargetUsernameType,
TargetProcessName,
TargetProcessId,
CommandLine
| extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[1]), TargetUsername)
| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[0]), TargetUsername)
| extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)
| extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')

triggerThreshold: 0
status: Available
name: Process Creation with Suspicious CommandLine Arguments
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/SuspiciousProcessCreation.yaml
query: |
  _ASim_ProcessEvent
  | where EventType == 'ProcessCreated'
  | extend CommandLineArgs = strcat_array(array_slice(split(CommandLine, " "), 1, -1), " ")
  | where strlen(CommandLineArgs) > 0
  | where CommandLineArgs contains "base64"
  | project
  TimeGenerated,
  DvcHostname,
  DvcIpAddr,
  DvcDomain,
  TargetUsername,
  TargetUsernameType,
  TargetProcessName,
  TargetProcessId,
  CommandLine
  | extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[1]), TargetUsername)
  | extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[0]), TargetUsername)
  | extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)
  | extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')  
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: DvcHostname
  - identifier: DnsDomain
    columnName: DvcDomain
  - identifier: NTDomain
    columnName: NTDomain
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: DvcIpAddr
  entityType: IP
- fieldMappings:
  - identifier: Name
    columnName: Username
  - identifier: UPNSuffix
    columnName: UPNSuffix
  - identifier: NTDomain
    columnName: NTDomain
  entityType: Account
- fieldMappings:
  - identifier: ProcessId
    columnName: TargetProcessId
  - identifier: CommandLine
    columnName: CommandLine
  entityType: Process
id: fdbcc0eb-44fb-467e-a51d-a91df0780a81
queryPeriod: 1h
severity: Medium
version: 1.0.1
kind: Scheduled
tags:
- SchemaVersion: 0.1.4
  Schema: _ASim_ProcessEvent
triggerOperator: gt
tactics:
- Execution
- DefenseEvasion
queryFrequency: 1h
description: |
    This analytic rule detects process creation events with base64 encoded command line arguments. This could be an indication of a malicious process being executed.
eventGroupingSettings:
  aggregationKind: AlertPerResult
requiredDataConnectors:
- connectorId: CrowdStrikeFalconEndpointProtection
  dataTypes:
  - CommonSecurityLog
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - SecurityAlert
- connectorId: SentinelOne
  dataTypes:
  - SentinelOne_CL
- connectorId: VMwareCarbonBlack
  dataTypes:
  - CarbonBlackEvents_CL
- connectorId: CiscoSecureEndpoint
  dataTypes:
  - CiscoSecureEndpoint_CL
- connectorId: TrendMicroApexOne
  dataTypes:
  - TMApexOneEvent
- connectorId: TrendMicroApexOneAma
  dataTypes:
  - TMApexOneEvent
alertDetailsOverride:
  alertDisplayNameFormat: Process with suspicious command line arguments was created on {{DvcHostname}} ({{DvcIpAddr}}) by ({{TargetUsername}})
  alertDescriptionFormat: "Process '{{TargetProcessName}}' ProcessId: '{{TargetProcessId}}' with commandline {{CommandLine}} was created."
relevantTechniques:
- T1059
- T1027