Process Creation with Suspicious CommandLine Arguments

_ASim_ProcessEvent
| where EventType == 'ProcessCreated'
| extend CommandLineArgs = strcat_array(array_slice(split(CommandLine, " "), 1, -1), " ")
| where strlen(CommandLineArgs) > 0
| where CommandLineArgs contains "base64"
| project
TimeGenerated,
DvcHostname,
DvcIpAddr,
DvcDomain,
TargetUsername,
TargetUsernameType,
TargetProcessName,
TargetProcessId,
CommandLine
| extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[1]), TargetUsername)
| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[0]), TargetUsername)
| extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)
| extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')

relevantTechniques:
- T1059
- T1027
severity: Medium
queryFrequency: 1h
triggerOperator: gt
name: Process Creation with Suspicious CommandLine Arguments
requiredDataConnectors:
- connectorId: CrowdStrikeFalconEndpointProtection
  dataTypes:
  - CommonSecurityLog
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - SecurityAlert
- connectorId: SentinelOne
  dataTypes:
  - SentinelOne_CL
- connectorId: VMwareCarbonBlack
  dataTypes:
  - CarbonBlackEvents_CL
- connectorId: CiscoSecureEndpoint
  dataTypes:
  - CiscoSecureEndpoint_CL
- connectorId: TrendMicroApexOne
  dataTypes:
  - TMApexOneEvent
- connectorId: TrendMicroApexOneAma
  dataTypes:
  - TMApexOneEvent
triggerThreshold: 0
tags:
- Schema: _ASim_ProcessEvent
  SchemaVersion: 0.1.4
tactics:
- Execution
- DefenseEvasion
id: fdbcc0eb-44fb-467e-a51d-a91df0780a81
entityMappings:
- fieldMappings:
  - columnName: DvcHostname
    identifier: HostName
  - columnName: DvcDomain
    identifier: DnsDomain
  - columnName: NTDomain
    identifier: NTDomain
  entityType: Host
- fieldMappings:
  - columnName: DvcIpAddr
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: Username
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  - columnName: NTDomain
    identifier: NTDomain
  entityType: Account
- fieldMappings:
  - columnName: TargetProcessId
    identifier: ProcessId
  - columnName: CommandLine
    identifier: CommandLine
  entityType: Process
kind: Scheduled
alertDetailsOverride:
  alertDescriptionFormat: "Process '{{TargetProcessName}}' ProcessId: '{{TargetProcessId}}' with commandline {{CommandLine}} was created."
  alertDisplayNameFormat: Process with suspicious command line arguments was created on {{DvcHostname}} ({{DvcIpAddr}}) by ({{TargetUsername}})
status: Available
description: |
    This analytic rule detects process creation events with base64 encoded command line arguments. This could be an indication of a malicious process being executed.
query: |
  _ASim_ProcessEvent
  | where EventType == 'ProcessCreated'
  | extend CommandLineArgs = strcat_array(array_slice(split(CommandLine, " "), 1, -1), " ")
  | where strlen(CommandLineArgs) > 0
  | where CommandLineArgs contains "base64"
  | project
  TimeGenerated,
  DvcHostname,
  DvcIpAddr,
  DvcDomain,
  TargetUsername,
  TargetUsernameType,
  TargetProcessName,
  TargetProcessId,
  CommandLine
  | extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[1]), TargetUsername)
  | extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[0]), TargetUsername)
  | extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)
  | extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')  
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/SuspiciousProcessCreation.yaml
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryPeriod: 1h