Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Process Creation with Suspicious CommandLine Arguments

Back
Idfdbcc0eb-44fb-467e-a51d-a91df0780a81
RulenameProcess Creation with Suspicious CommandLine Arguments
DescriptionThis analytic rule detects process creation events with base64 encoded command line arguments. This could be an indication of a malicious process being executed.
SeverityMedium
TacticsExecution
DefenseEvasion
TechniquesT1059
T1027
Required data connectorsCiscoSecureEndpoint
CrowdStrikeFalconEndpointProtection
MicrosoftThreatProtection
SentinelOne
TrendMicroApexOne
TrendMicroApexOneAma
VMwareCarbonBlack
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/SuspiciousProcessCreation.yaml
Version1.0.0
Arm templatefdbcc0eb-44fb-467e-a51d-a91df0780a81.json
Deploy To Azure
_ASim_ProcessEvent
| where EventType == 'ProcessCreated'
| extend CommandLineArgs = todynamic(array_slice(split(CommandLine, " "), 1, -1))
| where strlen(CommandLineArgs) > 0
| mv-apply CommandLineArgs on 
    (
    where CommandLineArgs contains "base64"
    )
| project
    TimeGenerated,
    DvcHostname,
    DvcIpAddr,
    DvcDomain,
    TargetUsername,
    TargetUsernameType,
    TargetProcessName,
    TargetProcessId,
    CommandLine
| extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[1]), TargetUsername)
| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[0]), TargetUsername)
| extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)
| extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')
alertDetailsOverride:
  alertDisplayNameFormat: Process with suspicious command line arguments was created on {{DvcHostname}} ({{DvcIpAddr}}) by ({{TargetUsername}})
  alertDescriptionFormat: "Process '{{TargetProcessName}}' ProcessId: '{{TargetProcessId}}' with commandline {{CommandLine}} was created."
eventGroupingSettings:
  aggregationKind: AlertPerResult
tags:
- Schema: _ASim_ProcessEvent
  SchemaVersion: 0.1.4
status: Available
triggerThreshold: 0
relevantTechniques:
- T1059
- T1027
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/SuspiciousProcessCreation.yaml
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: CrowdStrikeFalconEndpointProtection
- dataTypes:
  - SecurityAlert
  connectorId: MicrosoftThreatProtection
- dataTypes:
  - SentinelOne_CL
  connectorId: SentinelOne
- dataTypes:
  - CarbonBlackEvents_CL
  connectorId: VMwareCarbonBlack
- dataTypes:
  - CiscoSecureEndpoint_CL
  connectorId: CiscoSecureEndpoint
- dataTypes:
  - TMApexOneEvent
  connectorId: TrendMicroApexOne
- dataTypes:
  - TMApexOneEvent
  connectorId: TrendMicroApexOneAma
queryPeriod: 1h
tactics:
- Execution
- DefenseEvasion
severity: Medium
triggerOperator: gt
description: |
    This analytic rule detects process creation events with base64 encoded command line arguments. This could be an indication of a malicious process being executed.
query: |
  _ASim_ProcessEvent
  | where EventType == 'ProcessCreated'
  | extend CommandLineArgs = todynamic(array_slice(split(CommandLine, " "), 1, -1))
  | where strlen(CommandLineArgs) > 0
  | mv-apply CommandLineArgs on 
      (
      where CommandLineArgs contains "base64"
      )
  | project
      TimeGenerated,
      DvcHostname,
      DvcIpAddr,
      DvcDomain,
      TargetUsername,
      TargetUsernameType,
      TargetProcessName,
      TargetProcessId,
      CommandLine
  | extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[1]), TargetUsername)
  | extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[0]), TargetUsername)
  | extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)
  | extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')  
name: Process Creation with Suspicious CommandLine Arguments
version: 1.0.0
kind: Scheduled
id: fdbcc0eb-44fb-467e-a51d-a91df0780a81
queryFrequency: 1h
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: DvcHostname
    identifier: HostName
  - columnName: DvcDomain
    identifier: DnsDomain
  - columnName: NTDomain
    identifier: NTDomain
- entityType: IP
  fieldMappings:
  - columnName: DvcIpAddr
    identifier: Address
- entityType: Account
  fieldMappings:
  - columnName: Username
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  - columnName: NTDomain
    identifier: NTDomain
- entityType: Process
  fieldMappings:
  - columnName: TargetProcessId
    identifier: ProcessId
  - columnName: CommandLine
    identifier: CommandLine
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fdbcc0eb-44fb-467e-a51d-a91df0780a81')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fdbcc0eb-44fb-467e-a51d-a91df0780a81')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Process '{{TargetProcessName}}' ProcessId: '{{TargetProcessId}}' with commandline {{CommandLine}} was created.",
          "alertDisplayNameFormat": "Process with suspicious command line arguments was created on {{DvcHostname}} ({{DvcIpAddr}}) by ({{TargetUsername}})"
        },
        "alertRuleTemplateName": "fdbcc0eb-44fb-467e-a51d-a91df0780a81",
        "customDetails": null,
        "description": "This analytic rule detects process creation events with base64 encoded command line arguments. This could be an indication of a malicious process being executed.\n",
        "displayName": "Process Creation with Suspicious CommandLine Arguments",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DvcHostname",
                "identifier": "HostName"
              },
              {
                "columnName": "DvcDomain",
                "identifier": "DnsDomain"
              },
              {
                "columnName": "NTDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DvcIpAddr",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Username",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              },
              {
                "columnName": "NTDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "columnName": "TargetProcessId",
                "identifier": "ProcessId"
              },
              {
                "columnName": "CommandLine",
                "identifier": "CommandLine"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/SuspiciousProcessCreation.yaml",
        "query": "_ASim_ProcessEvent\n| where EventType == 'ProcessCreated'\n| extend CommandLineArgs = todynamic(array_slice(split(CommandLine, \" \"), 1, -1))\n| where strlen(CommandLineArgs) > 0\n| mv-apply CommandLineArgs on \n    (\n    where CommandLineArgs contains \"base64\"\n    )\n| project\n    TimeGenerated,\n    DvcHostname,\n    DvcIpAddr,\n    DvcDomain,\n    TargetUsername,\n    TargetUsernameType,\n    TargetProcessName,\n    TargetProcessId,\n    CommandLine\n| extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\\\')[1]), TargetUsername)\n| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\\\')[0]), TargetUsername)\n| extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)\n| extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "Execution"
        ],
        "tags": [
          {
            "Schema": "_ASim_ProcessEvent",
            "SchemaVersion": "0.1.4"
          }
        ],
        "techniques": [
          "T1027",
          "T1059"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}