Base64 encoded Windows process command-lines (Normalized Process Events)

Hunt Hypothesis

‘Identifies instances of a base64 encoded PE file header seen in the process command line parameter. To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://ak

KQL Query

imProcessCreate
| where CommandLine contains "TVqQAAMAAAAEAAA"
| where isnotempty(Process)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct
| extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0])
| extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
| project-away DomainIndex

Analytic Rule Definition

id: f8b3c49c-4087-499b-920f-0dcfaff0cbca
name: Base64 encoded Windows process command-lines (Normalized Process Events)
description: |
  'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.
  To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)'
severity: Medium
requiredDataConnectors: []
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Execution
  - DefenseEvasion
relevantTechniques:
  - T1059
  - T1027
  - T1140
tags:
  - Id: ca67c83e-7fff-4127-a3e3-1af66d6d4cad
    version: 1.0.0
  - Schema: ASIMProcessEvent
    SchemaVersion: 0.1.0

query: |
  imProcessCreate
  | where CommandLine contains "TVqQAAMAAAAEAAA"
  | where isnotempty(Process)
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct
  | extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0])
  | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
  | project-away DomainIndex
  
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: ActorUsername
      - identifier: Name
        columnName: AccountName
      - identifier: NTDomain
        columnName: AccountNTDomain
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Dvc
      - identifier: HostName
        columnName: HostName
      - identifier: DnsDomain
        columnName: HostNameDomain
version: 1.1.4
kind: Scheduled
metadata:
    source:
        kind: Community
    author:
        name: Yuval Naor
    support:
        tier: Community
    categories:
        domains: [ "Security - Threat Protection" ]

Required Data Sources

MITRE ATT&CK Context

• Tactic: Execution
• Tactic: DefenseEvasion
• Tactic: Defense Evasion
• Technique: T1059 — Command and Scripting Interpreter

  Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common featu

• Technique: T1027 — Obfuscated Files or Information

  Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavi

• Technique: T1140 — Deobfuscate/Decode Files or Information

  Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deob

Validation (Atomic Red Team)

• T1059 — Command and Scripting Interpreter
• T1027 — Obfuscated Files or Information
• T1140 — Deobfuscate/Decode Files or Information

References

• Source Query