Adversaries may encode command-line arguments in Base64 to obfuscate malicious payloads or evade basic detection mechanisms. This rule targets one specific case of that behaviour: a Windows executable carried in Base64 on a process command line. The literal "TVqQAAMAAAAEAAA" is the Base64 encoding of the first bytes of a standard PE/DOS header (the "MZ" magic followed by e_cblp = 0x90, e_cp = 3, e_crlc = 0, e_cparhdr = 4), so a match means the process was handed an embedded PE image, for example as the argument to an in-memory loader or to a dropper that decodes it to disk. SOC teams should hunt for this in Microsoft Sentinel (formerly Azure Sentinel) and investigate each hit by decoding the blob. Two caveats when tuning or extending the rule: Base64 packs three bytes into four characters, so the literal only appears when the header starts at a byte offset that is a multiple of three within the encoded data, and a loader that prepends even one byte yields different text; and KQL `contains` is case-insensitive while Base64 is case-sensitive, so `contains_cs` is the exact, and cheaper, operator for this literal.
KQL Query

```kql
imProcessCreate
| where CommandLine contains "TVqQAAMAAAAEAAA"
| where isnotempty(Process)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct
| extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0])
| extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
| project-away DomainIndex
```
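The detection logic behind the rule, as an added Python example that is not part of the Sentinel rule or its author's code. It builds a constructed stand-in DOS/PE header, shows why Base64 of that header begins with the rule's literal and why the literal disappears when one or two bytes precede the header, then runs both the rule's case-insensitive substring test and a decode-and-inspect check over constructed imProcessCreate-style records. Host names, account names, paths and the sample command lines are invented for the example.

```python
"""Added example: the rule's literal match versus a decode-and-inspect check for an
embedded PE, run over constructed imProcessCreate-style records (not real telemetry)."""
import base64
import binascii
import re
from typing import Dict, List, Tuple

RULE_LITERAL = "TVqQAAMAAAAEAAA"                    # the substring the KQL rule searches for
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")  # candidate Base64 tokens in a command line


def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE image: a realistic 64-byte IMAGE_DOS_HEADER followed
    directly by the 'PE\\0\\0' signature. It is not an executable and cannot run."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"                              # e_magic
    dos[2:4] = (0x90).to_bytes(2, "little")      # e_cblp
    dos[4:6] = (3).to_bytes(2, "little")         # e_cp
    dos[8:10] = (4).to_bytes(2, "little")        # e_cparhdr
    dos[12:14] = (0xFFFF).to_bytes(2, "little")  # e_maxalloc
    dos[60:64] = (64).to_bytes(4, "little")      # e_lfanew: NT headers start right after
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


def header_text_by_alignment(pe: bytes) -> Dict[int, str]:
    """Base64 text of the same header when 0, 1 or 2 bytes precede it. Base64 packs three
    bytes into four characters, so the rule's literal appears only for alignment 0."""
    return {pad: base64.b64encode(b"\x00" * pad + pe[:15]).decode() for pad in range(3)}


def literal_match(cmdline: str) -> bool:
    """Mirror of the KQL rule: `contains` is a case-insensitive substring test."""
    return RULE_LITERAL.lower() in cmdline.lower()


def lenient_b64decode(token: str) -> bytes:
    """Decode a Base64 run even if it was cut mid-quantum; return b'' if it is not Base64."""
    body = token.rstrip("=")
    if len(body) % 4 == 1:            # a single leftover character can never be valid
        body = body[:-1]
    body += "=" * (-len(body) % 4)
    try:
        return base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return b""


def has_pe_header(blob: bytes) -> bool:
    """True if blob holds an MZ header whose e_lfanew points at a 'PE\\0\\0' signature.
    Checking e_lfanew avoids flagging every blob that merely contains the two bytes 'MZ'."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = int.from_bytes(blob[pos + 0x3C:pos + 0x40], "little")
            if blob[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
                return True
        pos = blob.find(b"MZ", pos + 1)
    return False


def decoded_pe_match(cmdline: str) -> bool:
    """Alignment-independent check: decode every Base64 run and inspect the bytes."""
    return any(has_pe_header(lenient_b64decode(run)) for run in B64_RUN.findall(cmdline))


FAKE_PE = build_fake_pe()
# Constructed imProcessCreate-style records; hosts, users, paths and command lines are invented.
SAMPLE_EVENTS: List[dict] = [
    {"label": "loader_aligned", "Dvc": "ws01.corp.example", "ActorUsername": r"CORP\alice",
     "ActingProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"[Reflection.Assembly]::Load("
                    "[Convert]::FromBase64String('%s'))\"" % base64.b64encode(FAKE_PE).decode()},
    {"label": "loader_shifted", "Dvc": "ws02.corp.example", "ActorUsername": r"CORP\bob",
     "ActingProcessName": r"C:\Windows\System32\cmd.exe",
     # one prefix byte shifts the Base64 alignment and defeats the literal
     "CommandLine": "rundll32.exe stage.dll,Run %s" % base64.b64encode(b"\x01" + FAKE_PE).decode()},
    {"label": "encoded_script", "Dvc": "srv01.corp.example", "ActorUsername": r"CORP\svc_task",
     "ActingProcessName": r"C:\Windows\System32\svchost.exe",
     # -EncodedCommand carries UTF-16LE script text, not a PE, so neither check fires
     "CommandLine": "powershell.exe -EncodedCommand %s"
                    % base64.b64encode("Get-Date".encode("utf-16-le")).decode()},
    {"label": "opaque_token", "Dvc": "ws03.corp.example", "ActorUsername": r"CORP\carol",
     "ActingProcessName": r"C:\Windows\System32\cmd.exe",
     # long Base64 that is not a PE (a constructed credential blob)
     "CommandLine": "tool.exe --token %s" % base64.b64encode(bytes(range(64))).decode()},
]


def run_detection(events: List[dict] = SAMPLE_EVENTS) -> Dict[str, Tuple[bool, bool]]:
    """label -> (rule literal hit, decode-based hit) for each record."""
    return {e["label"]: (literal_match(e["CommandLine"]), decoded_pe_match(e["CommandLine"]))
            for e in events}


if __name__ == "__main__":
    for pad, text in header_text_by_alignment(FAKE_PE).items():
        print(f"alignment {pad}: {text[:24]}  literal present: {RULE_LITERAL in text}")
    for label, (lit, dec) in run_detection().items():
        print(f"{label:15} rule literal={lit!s:5} decoded MZ/PE={dec}")
```

Run it directly to print the three alignments and the per-record verdicts: the aligned loader is caught by both checks, the loader with a one-byte prefix only by the decode-based check, and the encoded script and opaque token by neither. The decode step is what a hunting notebook would do with the raw CommandLine; KQL offers base64_decode_toarray() for the same step if you want to extend the rule to the other two alignments inside Sentinel.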
```yaml
id: f8b3c49c-4087-499b-920f-0dcfaff0cbca
name: Base64 encoded Windows process command-lines (Normalized Process Events)
description: |
  'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.
  To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)'
severity: Medium
requiredDataConnectors: []
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Execution
  - DefenseEvasion
relevantTechniques:
  - T1059
  - T1027
  - T1140
tags:
  - Id: ca67c83e-7fff-4127-a3e3-1af66d6d4cad
    version: 1.0.0
  - Schema: ASIMProcessEvent
    SchemaVersion: 0.1.0
query: |
  imProcessCreate
  | where CommandLine contains "TVqQAAMAAAAEAAA"
  | where isnotempty(Process)
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct
  | extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0])
  | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
  | project-away DomainIndex
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: ActorUsername
      - identifier: Name
        columnName: AccountName
      - identifier: NTDomain
        columnName: AccountNTDomain
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Dvc
      - identifier: HostName
        columnName: HostName
      - identifier: DnsDomain
        columnName: HostNameDomain
version: 1.1.4
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Yuval Naor
  support:
    tier: Community
  categories:
    domains: [ "Security - Threat Protection" ]
```
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | ASIM unifying parser for process-creation events, not a data connector. Deploy the ASIM ProcessEvent parsers and onboard at least one source they normalize (for example Windows Security Events 4688, Sysmon event 1, or Microsoft Defender for Endpoint). The rule needs `CommandLine` populated; 4688 only carries it when "Include command line in process creation events" is enabled. |
T1059 Command and Scripting Interpreter: Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common featu
T1027 Obfuscated Files or Information: Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavi
T1140 Deobfuscate/Decode Files or Information: Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deob
Each Filter/Exclusion below is a KQL clause to append after the `imProcessCreate` line of the rule query. Host names, account names, paths and process names in them are placeholders; replace them with the exact values observed in imProcessCreate before deploying, and never exclude on a parent process name or an account name alone, since both are trivially adopted by an attacker. The rule matches a Base64-encoded PE header, not Base64 in general, so ordinary encoded-command traffic does not fire it; decode a hit (for example with `[Convert]::FromBase64String` or `base64_decode_toarray()` in KQL) and confirm it really is an MZ header before classing it as noise.
Scenario: Scheduled Task Running a Base64 Encoded Script
Description: A scheduled task runs PowerShell with -EncodedCommand. That argument is UTF-16LE script text, so it only trips this rule when the script itself embeds a Base64 PE, such as a loader stub. On current Windows a task-launched process has the Schedule service host (svchost.exe) as its parent, not schtasks.exe, and a parent-only exclusion would also hide attacker persistence through tasks.
Filter/Exclusion: | where not(ActingProcessName endswith @"\svchost.exe" and CommandLine in (ApprovedTaskCommandLines))   // ApprovedTaskCommandLines: a let-bound list or watchlist of the exact, reviewed encoded command lines
Scenario: Admin Using Base64 Encoded Commands in PowerShell
Description: An administrator's tooling passes an encoded command to PowerShell. Encoding does not avoid logging; PowerShell Script Block Logging (event 4104) records the decoded script. Excluding on the Administrator account or on a powershell.exe parent is unsafe: attackers run as administrators and launch loaders from PowerShell, so those two exclusions remove exactly the true positives the rule exists for.
Filter/Exclusion: none on ActorUsername or ActingProcessName by themselves. If one approved tool legitimately embeds a PE, pin its full path together with the account that runs it: | where not(Process =~ @"C:\Tools\Deploy\deploy.exe" and ActorUsername =~ @"CORP\svc_deploy")
Scenario: CI/CD Pipeline Executing Encoded Commands
Description: A build or release agent passes an encoded argument to a build step, for example to embed a tool binary. Take the agent's actual worker process path from imProcessCreate on the build host rather than assuming a name, and scope the exclusion to the build hosts and the agent service account so the same parent on a workstation still alerts.
Filter/Exclusion: | where not(Dvc in~ ("build01.corp.example", "build02.corp.example") and ActorUsername =~ @"CORP\svc_build" and ActingProcessName endswith @"\<AgentWorker>.exe")
Scenario: System Update or Patching Tool Using Base64 for Payload
Description: A deployment or patching utility passes a payload through an encoded command-line argument during an update. This is unusual, so verify that the decoded bytes are the vendor's binary before excluding anything. Pin the utility by full path and, where the source populates ActingProcessSHA256, by hash rather than by a bare name.
Filter/Exclusion: | where not(ActingProcessName =~ @"C:\Program Files\<Vendor>\updater.exe" and ActingProcessSHA256 in ("<reviewed sha256>"))
Scenario: Log Management Tool Encoding Log Data
Description: Log forwarders typically encode data for transport over the network, not on child process command lines, and Base64 of log text does not decode to an MZ header unless the log itself contains an executable, so this scenario rarely produces a hit. If a forwarder is seen launching a child with a Base64 PE, treat it as a compromised or abused agent first; only if vendor documentation confirms the behaviour, pin the agent's full path and the hosts it runs on.
Filter/Exclusion: | where not(ActingProcessName =~ @"C:\Program Files\<Vendor>\forwarder.exe" and Dvc in~ (ApprovedForwarderHosts))