Adversaries may encode Windows host usernames in base64 within web requests to evade detection and exfiltrate credentials. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential credential theft and lateral movement tactics used by advanced threats like POLONIUM.
KQL Query

```kql
let accountLookback = 3d;
let requestLookback = 3d;
let extraction_regex = @"(?:\?|&)[a-zA-Z0-9\%]*=([a-zA-Z0-9\/\+\=]*)";
// Collect account names and base64 encode them
DeviceEvents
| where TimeGenerated > ago(accountLookback)
| summarize make_set(DeviceId), make_set(DeviceName) by InitiatingProcessAccountName
| where isnotempty(InitiatingProcessAccountName)
| extend base64_user = base64_encode_tostring(InitiatingProcessAccountName)
| join (
    // Collect requests and extract base64 parameters
    CommonSecurityLog
    | where TimeGenerated > ago(requestLookback)
    | where isnotempty(RequestURL)
    // Summarize early on the RequestURL
    | summarize FirstRequest=min(TimeGenerated), LastRequest=max(TimeGenerated), NumberOfRequests=count() by RequestURL
    | extend base64_candidate = extract_all(extraction_regex, RequestURL)
    | mv-expand base64_candidate to typeof(string)
) on $left.base64_user == $right.base64_candidate
| project FirstRequest, LastRequest, NumberOfRequests, RequestURL, DeviceIds=set_DeviceId, DeviceNames=set_DeviceName, UserName=InitiatingProcessAccountName
```
```yaml
id: 6e715730-82c0-496c-983b-7a20c4590bd9
name: Windows host username encoded in base64 web request
description: |
  'This detection will identify network requests in HTTP proxy data that contain Base64-encoded usernames from machines in the DeviceEvents table.
  This technique was seen used by POLONIUM in their RunningRAT tool.'
severity: Medium
requiredDataConnectors:
  - connectorId: Zscaler
    dataTypes:
      - CommonSecurityLog
  - connectorId: Fortinet
    dataTypes:
      - CommonSecurityLog
  - connectorId: CheckPoint
    dataTypes:
      - CommonSecurityLog
  - connectorId: PaloAltoNetworks
    dataTypes:
      - CommonSecurityLog
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Exfiltration
  - CommandAndControl
relevantTechniques:
  - T1041
  - T1071.001
tags:
  - POLONIUM
query: |
  let accountLookback = 3d;
  let requestLookback = 3d;
  let extraction_regex = @"(?:\?|&)[a-zA-Z0-9\%]*=([a-zA-Z0-9\/\+\=]*)";
  // Collect account names and base64 encode them
  DeviceEvents
  | where TimeGenerated > ago(accountLookback)
  | summarize make_set(DeviceId), make_set(DeviceName) by InitiatingProcessAccountName
  | where isnotempty(InitiatingProcessAccountName)
  | extend base64_user = base64_encode_tostring(InitiatingProcessAccountName)
  | join (
      // Collect requests and extract base64 parameters
      CommonSecurityLog
      | where TimeGenerated > ago(requestLookback)
      | where isnotempty(RequestURL)
      // Summarize early on the RequestURL
      | summarize FirstRequest=min(TimeGenerated), LastRequest=max(TimeGenerated), NumberOfRequests=count() by RequestURL
      | extend base64_candidate = extract_all(extraction_regex, RequestURL)
      | mv-expand base64_candidate to typeof(string)
  ) on $left.base64_user == $right.base64_candidate
  | project FirstRequest, LastRequest, NumberOfRequests, RequestURL, DeviceIds=set_DeviceId, DeviceNames=set_DeviceName, UserName=InitiatingProcessAccountName
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: DeviceNames
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: RequestURL
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: UserName
version: 1.0.1
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Thomas McElroy
  support:
    tier: Community
  categories:
    domains: [ "Security - Others" ]
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceEvents | Ensure this data connector is enabled |
- Scenario: Base64-encoded username in legitimate HTTP proxy logs
  - Description: A system administrator or DevOps team may encode usernames in base64 for internal logging or debugging purposes, especially when integrating with third-party tools or APIs.
  - Filter/Exclusion: Exclude requests where the username field is part of a known internal tool (e.g., curl, Postman, or scripted curl calls in CI/CD pipelines) or where the request is to an internal API endpoint.
- Scenario: Scheduled job using base64-encoded credentials
  - Description: A scheduled job (e.g., using schtasks or Task Scheduler) may pass base64-encoded usernames as part of a script or API call to a service that requires authentication.
  - Filter/Exclusion: Exclude requests originating from known scheduled tasks (e.g., Task Scheduler jobs named DailyBackup or SystemUpdate) or from specific service accounts.
- Scenario: Admin task using base64 in PowerShell scripts
  - Description: An administrator may use PowerShell scripts to encode usernames in base64 for automation purposes, such as when interacting with REST APIs or legacy systems.
  - Filter/Exclusion: Exclude requests where the source process is a PowerShell script (e.g., powershell.exe) and the script is known to be part of a legitimate admin task (e.g., Update-Script.ps1).
- Scenario: Base64 encoding in internal web service communication
  - Description: An internal web service or microservice may encode usernames in base64 for internal communication, especially when passing data between services or using custom authentication mechanisms.
  - Filter/Exclusion: Exclude requests where the destination IP is within the internal network (e.g., 10.0.0.0/8) or where the service is known to use internal communication protocols.
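To make the join logic of the KQL rule above and the internal-destination exclusion from the false-positive scenarios concrete, here is an added Python example that is not part of the Sentinel rule or its author's code. It re-implements the rule's steps over constructed stand-ins for the DeviceEvents and CommonSecurityLog rows (the account names, device names, timestamps and URLs are made up), using the same extraction regex in Python syntax. Two things the rule itself does not do are added as labelled options: `url_decode`, which restores `%3D`-encoded base64 padding before matching (the rule's character class stops at `%`, so such a value is never compared), and `exclude_internal`, which drops RFC 1918 destinations as the last scenario suggests. The function and variable names are this example's own.

```python
import base64
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from urllib.parse import unquote, urlparse

# Python form of the rule's KQL extraction_regex; group 1 is the query-parameter value.
EXTRACTION_REGEX = re.compile(r"(?:\?|&)[a-zA-Z0-9%]*=([a-zA-Z0-9/+=]*)")

# Constructed stand-ins for the two Sentinel tables the rule joins (not real telemetry).
# DeviceEvents rows: (InitiatingProcessAccountName, DeviceId, DeviceName)
DEVICE_EVENTS = [
    ("jsmith", "dev-001", "WS-FINANCE-07"),
    ("jsmith", "dev-003", "WS-FINANCE-12"),
    ("svc_backup", "dev-002", "SRV-BACKUP-01"),
]
# CommonSecurityLog rows: (TimeGenerated, RequestURL)
PROXY_LOG = [
    ("2024-05-01T10:00:00Z", "http://203.0.113.10/api/check?id=anNtaXRo&v=1"),
    ("2024-05-01T10:05:00Z", "http://203.0.113.10/api/check?id=anNtaXRo&v=1"),
    ("2024-05-01T11:00:00Z", "http://example.com/search?q=hello+world"),
    # base64 padding '=' sent URL-encoded as %3D: the rule's regex stops at '%' and misses it
    ("2024-05-01T12:00:00Z", "http://203.0.113.10/beacon?u=c3ZjX2JhY2t1cA%3D%3D"),
    # same encoded username sent to an internal (RFC 1918) host: the documented false-positive case
    ("2024-05-01T12:30:00Z", "http://10.20.30.40/internal/log?user=anNtaXRo"),
]

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def encode_accounts(device_events):
    """DeviceEvents side of the join: base64(account) -> (account, device ids, device names)."""
    accounts = defaultdict(lambda: (set(), set()))
    for account, device_id, device_name in device_events:
        if account:  # mirrors 'where isnotempty(InitiatingProcessAccountName)'
            accounts[account][0].add(device_id)
            accounts[account][1].add(device_name)
    return {
        base64.b64encode(account.encode()).decode(): (account, ids, names)
        for account, (ids, names) in accounts.items()
    }


def extract_candidates(url, url_decode=False):
    """Mirror extract_all(): every query-parameter value made only of base64 characters.
    url_decode=True is an added variant (not in the rule) that restores %3D padding first."""
    values = EXTRACTION_REGEX.findall(unquote(url) if url_decode else url)
    return [v for v in values if v]


def summarize_requests(proxy_log):
    """Mirror the summarize step: RequestURL -> (FirstRequest, LastRequest, NumberOfRequests)."""
    per_url = {}
    for ts, url in proxy_log:
        first, last, n = per_url.get(url, (ts, ts, 0))
        per_url[url] = (min(first, ts), max(last, ts), n + 1)
    return per_url


def is_internal_destination(url):
    """Exclusion helper for the last scenario: destination is a literal RFC 1918 address."""
    try:
        addr = ip_address(urlparse(url).hostname)
    except ValueError:
        return False  # DNS name or missing host: not treated as internal by this helper
    return any(addr in net for net in RFC1918)


def detect(device_events, proxy_log, url_decode=False, exclude_internal=False):
    """Join encoded account names against extracted parameter values; returns rule-shaped rows."""
    encoded = encode_accounts(device_events)
    hits = []
    for url, (first, last, count) in summarize_requests(proxy_log).items():
        if exclude_internal and is_internal_destination(url):
            continue
        for candidate in extract_candidates(url, url_decode):
            if candidate in encoded:
                account, ids, names = encoded[candidate]
                hits.append({
                    "FirstRequest": first, "LastRequest": last, "NumberOfRequests": count,
                    "RequestURL": url, "DeviceIds": sorted(ids),
                    "DeviceNames": sorted(names), "UserName": account,
                })
    return hits


if __name__ == "__main__":
    for hit in detect(DEVICE_EVENTS, PROXY_LOG, url_decode=True, exclude_internal=True):
        print(hit)
```

Run as-is, `detect()` with the rule's default behaviour returns two rows for `jsmith` (one external, one internal) and nothing for `svc_backup`, because the `%3D%3D` padding is cut off before the comparison; with `url_decode=True` the `svc_backup` beacon is matched, and `exclude_internal=True` then removes the internal-host row. Note that the comparison is exact: base64 is case-sensitive, so an account name that appears in DeviceEvents with different casing than the encoded value in the URL will not match either.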