Query Details

Detecting Base64 Code In Commands

Query

DeviceFileEvents
| extend CommandWords = split(InitiatingProcessCommandLine, " ") // Split the command into words
| extend Word1 = CommandWords[0], // First word
 Word2 = CommandWords[1], // Second word
 Word3 = CommandWords[2], // Third word
 Word4 = CommandWords[3], // Fourth word
 Word5 = CommandWords[4] 
| extend LongestWord = case(
 strlen(Word1) >= strlen(Word2) and strlen(Word1) >= strlen(Word3) and strlen(Word1) >= strlen(Word4) and strlen(Word1) >= strlen(Word5), Word1,
 strlen(Word2) >= strlen(Word1) and strlen(Word2) >= strlen(Word3) and strlen(Word2) >= strlen(Word4) and strlen(Word2) >= strlen(Word5), Word2,
 strlen(Word3) >= strlen(Word1) and strlen(Word3) >= strlen(Word2) and strlen(Word3) >= strlen(Word4) and strlen(Word3) >= strlen(Word5), Word3,
 strlen(Word4) >= strlen(Word1) and strlen(Word4) >= strlen(Word2) and strlen(Word4) >= strlen(Word3) and strlen(Word4) >= strlen(Word5), Word4,
 Word5 // Default case if Column5 is the longest
)
| extend tostring(LongestWord)
| extend DecodedBytes = base64_decode_tostring(LongestWord)
| extend DecodedString = tostring(DecodedBytes)
| where isnotempty(DecodedString)
| distinct DeviceName,InitiatingProcessCommandLine,LongestWord,DecodedString

About this query

Detecting Base64 Code in Commands

This KQL Query is oriented to detect strings added into executed command lines which are base64coded. After it, it decoded the corresponding string and show the results decoded.

Explanation

This KQL query is designed to identify and decode Base64-encoded strings within command lines executed on devices. Here's a simplified breakdown of what the query does:

  1. Extract Command Words: It takes the command line that initiated a process and splits it into individual words.

  2. Identify Longest Word: Among the first five words of the command line, it determines which one is the longest.

  3. Decode Base64: It attempts to decode this longest word from Base64 encoding into a readable string.

  4. Filter Non-Empty Decoded Strings: It filters out any results where the decoded string is empty, meaning it only keeps entries where a successful Base64 decoding occurred.

  5. Display Results: Finally, it presents a distinct list of the device name, the original command line, the longest word (presumably Base64-encoded), and the decoded string.

In essence, this query helps in detecting potential obfuscation in command lines by looking for Base64-encoded content and revealing what it translates to.

Details

Sergio Albea profile picture

Sergio Albea

Released: January 15, 2025

Tables

DeviceFileEvents

Keywords

DeviceFileEventsCommandLineStringBytesName

Operators

DeviceFileEventsextendsplitcasestrlentostringbase64_decode_tostringwhereisnotemptydistinct

Actions

GitHub