Forum Discussion
Finding base64 encoded commands
Trying to create a rule-based detection of PowerShell attacks is between hard and impossible. On the one hand, base64 is used in valid code, and on the other hand, evasion is pretty easy. Why should the code be on the command line in the first place? Want the really dire picture? Daniel Bohannon's presentation on PowerShell obfuscation (video, slides) is impressive.
I think that Defender for Endpoint (a.k.a. Defender ATP) is the right choice for detecting and protecting from such threats.
Ofer_Shezaf, we came up with a "hedge" which is pretty good for finding base64 on the command line. It's not exhaustive, but essentially looks for longer command lines with a decent length of base64 string, and it also has to be a valid string (one that can be decoded by the base64_decode() function).
In practice this worked and did find some "shady" items. We actually found items that were double-encoded.
SecurityEvent
| where TimeGenerated between (ago(7d) .. now())
| where EventID == 4688 // process creation; EventID is an integer column, so compare against a number rather than a string
| where ParentProcessName contains @'\cmd.exe' or NewProcessName contains "powershell" or NewProcessName contains "pwsh"
| where string_size(CommandLine) >= 24 // get rid of CommandLine that is too short.
| extend Evil_Base64 = extract(@'\s+([A-Za-z0-9+/]{20}\S+$)', 1, CommandLine) // candidate: 20+ base64 chars after whitespace, running to end of line
| where isnotempty(Evil_Base64) // covers both empty string and null when the regex does not match
| extend decoded_command = base64_decode_tostring(Evil_Base64) // empty when the candidate is not valid base64
| where isnotempty(decoded_command)
| project TimeGenerated, SubjectAccount, Account, Computer, CommandLine, ParentProcessName, NewProcessName, Evil_Base64, decoded_command
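The same hedge re-implemented in Python as an added example (not part of the post or the query above), run over a few constructed 4688 command lines. It also keeps peeling while the decoded text still carries a base64 blob, which is how the double-encoded items mentioned above surface. The function names, the sample lines and the UTF-16LE fallback for -EncodedCommand are assumptions added here, not from the query.

```python
import base64
import binascii
import re

# Same hedge as the KQL: after whitespace, a run of at least 20 base64
# characters that continues to the end of the command line.
B64_TAIL = re.compile(r'\s+([A-Za-z0-9+/]{20}\S+)$')
# Inner layers may be a bare blob with no leading whitespace.
B64_WHOLE = re.compile(r'([A-Za-z0-9+/]{20,}={0,2})')

def decode_blob(blob):
    """Return decoded text, or None unless the blob is valid base64 that
    yields printable text (UTF-8 first, then UTF-16LE as -EncodedCommand uses)."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    for enc in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text and text.isprintable():  # UTF-16LE read as UTF-8 has NULs: rejected
            return text
    return None

def peel(command_line, max_depth=3):
    """Decoded layers, outermost first; empty when the line is short, has no
    candidate, or the candidate is not real base64 (mirrors the KQL filters)."""
    layers, text = [], command_line
    while len(layers) < max_depth and len(text) >= 24:
        m = B64_TAIL.search(text) or B64_WHOLE.fullmatch(text.strip())
        decoded = decode_blob(m.group(1)) if m else None
        if decoded is None:
            break
        layers.append(decoded)
        text = decoded  # look inside the result for another layer
    return layers

def scan(rows):
    """Run the hedge over (label, CommandLine) rows; only hits are returned."""
    return {label: layers for label, cmd in rows if (layers := peel(cmd))}

def _enc(cmd):
    """Build a -EncodedCommand argument (UTF-16LE, base64) for the samples."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode()

INNER = _enc("whoami /all")
# Constructed sample command lines, not real telemetry.
SAMPLE = [
    ("benign", r"C:\Windows\System32\cmd.exe /c dir C:\Users"),
    ("single", f"powershell.exe -NoProfile -EncodedCommand {INNER}"),
    ("double", f"powershell.exe -EncodedCommand {_enc('powershell -nop -enc ' + INNER)}"),
    ("junk", "powershell.exe -Command Get-ChildItem " + "A" * 32),  # valid base64, not text
]
```

Running `scan(SAMPLE)` reports only the single and double rows; the all-zero "junk" blob decodes but is rejected because it is not printable text.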
- Ofer_Shezaf (Microsoft), Dec 02, 2020
JKatzmandu: Great to learn. Thanks!