Forum Discussion
JKatzmandu
Nov 16, 2020 · Brass Contributor
Finding base64 encoded commands
All, I put together a query to look for base64-encoded strings on Command Lines where powershell has been executed. So I whipped up the following query:
SecurityEvent
| where TimeGenerated betw...
JKatzmandu
Dec 01, 2020 · Brass Contributor
Ofer_Shezaf We came up with a "hedge" which is pretty good for finding base64 on the command line. It's not exhaustive, but essentially looks for longer command lines with a decent length of a base64 string, and it also has to be a valid string (one that can be decoded by the base64_decode() function).
In practice this worked and did find some "shady" items. We actually found items that were double-encoded.
SecurityEvent
| where TimeGenerated between (ago(7d) .. now())
| where EventID == 4688 // process creation; EventID is an int column, so compare against a number, not a string
| where ParentProcessName contains @'\cmd.exe' or NewProcessName contains "powershell" or NewProcessName contains "pwsh"
| where string_size(CommandLine) >= 24 // get rid of CommandLine that is too short.
// last whitespace-delimited token on the line: at least 20 base64 characters, then anything non-blank up to end of line
| extend Evil_Base64 = extract(@'\s+([A-Za-z0-9+/]{20}\S+$)', 1, CommandLine)
| where isnotempty(Evil_Base64)
// the hedge: keep only tokens that actually decode. -EncodedCommand payloads are UTF-16LE,
// so the decoded text of those will carry a NUL byte between characters
| extend decoded_command = base64_decode_tostring(Evil_Base64)
| where isnotempty(decoded_command)
| project TimeGenerated, SubjectAccount, Account, Computer, CommandLine, ParentProcessName, NewProcessName, Evil_Base64, decoded_command
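The hedge from the post above, as an added example in Python (not the poster's KQL and not code from anyone in the thread): the same filters run over a handful of constructed 4688-style events. It keeps the post's rule, a trailing token of at least 20 base64 characters that must actually decode, and goes two steps further: it tolerates the quotes that 4688 command lines often put around the argument, and it peels nested layers, which is what the double-encoded items the post mentions look like. Decoding treats the bytes as UTF-16LE when they look like a -EncodedCommand payload, an assumption about the payload rather than anything the KQL does. The events, paths and scripts are constructed for the demo.

```python
import base64
import binascii
import re

# Same idea as the KQL hedge: the last whitespace-delimited token on the command
# line must be at least 20 base64 characters long.  Unlike the post's regex this
# one also tolerates surrounding quotes (an extension, not part of the query).
TOKEN_RE = re.compile(r"""\s+["']?([A-Za-z0-9+/]{20,}={0,2})["']?\s*$""")
MIN_CMDLINE_BYTES = 24  # string_size(CommandLine) >= 24 in the query


def _enc(script):
    """Encode a script the way powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed 4688-style events for the demo; not real log data.
INNER_SCRIPT = "Get-Process | Out-Null"
INNER_CMD = "powershell.exe -NoProfile -EncodedCommand " + _enc(INNER_SCRIPT)
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD_EXE = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    # one layer of -EncodedCommand
    {"ParentProcessName": CMD_EXE, "NewProcessName": PS_EXE,
     "CommandLine": "powershell.exe -NoProfile -EncodedCommand " + _enc("Write-Host 'hello'")},
    # double-encoded: the decoded payload launches powershell with another encoded command
    {"ParentProcessName": CMD_EXE, "NewProcessName": PS_EXE,
     "CommandLine": 'powershell.exe -enc "' + _enc(INNER_CMD) + '"'},
    # benign: long enough, but the last token is a path, not base64
    {"ParentProcessName": CMD_EXE, "NewProcessName": PS_EXE,
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\nightly-backup.ps1"},
    # too short to be interesting
    {"ParentProcessName": CMD_EXE, "NewProcessName": CMD_EXE, "CommandLine": "cmd.exe /c dir"},
    # long alphanumeric token that is not valid base64 (26 chars, no padding)
    {"ParentProcessName": CMD_EXE, "NewProcessName": PS_EXE,
     "CommandLine": "powershell.exe -Command Set-Content ABCDEFGHIJKLMNOPQRSTUVWXYZ"},
]


def extract_candidate(cmdline):
    """The Evil_Base64 column: the candidate token, or "" when there is none."""
    m = TOKEN_RE.search(cmdline)
    return m.group(1) if m else ""


def decode_token(token):
    """The decoded_command column: readable text, or None when the token is not
    valid base64 or does not decode to text (the query's base64_decode_tostring() != "")."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw:
        return None
    try:
        # -EncodedCommand payloads are UTF-16LE, so ASCII script shows up as a
        # NUL in every odd byte.  Anything else is treated as UTF-8.
        if len(raw) % 2 == 0 and 0 in raw[1::2]:
            text = raw.decode("utf-16-le")
        else:
            text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None  # decodes, but to binary junk rather than a command
    return text


def decode_layers(cmdline, max_depth=4):
    """Peel nested encodings: decoded commands outermost first, [] when nothing decodes."""
    layers = []
    current = cmdline
    for _ in range(max_depth):
        token = extract_candidate(current)
        if not token:
            break
        text = decode_token(token)
        if text is None:
            break
        layers.append(text)
        current = text  # look for another encoded launch inside what we just decoded
    return layers


def hunt(events, min_bytes=MIN_CMDLINE_BYTES):
    """Apply the query's filters to a list of 4688 events and return the hits."""
    hits = []
    for ev in events:
        parent = ev["ParentProcessName"].lower()  # KQL contains() is case-insensitive
        child = ev["NewProcessName"].lower()
        if not ("\\cmd.exe" in parent or "powershell" in child or "pwsh" in child):
            continue
        cmd = ev["CommandLine"]
        if len(cmd.encode("utf-8")) < min_bytes:  # string_size() counts bytes
            continue
        layers = decode_layers(cmd)
        if layers:
            hits.append({**ev, "Evil_Base64": extract_candidate(cmd), "decoded_command": layers})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["CommandLine"][:60] + "...")
        for depth, layer in enumerate(hit["decoded_command"], 1):
            print(f"  layer {depth}: {layer}")
```

Run it directly to see the two hits and their layers. The benign path, the too-short command line and the 26-character alphanumeric token all drop out, the last one because strict base64 decoding rejects its length, which is the same check the query's base64_decode_tostring() filter performs.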
Ofer_Shezaf
Microsoft
Dec 02, 2020
JKatzmandu: Great to learn. Thanks!