Finding base64 encoded commands

%3CLINGO-SUB%20id%3D%22lingo-sub-1891876%22%20slang%3D%22en-US%22%3EFinding%20base64%20encoded%20commands%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1891876%22%20slang%3D%22en-US%22%3E%3CP%3EAll%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20put%20together%20a%20query%20to%20look%20for%20base64-encoded%20strings%20on%20Command%20Lines%20where%20powershell%20has%20been%20executed.%20So%20I%20whipped%20up%20the%20following%20query%3A%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-cpp%22%3E%3CCODE%3ESecurityEvent%0A%7C%20where%20TimeGenerated%20between%20(ago(1d)%20..%20now())%0A%7C%20where%20EventID%20in%20(%224688%22%2C%224104%22)%0A%7C%20where%20CommandLine%20contains%20%22powershell%22%20or%20CommandLine%20contains%20%22pwsh%22%0A%7C%20extend%20args%20%3D%20split(CommandLine%2C%20%22%20%22)%0A%7C%20mv-apply%20l%3Dargs%20to%20typeof(string)%20on%20(%20where%20args%20matches%20regex%20%40'%5E(%3F%3A%5BA-Za-z0-9%2B%5C%2F%5D%7B4%7D)*(%3F%3A%5BA-Za-z0-9%2B%5C%2F%5D%7B2%7D%3D%3D%7C%5BA-Za-z0-9%2B%5C%2F%5D%7B3%7D%3D%7C%5BA-Za-z0-9%2B%5C%2F%5D%7B4%7D)%24'%20)%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3BIt%20executes%2C%20so%20syntactically%20it%20works%2C%20but%20it%20is%20extremely%20inefficient.%3CBR%20%2F%3E%3CBR%20%2F%3EI'm%20looking%20for%20EventIDs%204688%20and%204104%20in%20the%20Security%20Log%2C%20where%20we%20have%20powreshell%20or%20pwsh%20executed.%20I%20then%20use%20the%20split()%20function%20to%20parse%20up%20the%20CommandLine%20column%20into%20an%20array%20with%20each%20distinct%20element.%20We%20then%20check%20those%20elements%20(exhaustively)%20using%20an%20mv-apply%20against%20some%20regex%20for%20finding%20Base64%20strings.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20a%20better%20way%20to%20do%20this%3F%20Although%20this%20executes%2C%20Will%20my%20logic%20even%20work%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1892437%22%20slang%3D%22en-US%22%3ERe%3A%20Finding%20base64%20encoded%20commands%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1892437%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F744641%22%20target%3D%22_blank%22%3E%40JKatzmandu%3C%2FA%3E%26nbsp%3BHave%20you%20looked%20at%20the%20%22%3CSPAN%3EProcess%20executed%20from%20binary%20hidden%20in%20Base64%20encoded%20file%22%20rule%20template%20to%20see%20how%20that%20does%20it%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1892506%22%20slang%3D%22en-US%22%3ERe%3A%20Finding%20base64%20encoded%20commands%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1892506%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F46875%22%20target%3D%22_blank%22%3E%40Gary%20Bushey%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt's%20pretty%20weak%3A%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-cpp%22%3E%3CCODE%3E%7C%20where%20CommandLine%20contains%20%22TVqQAAMAAAAEAAA%22%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1942574%22%20slang%3D%22en-US%22%3ERe%3A%20Finding%20base64%20encoded%20commands%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1942574%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F744641%22%20target%3D%22_blank%22%3E%40JKatzmandu%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETrying%20to%20create%20a%20rule%20based%20detection%20of%20Powershell%20attacks%20is%20between%20hard%20and%20impossible.%20On%20the%20one%20hand%20based64%20is%20used%20in%20valid%20code%20and%20on%20the%20other%20hand%20evasion%20is%20pretty%20easy.%20Why%20should%20the%20code%20be%20on%20the%20command%20line%20int%20the%20first%20place.%20Want%20the%20really%20dire%20picture%3F%20Daniel%20Bohannon%20presenatation%20on%20PowerShell%20obfuscation%20(%3CA%20href%3D%22https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D6J8pw_bM-i4%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Evideo%3C%2FA%3E%2C%20%3CA%20href%3D%22https%3A%2F%2Fwww.slideshare.net%2FDanielBohannon2%2Finvokeobfuscation-derbycon-2016%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Eslides%3C%2FA%3E)%20is%20impresive.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20think%20that%20Defender%20for%20End%20Points%20(a.k.a.%20Defender%20ATP)%2C%20is%20the%20right%20choice%20for%20detecting%20and%20protecting%20from%20such%20threats.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1943800%22%20slang%3D%22en-US%22%3ERe%3A%20Finding%20base64%20encoded%20commands%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1943800%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F293879%22%20target%3D%22_blank%22%3E%40Ofer_Shezaf%3C%2FA%3E%26nbsp%3BWe%20came%20up%20with%20a%20%22hedge%22%20which%20is%20pretty%20good%20for%20finding%20base64%20on%20the%20command%20line.%20It's%20not%20exhaustive%2C%20but%20essentially%20looks%20for%20longer%20command%20lines%20with%20a%20decent%20length%20of%20a%20base64%20string%2C%20and%20it%20also%20has%20to%20be%20a%20valid%20string%20(one%20that%20can%20be%20decoded%20by%20the%20base64_decode()%20function.)%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20practice%20this%20worked%20and%20did%20find%20some%20%22shady%22%20items.%20We%20actually%20found%20items%20that%20were%20double-encoded.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-csharp%22%3E%3CCODE%3ESecurityEvent%0A%7C%20where%20TimeGenerated%20between%20(ago(7d)%20..%20now())%0A%7C%20where%20EventID%20in%20(%224688%22)%0A%7C%20where%20ParentProcessName%20contains%20%40'%5Ccmd.exe'%20or%20NewProcessName%20contains%20%22powershell%22%20or%20NewProcessName%20contains%20%22pwsh%22%0A%7C%20where%20string_size(CommandLine)%20%26gt%3B%3D%2024%20%20%20%20%20%20%20%20%2F%2F%20get%20rid%20of%20CommandLine%20that%20is%20too%20short.%0A%7C%20extend%20Evil_Base64%20%3D%20extract(%40'%5Cs%2B(%5BA-Za-z0-9%2B%2F%5D%7B20%7D%5CS%2B%24)'%2C1%2CCommandLine%20)%0A%7C%20where%20Evil_Base64%20!%3D%20%22%22%0A%7C%20extend%20decoded_command%20%3D%20base64_decode_tostring(Evil_Base64)%0A%7C%20where%20decoded_command%20!%3D%20%22%22%0A%7C%20project%20TimeGenerated%2C%20SubjectAccount%2C%20Account%2C%20Computer%2C%20CommandLine%2C%20ParentProcessName%2C%20NewProcessName%2C%20Evil_Base64%2C%20decoded_command%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Contributor

All,

 

I put together a query to look for base64-encoded strings on Command Lines where powershell has been executed. So I whipped up the following query:

SecurityEvent
| where TimeGenerated between (ago(1d) .. now())
| where EventID in ("4688","4104")
| where CommandLine contains "powershell" or CommandLine contains "pwsh"
| extend args = split(CommandLine, " ")
| mv-apply l=args to typeof(string) on ( where args matches regex @'^(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$' )

 It executes, so syntactically it works, but it is extremely inefficient.

I'm looking for EventIDs 4688 and 4104 in the Security Log, where we have powreshell or pwsh executed. I then use the split() function to parse up the CommandLine column into an array with each distinct element. We then check those elements (exhaustively) using an mv-apply against some regex for finding Base64 strings. 

 

Is there a better way to do this? Although this executes, Will my logic even work?

 

Thanks!

5 Replies

@JKatzmandu Have you looked at the "Process executed from binary hidden in Base64 encoded file" rule template to see how that does it?

@Gary Bushey 

 

It's pretty weak:

| where CommandLine contains "TVqQAAMAAAAEAAA"

 

@JKatzmandu 

 

Trying to create a rule based detection of Powershell attacks is between hard and impossible. On the one hand based64 is used in valid code and on the other hand evasion is pretty easy. Why should the code be on the command line int the first place. Want the really dire picture? Daniel Bohannon presenatation on PowerShell obfuscation (video, slides) is impresive. 

 

I think that Defender for End Points (a.k.a. Defender ATP), is the right choice for detecting and protecting from such threats. 

@Ofer_Shezaf We came up with a "hedge" which is pretty good for finding base64 on the command line. It's not exhaustive, but essentially looks for longer command lines with a decent length of a base64 string, and it also has to be a valid string (one that can be decoded by the base64_decode() function.) 

 

In practice this worked and did find some "shady" items. We actually found items that were double-encoded.

 

SecurityEvent
| where TimeGenerated between (ago(7d) .. now())
| where EventID in ("4688")
| where ParentProcessName contains @'\cmd.exe' or NewProcessName contains "powershell" or NewProcessName contains "pwsh"
| where string_size(CommandLine) >= 24        // get rid of CommandLine that is too short.
| extend Evil_Base64 = extract(@'\s+([A-Za-z0-9+/]{20}\S+$)',1,CommandLine )
| where Evil_Base64 != ""
| extend decoded_command = base64_decode_tostring(Evil_Base64)
| where decoded_command != ""
| project TimeGenerated, SubjectAccount, Account, Computer, CommandLine, ParentProcessName, NewProcessName, Evil_Base64, decoded_command

 

@JKatzmandu : Great to learn. Thanks!