Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Possible bug in MDE/kusto

Copper Contributor

I have encountered an issue with MDE and or Kusto. I have the following KQL query.

let EncodedList = dynamic(["-e","-en","-enc","-enco","-encod","-encode","-encoded","-encodedc","-encodedco","-encodedcom","-encodedcomm","-encodedcomma","-encodedcomman","-encodedcommand"]);
let TimeFrame = 1d; //Customizable h = hours, d = days
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where ProcessCommandLine contains "powershell" or InitiatingProcessCommandLine contains "powershell"
| where ProcessCommandLine has_any (EncodedList) or InitiatingProcessCommandLine has_any (EncodedList)
| extend base64String = extract(@'\s+([A-Za-z0-9+/]{20}\S+$)', 1, ProcessCommandLine)
| extend DecodedCommandLine = base64_decode_tostring(base64String)
| extend DecodedCommandLineReplaceEmptyPlaces = replace_string(DecodedCommandLine, '\u0000', '')
| where isnotempty(base64String) and isnotempty(DecodedCommandLineReplaceEmptyPlaces)
| summarize UniqueExecutionsList = make_set(DecodedCommandLineReplaceEmptyPlaces) by DeviceName
| extend TotalUniqueEncodedCommandsExecuted = array_length(UniqueExecutionsList)
| project DeviceName, TotalUniqueEncodedCommandsExecuted, UniqueExecutionsList
| sort by TotalUniqueEncodedCommandsExecuted

 It is a slightly modified one taken from here https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/blob/031a38f878c6c83f865e49051da93c30fe... and it is supposed to look for Base64 encoded Powershell commandlines.

The issue I have encountered is that when en extremely long Base64 encoded Powershell script hits this query, the query returns only a small portion of the end of the results. Upon debugging the regex and trying out different variations I noticed that in the Powershell commandline the Base64 portion is actually divided into 64 character segments with a space in between them. I assume this is due to the commandline looking nicer if you hover over it in the web console. However, after I modified my regex to include these spaces the results still were the same. Only the last of those 64 character segments matched.

 

The query does work sometimes as apparently there is some limit after which that 64 character division happens. This leads me to believe that there might some sort of bug in MDE itself that prevents the query from matching the correct group.

 

If anyone else has encountered this sort of behavior or sees any errors in my logic all input is welcome! Otherwise I would file this as a bug but unfortunately I was not able to locate where MDE related bugs could be submitted.

0 Replies