Query
DeviceFileEvents
| extend CommandWords = split(InitiatingProcessCommandLine, " ") // Split the command into words
| extend Word1 = CommandWords[0], // First word
Word2 = CommandWords[1], // Second word
Word3 = CommandWords[2], // Third word
Word4 = CommandWords[3], // Fourth word
Word5 = CommandWords[4]
| extend LongestWord = case(
strlen(Word1) >= strlen(Word2) and strlen(Word1) >= strlen(Word3) and strlen(Word1) >= strlen(Word4) and strlen(Word1) >= strlen(Word5), Word1,
strlen(Word2) >= strlen(Word1) and strlen(Word2) >= strlen(Word3) and strlen(Word2) >= strlen(Word4) and strlen(Word2) >= strlen(Word5), Word2,
strlen(Word3) >= strlen(Word1) and strlen(Word3) >= strlen(Word2) and strlen(Word3) >= strlen(Word4) and strlen(Word3) >= strlen(Word5), Word3,
strlen(Word4) >= strlen(Word1) and strlen(Word4) >= strlen(Word2) and strlen(Word4) >= strlen(Word3) and strlen(Word4) >= strlen(Word5), Word4,
Word5 // Default case if Column5 is the longest
)
| extend tostring(LongestWord)
| extend DecodedBytes = base64_decode_tostring(LongestWord)
| extend DecodedString = tostring(DecodedBytes)
| where isnotempty(DecodedString)
| distinct DeviceName,InitiatingProcessCommandLine,LongestWord,DecodedStringAbout this query
𝗗𝗲𝘁𝗲𝗰𝘁𝗶𝗻𝗴 𝗕𝗮𝘀𝗲𝟲𝟰 𝗖𝗼𝗱𝗲 𝗶𝗻 𝗖𝗼𝗺𝗺𝗮𝗻𝗱𝘀
This KQL Query is oriented to detect strings added into executed command lines which are base64coded. After it, it decoded the corresponding string and show the results decoded.
Explanation
This KQL query is designed to identify and decode Base64-encoded strings within command lines that have been executed on devices. Here's a simple breakdown of what the query does:
-
Data Source: It starts by looking at the
DeviceFileEventstable, which contains information about file-related events on devices. -
Splitting Command Line: It takes the command line from each event (
InitiatingProcessCommandLine) and splits it into individual words. -
Identifying Longest Word: Among the first five words of the command line, it identifies the longest one. This is based on the assumption that a Base64-encoded string might be the longest word in a command.
-
Decoding Base64: It attempts to decode this longest word from Base64 into a readable string.
-
Filtering Results: It filters out any entries where the decoded string is empty, meaning it only keeps entries where a valid Base64 decoding occurred.
-
Output: Finally, it outputs a distinct list of device names, the original command line, the longest word (potential Base64 string), and the decoded string.
In summary, this query helps detect and decode potential Base64-encoded strings within command lines executed on devices, providing insights into what those encoded strings might represent.
Details

Sergio Albea
Released: January 14, 2025
Tables
Keywords
Operators