Query Details

Query

**Detecting Base64 Code in Commands**

This KQL query is designed to detect Base64-encoded strings inside executed command lines. Once a candidate string is found, it decodes it and shows the decoded result alongside the original command line.
```
DeviceFileEvents
| extend CommandWords = split(InitiatingProcessCommandLine, " ") // Split the command line into words
| extend Word1 = tostring(CommandWords[0]), // First word (tostring: split() yields dynamic values, strlen() needs strings)
         Word2 = tostring(CommandWords[1]), // Second word
         Word3 = tostring(CommandWords[2]), // Third word
         Word4 = tostring(CommandWords[3]), // Fourth word
         Word5 = tostring(CommandWords[4])  // Fifth word (missing words become empty strings)
| extend LongestWord = case(
    strlen(Word1) >= strlen(Word2) and strlen(Word1) >= strlen(Word3) and strlen(Word1) >= strlen(Word4) and strlen(Word1) >= strlen(Word5), Word1,
    strlen(Word2) >= strlen(Word1) and strlen(Word2) >= strlen(Word3) and strlen(Word2) >= strlen(Word4) and strlen(Word2) >= strlen(Word5), Word2,
    strlen(Word3) >= strlen(Word1) and strlen(Word3) >= strlen(Word2) and strlen(Word3) >= strlen(Word4) and strlen(Word3) >= strlen(Word5), Word3,
    strlen(Word4) >= strlen(Word1) and strlen(Word4) >= strlen(Word2) and strlen(Word4) >= strlen(Word3) and strlen(Word4) >= strlen(Word5), Word4,
    Word5 // Default case: Word5 is the longest
)
| extend DecodedString = base64_decode_tostring(LongestWord) // Empty when LongestWord is not valid Base64
| where isnotempty(DecodedString) // Keep only rows where decoding produced something
| distinct DeviceName, InitiatingProcessCommandLine, LongestWord, DecodedString
```

Explanation

This KQL query is designed to identify and decode Base64-encoded strings within command lines that have been executed on devices. Here's a simple breakdown of what the query does:

  1. Data Source: It starts from the DeviceFileEvents table, which records file-related events on devices; the command line examined is that of the process that initiated each file event (InitiatingProcessCommandLine).

  2. Splitting Command Line: It takes the command line from each event (InitiatingProcessCommandLine) and splits it into individual words.

  3. Identifying Longest Word: Among the first five words of the command line, it identifies the longest one. This is based on the assumption that a Base64-encoded string might be the longest word in a command.

  4. Decoding Base64: It attempts to decode this longest word from Base64 into a readable string with base64_decode_tostring, which yields an empty result when the word is not valid Base64.

  5. Filtering Results: It filters out any entries where the decoded string is empty, meaning it only keeps entries where a valid Base64 decoding occurred.

  6. Output: Finally, it outputs a distinct list of device names, the original command line, the longest word (potential Base64 string), and the decoded string.

In summary, this query helps detect and decode potential Base64-encoded strings within command lines executed on devices, providing insights into what those encoded strings might represent.
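As an added example (not part of the original query page), the same heuristic re-implemented in Python so it can be run offline against constructed command lines: it picks the longest of the first five words, decodes it only if it is valid Base64, and also shows the query's blind spot when the encoded word comes after the fifth position. The sample command lines and function names are assumptions; the UTF-16LE fallback goes beyond the query, which decodes UTF-8 only.

```python
import base64
import binascii
import re

# Constructed sample rows standing in for DeviceFileEvents.InitiatingProcessCommandLine
SAMPLE_COMMAND_LINES = [
    "powershell.exe -enc VwByAGkAdABlAC0ASABvAHMAdAAgAGgAaQA=",  # UTF-16LE payload
    "cmd.exe /c echo aGVsbG8gd29ybGQ= > out.txt",                # UTF-8 payload
    "notepad.exe C:\\Users\\alice\\Documents\\notes.txt",        # longest word is a path, not Base64
    "powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -enc aGVsbG8gd29ybGQ=",  # payload is word 6: missed
]

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def longest_of_first_five(command_line: str) -> str:
    """Mirror the query: first five words only, longest wins, earliest on ties (as case() does)."""
    words = command_line.split(" ")[:5]
    words += [""] * (5 - len(words))  # absent words behave like empty strings (strlen 0)
    return max(words, key=len)  # max() returns the first maximal element

def decode_base64_word(word: str) -> str:
    """Approximate base64_decode_tostring(): '' unless valid Base64 that decodes to printable text.
    Extension beyond the query: also try UTF-16LE, the encoding PowerShell uses for -EncodedCommand."""
    if not word or len(word) % 4 or not B64_RE.match(word):
        return ""
    try:
        raw = base64.b64decode(word, validate=True)
    except (binascii.Error, ValueError):
        return ""
    for encoding in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if text.isprintable():  # rejects NUL-padded UTF-16 read as UTF-8 and binary garbage
            return text
    return ""

def detect(command_lines):
    """One record per command line whose longest early word decodes, like the query's output rows."""
    hits = []
    for cmd in command_lines:
        word = longest_of_first_five(cmd)
        decoded = decode_base64_word(word)
        if decoded:
            hits.append({"CommandLine": cmd, "LongestWord": word, "DecodedString": decoded})
    return hits
```

Running detect() over the samples returns two hits; the fourth command line is missed because its Base64 word is the sixth token, which is the cost of the first-five-words assumption.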

Details


Sergio Albea

Released: January 14, 2025

Tables

DeviceFileEvents

Keywords

DeviceFileEvents, CommandLine, String

Operators

DeviceFileEvents, extend, split, case, strlen, tostring, base64_decode_tostring, where, isnotempty, distinct
