Detecting Base64 Code In Commands
Query
DeviceFileEvents
| extend CommandWords = split(InitiatingProcessCommandLine, " ") // Split the command into words
| extend Word1 = CommandWords[0], // First word
Word2 = CommandWords[1], // Second word
Word3 = CommandWords[2], // Third word
Word4 = CommandWords[3], // Fourth word
Word5 = CommandWords[4]
| extend LongestWord = case(
strlen(Word1) >= strlen(Word2) and strlen(Word1) >= strlen(Word3) and strlen(Word1) >= strlen(Word4) and strlen(Word1) >= strlen(Word5), Word1,
strlen(Word2) >= strlen(Word1) and strlen(Word2) >= strlen(Word3) and strlen(Word2) >= strlen(Word4) and strlen(Word2) >= strlen(Word5), Word2,
strlen(Word3) >= strlen(Word1) and strlen(Word3) >= strlen(Word2) and strlen(Word3) >= strlen(Word4) and strlen(Word3) >= strlen(Word5), Word3,
strlen(Word4) >= strlen(Word1) and strlen(Word4) >= strlen(Word2) and strlen(Word4) >= strlen(Word3) and strlen(Word4) >= strlen(Word5), Word4,
Word5 // Default case if Column5 is the longest
)
| extend tostring(LongestWord)
| extend DecodedBytes = base64_decode_tostring(LongestWord)
| extend DecodedString = tostring(DecodedBytes)
| where isnotempty(DecodedString)
| distinct DeviceName,InitiatingProcessCommandLine,LongestWord,DecodedStringAbout this query
Detecting Base64 Code in Commands
This KQL Query is oriented to detect strings added into executed command lines which are base64coded. After it, it decoded the corresponding string and show the results decoded.
Explanation
This KQL query is designed to identify and decode Base64-encoded strings within command lines executed on devices. Here's a simplified breakdown of what the query does:
-
Extract Command Words: It takes the command line that initiated a process and splits it into individual words.
-
Identify Longest Word: Among the first five words of the command line, it determines which one is the longest.
-
Decode Base64: It attempts to decode this longest word from Base64 encoding into a readable string.
-
Filter Non-Empty Decoded Strings: It filters out any results where the decoded string is empty, meaning it only keeps entries where a successful Base64 decoding occurred.
-
Display Results: Finally, it presents a distinct list of the device name, the original command line, the longest word (presumably Base64-encoded), and the decoded string.
In essence, this query helps in detecting potential obfuscation in command lines by looking for Base64-encoded content and revealing what it translates to.
Details

Sergio Albea
Released: January 15, 2025
Tables
Keywords
Operators