Query Details

Detecting Base64 Code In Commands

Query

**Detecting Base64 Code in Commands**

This KQL query looks for Base64-encoded strings inside the command lines of processes that initiated file events, decodes the candidate string and shows the decoded result next to the original command line.
```
DeviceFileEvents
| extend CommandWords = split(InitiatingProcessCommandLine, " ") // Split the command line on spaces into a dynamic array
| extend Word1 = tostring(CommandWords[0]), // First word (cast to string so strlen() accepts it)
         Word2 = tostring(CommandWords[1]), // Second word
         Word3 = tostring(CommandWords[2]), // Third word
         Word4 = tostring(CommandWords[3]), // Fourth word
         Word5 = tostring(CommandWords[4])  // Fifth word (empty string when the command line is shorter)
| extend LongestWord = case(
    strlen(Word1) >= strlen(Word2) and strlen(Word1) >= strlen(Word3) and strlen(Word1) >= strlen(Word4) and strlen(Word1) >= strlen(Word5), Word1,
    strlen(Word2) >= strlen(Word1) and strlen(Word2) >= strlen(Word3) and strlen(Word2) >= strlen(Word4) and strlen(Word2) >= strlen(Word5), Word2,
    strlen(Word3) >= strlen(Word1) and strlen(Word3) >= strlen(Word2) and strlen(Word3) >= strlen(Word4) and strlen(Word3) >= strlen(Word5), Word3,
    strlen(Word4) >= strlen(Word1) and strlen(Word4) >= strlen(Word2) and strlen(Word4) >= strlen(Word3) and strlen(Word4) >= strlen(Word5), Word4,
    Word5 // Default case: Word5 is the longest
)
| extend DecodedString = base64_decode_tostring(LongestWord) // Empty string when LongestWord is not valid Base64
| where isnotempty(DecodedString)
| distinct DeviceName, InitiatingProcessCommandLine, LongestWord, DecodedString
```

Explanation

This KQL query is designed to identify and decode Base64-encoded strings within command lines executed on devices. Here's a simplified breakdown of what the query does:

  1. Extract Command Words: It takes the command line of the process that initiated the file event (InitiatingProcessCommandLine) and splits it on spaces; the first five elements of the resulting array are taken as individual words.

  2. Identify Longest Word: Among those first five words it picks the longest one. The assumption is that a Base64 payload (for example the argument to PowerShell's -EncodedCommand) is longer than the executable name and the switches around it.

  3. Decode Base64: It passes that word to base64_decode_tostring(), which returns the decoded text, or an empty string when the word is not valid Base64.

  4. Filter Non-Empty Decoded Strings: It drops rows where the decoded string is empty. A non-empty result only means the word was syntactically valid Base64, not that it was meant as Base64: any token whose characters all fall in the Base64 alphabet (long hex strings, hashes, session tokens) can decode to non-empty binary noise, so expect some false positives.

  5. Display Results: Finally, it presents a distinct list of the device name, the original command line, the longest word (presumed to be Base64-encoded) and the decoded string.

In essence, this query helps in detecting obfuscation in command lines by looking for Base64-encoded content and revealing what it translates to. Two caveats when reading the output: PowerShell's -EncodedCommand expects the Base64 of UTF-16LE text, so base64_decode_tostring(), which decodes as UTF-8, returns that payload with a NUL character between each ASCII character; and only the first five words are inspected, so a payload that appears later in the command line is missed. DeviceFileEvents is used here because the author is interested in file activity; the same logic applies to ProcessCommandLine in DeviceProcessEvents when hunting process launches directly.
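The following is an added example, not part of the original query or the author's page. It runs the same detection idea over a few constructed command lines supplied through datatable, so it can be tried on any Kusto endpoint without real telemetry, and it goes beyond the query above in two ways: it pulls every Base64-looking token out of the command line with a regex instead of only the longest of the first five words, and it strips the NUL characters that a UTF-16LE PowerShell -EncodedCommand payload leaves behind when decoded as UTF-8. The sample rows, the floor of 16 Base64 characters, the NUL-stripping regex and the printable-ASCII filter are all assumptions made for this example; the NUL stripping is only correct for payloads whose text is in the ASCII range.

```kql
// Added example: constructed sample rows standing in for DeviceFileEvents (not real telemetry).
let SampleCommandLines = datatable(DeviceName:string, InitiatingProcessCommandLine:string) [
    // PowerShell -EncodedCommand: Base64 of the UTF-16LE bytes of  Write-Host 'hi'
    "ws01", @"powershell.exe -NoP -W Hidden -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAAgACcAaABpACcA",
    // Base64 of UTF-8 "hello world!" sitting past the fifth word, where the longest-of-five heuristic never looks
    "ws02", @"cmd.exe /c cd /d C:\Temp && echo aGVsbG8gd29ybGQh > p.b64 && certutil -decode p.b64 p.txt",
    // Benign: no token long enough to be a Base64 candidate
    "ws03", @"notepad.exe C:\Users\alice\Documents\notes.txt",
    // Benign but Base64-alphabet-only: a 32-character hex product code is syntactically valid Base64
    "ws04", @"msiexec.exe /i 7b6d9c2e4f8a1b3c5d7e9f0a1b2c3d4e.msi /qn"
];
SampleCommandLines
// Pull every run of 16 or more Base64-alphabet characters, with optional padding, from anywhere in the line.
// 16 is an assumed floor: shorter runs (switch names, ordinary words) produce far more noise than hits.
| extend Candidates = extract_all(@"([A-Za-z0-9+/]{16,}={0,2})", InitiatingProcessCommandLine)
| mv-expand Candidate = Candidates to typeof(string)
| extend Raw = base64_decode_tostring(Candidate)   // empty string when Candidate is not valid Base64
| where isnotempty(Raw)
// UTF-16LE text (PowerShell -EncodedCommand) decodes as "W\0r\0i\0..." under UTF-8. Stripping the NULs
// recovers it; assumption: the payload is ASCII-range text, so no other characters are affected.
| extend Decoded = replace_regex(Raw, @"\x00", "")
| extend Encoding = iff(strlen(Raw) == 2 * strlen(Decoded), "UTF-16LE", "UTF-8")
// Keep only printable text. Tokens such as the hex product code above decode to non-text bytes and are dropped.
| where Decoded matches regex @"^[\x20-\x7E\t\r\n]+$"
| project DeviceName, Candidate, Encoding, Decoded, InitiatingProcessCommandLine
```

The regex extraction is what lets the ws02 row be caught at all: its payload is the eighth word, beyond the reach of the first-five-words heuristic. The Encoding column is a cheap way to tell an -EncodedCommand payload (every second character is NUL, so the raw length is exactly twice the stripped length) from a plain UTF-8 one. To run this against real data, replace SampleCommandLines with DeviceFileEvents or DeviceProcessEvents and keep the rest of the pipeline; the printable-text filter is the first thing to loosen if you expect non-ASCII payloads.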

Details


Sergio Albea

Released: January 15, 2025

Tables

DeviceFileEvents

Keywords

DeviceFileEvents, CommandLine, String, Bytes, Name

Operators

DeviceFileEvents, extend, split, case, strlen, tostring, base64_decode_tostring, where, isnotempty, distinct
