51 строка
1.7 KiB
YAML
51 строка
1.7 KiB
YAML
id: d6190dde-8fd2-456a-ac5b-0a32400b0464
|
|
name: Process executed from binary hidden in Base64 encoded file
|
|
description: |
|
|
'Encoding malicious software is a technique used to obfuscate files from detection.
|
|
The first CommandLine component is looking for Python decoding base64.
|
|
The second CommandLine component is looking for Bash/sh command line base64 decoding.
|
|
The third one is looking for Ruby decoding base64.'
|
|
severity: Medium
|
|
requiredDataConnectors:
|
|
- connectorId: SecurityEvents
|
|
dataTypes:
|
|
- SecurityEvent
|
|
queryFrequency: 1d
|
|
queryPeriod: 1d
|
|
triggerOperator: gt
|
|
triggerThreshold: 0
|
|
tactics:
|
|
- Execution
|
|
- DefenseEvasion
|
|
relevantTechniques:
|
|
- T1059
|
|
- T1027
|
|
- T1140
|
|
query: |
|
|
|
|
let timeframe = 1d;
|
|
let ProcessCreationEvents=() {
|
|
let processEvents=SecurityEvent
|
|
| where EventID==4688
|
|
| where isnotempty(CommandLine)
|
|
| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;
|
|
processEvents;
|
|
};
|
|
ProcessCreationEvents
|
|
| where TimeGenerated > ago(timeframe)
|
|
| where CommandLine contains ".decode('base64')"
|
|
or CommandLine contains "base64 --decode"
|
|
or CommandLine contains ".decode64("
|
|
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName
|
|
| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer
|
|
|
|
entityMappings:
|
|
- entityType: Account
|
|
fieldMappings:
|
|
- identifier: FullName
|
|
columnName: AccountCustomEntity
|
|
- entityType: Host
|
|
fieldMappings:
|
|
- identifier: FullName
|
|
columnName: HostCustomEntity
|