
Unable to perform string matching on decoded base64 data in MS Sentinel SIEM using KQL search. I am running a MS Sentinel KQL search published at the link below.

For example, when modifying the original query by adding the statement

| where DecodedCommand contains "some text present in DecodedCommand data"

I would expect a match but no results are returned. I've confirmed that the statement is valid by performing a string match on data in another column. The problem occurs only for the decoded base64 data.

Original query (link below):

DeviceProcessEvents
| where ProcessCommandLine contains "powershell" or InitiatingProcessCommandLine contains "powershell"
| where ProcessCommandLine contains "-enc"
    or ProcessCommandLine contains "-encodedcommand"
    or InitiatingProcessCommandLine contains "-enc"
    or InitiatingProcessCommandLine contains "-encodedcommand"
//Extract encoded command using regex
//This query will only return results when the command can be matched via regex and decoded, if you run only the above lines it will return all encoded commands without attempting to match and decode
| extend EncodedCommand = extract(@'\s+([A-Za-z0-9+/]{20}\S+$)', 1, ProcessCommandLine)
| where EncodedCommand != ""
| extend DecodedCommand = base64_decode_tostring(EncodedCommand)
| where DecodedCommand != ""
| project
    TimeGenerated,
    DeviceName,
    InitiatingProcessAccountName,
    InitiatingProcessCommandLine,
    ProcessCommandLine,
    EncodedCommand,
    DecodedCommand

Modified query:

DeviceProcessEvents
| where ProcessCommandLine contains "powershell" or InitiatingProcessCommandLine contains "powershell"
| where ProcessCommandLine contains "-enc"
    or ProcessCommandLine contains "-encodedcommand"
    or InitiatingProcessCommandLine contains "-enc"
    or InitiatingProcessCommandLine contains "-encodedcommand"
//Extract encoded command using regex
//This query will only return results when the command can be matched via regex and decoded, if you run only the above lines it will return all encoded commands without attempting to match and decode
| extend EncodedCommand = extract(@'\s+([A-Za-z0-9+/]{20}\S+$)', 1, ProcessCommandLine)
| where EncodedCommand != ""
| extend DecodedCommand = base64_decode_tostring(EncodedCommand)
| where DecodedCommand != ""
| where DecodedCommand contains "add some text here"
| project
    TimeGenerated,
    DeviceName,
    InitiatingProcessAccountName,
    InitiatingProcessCommandLine,
    ProcessCommandLine,
    EncodedCommand,
    DecodedCommand

Link: https://github.com/reprise99/Sentinel-Queries/blob/main/Defender%20for%20Endpoint/Device-DetectEncodedPowershellandDecode.kql

I have tried various string matching techniques on the DecodedCommand values such as using regex and queries to a lookup list (e.g., adding the statements "| let str_to_match=dynamic(['some string to match'])" and "| where DecodedCommand has_any(str_to_match)" to the original query).
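The following is an added example (not part of the question or of the linked Sentinel-Queries repository) that reproduces the behaviour outside KQL so the cause is visible. PowerShell's -EncodedCommand argument is base64 of the script encoded as UTF-16LE, while base64_decode_tostring() reads the decoded bytes as UTF-8. For ASCII script text that leaves a NUL character between every visible letter, so the column renders readably but a `contains` filter never finds a run of adjacent characters. The sample events, host names, and script text below are constructed; the capture regex is the one from the query above.

```python
import base64
import re

# Same capture pattern the Sentinel query uses to pull the base64 blob off the end of the command line.
ENCODED_ARG_RE = re.compile(r"\s+([A-Za-z0-9+/]{20}\S+$)")


def encode_like_powershell(script: str) -> str:
    """Build an -EncodedCommand value the way PowerShell expects it: UTF-16LE bytes, then base64."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def extract_encoded(command_line: str) -> str:
    """Equivalent of extract(@'\\s+([A-Za-z0-9+/]{20}\\S+$)', 1, ProcessCommandLine); '' when nothing matches."""
    match = ENCODED_ARG_RE.search(command_line)
    return match.group(1) if match else ""


def decode_as_utf8(encoded: str) -> str:
    """Mirrors base64_decode_tostring(): the raw bytes are interpreted as UTF-8."""
    return base64.b64decode(encoded).decode("utf-8", errors="replace")


def decode_as_utf16le(encoded: str) -> str:
    """Decode the bytes with the encoding PowerShell actually used for -EncodedCommand."""
    return base64.b64decode(encoded).decode("utf-16le", errors="replace")


def strip_nuls(text: str) -> str:
    """Query-time workaround when only the UTF-8 view is available: drop the interleaved NUL characters."""
    return text.replace("\x00", "")


def find_matches(events, needle: str, decoder):
    """Apply the query's pipeline (extract -> decode -> case-insensitive contains) and return matching event names."""
    hits = []
    for name, command_line in events:
        encoded = extract_encoded(command_line)
        if not encoded:
            continue
        decoded = decoder(encoded)
        if needle.lower() in decoded.lower():
            hits.append(name)
    return hits


# Constructed DeviceProcessEvents-style rows: (DeviceName, ProcessCommandLine).
SAMPLE_EVENTS = [
    ("host-a", "powershell.exe -NoProfile -EncodedCommand "
               + encode_like_powershell("Get-Process | Where-Object CPU -gt 100")),
    ("host-b", "powershell.exe -enc " + encode_like_powershell("Get-Date")),
    ("host-c", "cmd.exe /c echo hello"),  # no encoded argument at all
]

if __name__ == "__main__":
    blob = extract_encoded(SAMPLE_EVENTS[0][1])
    print("UTF-8 view   :", repr(decode_as_utf8(blob)))      # G\x00e\x00t\x00-\x00P\x00r\x00o\x00...
    print("UTF-16LE view:", repr(decode_as_utf16le(blob)))   # Get-Process | Where-Object CPU -gt 100
    print("naive contains :", find_matches(SAMPLE_EVENTS, "get-process", decode_as_utf8))
    print("utf-16 contains:", find_matches(SAMPLE_EVENTS, "get-process", decode_as_utf16le))
    print("nul-stripped   :", find_matches(SAMPLE_EVENTS, "get-process",
                                           lambda e: strip_nuls(decode_as_utf8(e))))
```

Running it prints the UTF-8 view with a \x00 after every character and an empty match list for the naive decoder, while both the UTF-16LE decoder and the NUL-stripping workaround return host-a. The same constraint applies at query time in KQL: the filter has to run on a string with those NUL code points removed, or on bytes decoded as UTF-16LE, before `contains` can match what the column visibly shows.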

    Does this answer your question? [KQL string function not parsing all characters](https://stackoverflow.com/questions/74028788/kql-string-function-not-parsing-all-characters) – David דודו Markovitz Dec 15 '22 at 16:14
  • @DavidדודוMarkovitz Thanks for the response. Yes, I have the same issue but I don't have enough reputation points to reply to that thread unfortunately (just joined here). I have the same confusion as the post author. The query returns cleartext data in the DecodedCommand column so my expectation is that I should be able to perform a "contains" string match on the data displayed on the screen. I have very little control how the data is ingested so hoping to find a solution that can be applied at query time. – n0psl1de Dec 16 '22 at 15:20
  • Have you checked my answer in this referenced post? – David דודו Markovitz Dec 16 '22 at 15:24
