Detection rules › Kusto Query Language

Windows host username encoded in base64 web request

Author: Thomas McElroy
Source: upstream

'This detection will identify network requests in HTTP proxy data that contains Base64 encoded usernames from machines in the DeviceEvents table. This technique was seen usee by POLONIUM in their RunningRAT tool.'

MITRE ATT&CK coverage

Tactic	Techniques
Command & Control	`T1071.001` Application Layer Protocol: Web Protocols
Exfiltration	`T1041` Exfiltration Over C2 Channel

Event coverage

Provider	Event ID	Title
Defender-DeviceEvents	9007000	Defender event (any)

Stages and Predicates

Stage 1: `source`

DeviceEvents

Stage 2: `where`

 macro "(TimeGenerated > ago(accountLookback))"

Stage 3: `summarize`

Stage 4: `where`

InitiatingProcessAccountName is_not_null

Windows host username encoded in base64 web request

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: `source`

Stage 2: `where`

Stage 3: `summarize`

Stage 4: `where`

Stage 5: `extend`

Stage 6: `join`

Stage 7: `project`

Keyboard Shortcuts

Windows host username encoded in base64 web request

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: source

Stage 2: where

Stage 3: summarize

Stage 4: where

Stage 5: extend

Stage 6: join

Stage 7: project

Stage 1: `source`

Stage 2: `where`

Stage 3: `summarize`

Stage 4: `where`

Stage 5: `extend`

Stage 6: `join`

Stage 7: `project`