  1. IP address of Windows host encoded in web request

            This detection will identify network requests in HTTP proxy data that contain Base64 encoded IP addresses.

Reference URL : IP address of Windows host encoded in web request | Microsoft Sentinel Analytic Rules

  2. Windows host username encoded in base64 web request

            This detection will identify network requests in HTTP proxy data that contain Base64 encoded usernames from machines in the DeviceEvents table.

Reference URL : Windows host username encoded in base64 web request | Microsoft Sentinel Analytic Rules

Could you please help with the above for YARA-L rule logic.

I’ll try to help you get started by sharing this blog that shows how we can use the re2 functions re.regex and re.capture, as well as base64 decoding with strings.base64_decode.

The join portion could be handled either by reference lists or data tables, using the word IN to perform a single column comparison.


Is there anything specific for URL-related encoding? Please provide the logic if possible.

Sorry, I don’t understand your question. You would want to capture the URL and then decode it. The example in the blog is a command line, but the concepts are similar.


Thanks for clarifying :) What I was actually looking for is whether you could share any rule logic or a snippet that could help detect Base64-encoded content in a URL. Even a simple example would be really helpful as a starting point.


There is going to be some trial and error and testing involved, but here is an example. I might suggest having a reference list or data table of legitimate domains that you could filter out, so if you are comfortable with certain domains, you could exclude those right off the top.

Otherwise, we are using the same regex in these iterations and assuming that the base64 string will be at the end of the URL. If we can’t make that assumption, the $ at the end can be removed, but some more tuning will need to be done.

I put a few items in here that I tuned out after that capture; if you wanted, you could also use something like the strings.length function having to be greater than some number.

Finally, my output on some of the strings that were recognized as meeting the criteria of base64 did not decode. When I ran them through CyberChef, they didn’t decode cleanly either, and Magic seemed to indicate a combo of things, so this isn’t a perfect solution but might get you going in the right direction.

// Scope to HTTP proxy events that carry a URL
metadata.event_type = "NETWORK_HTTP"
target.url != ""
// Trailing run of base64 quads plus a padded final group; the $ assumes the base64 string ends the URL
re.regex(target.url, `(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)$`)
// Keep the captured string and its decoded form as placeholders
re.capture(target.url, `(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)$`) = $url
strings.base64_decode(re.capture(target.url, `(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)$`)) = $decode
// Tune out query-string keys that merely end in "=" (extend as you find more)
$url != "4filter="
$url != "tatoken="
$url != "fpb="
// Optional: drop very short captures
//strings.length($url) > 4
match:
target.url, $url, $decode
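The same capture-then-decode logic, worked through offline so the decode failures and tuning steps discussed above can be inspected. This is an added example, not code from the thread or from Google SecOps: it reuses the RE2-compatible regex from the query, applies the same literal exclusions, adds a constructed trusted-domain allowlist (standing in for the reference list suggested above) and the commented-out length check, and then classifies what was encoded against the two Sentinel use cases (an IPv4 address or a username). The log lines, domains, and helper names are constructed for the example.

```python
"""Replicates the thread's UDM-search logic offline: capture a trailing
base64 run from a proxy URL, decode it, and classify what was encoded."""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# The same RE2-compatible pattern used in the query above: zero or more
# base64 quads followed by a padded final group, anchored to the URL's end.
B64_TAIL = re.compile(r"(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)$")

# Captures the query tunes out (query-string keys that merely end in "=")
# and a constructed allowlist standing in for a reference list of trusted domains.
EXCLUDED_CAPTURES = {"4filter=", "tatoken=", "fpb="}
TRUSTED_DOMAINS = {"updates.example-corp.test"}  # constructed placeholder

# Classifiers for the two Sentinel use cases: an IPv4 address or a username
# (optionally DOMAIN\user) in the decoded text.
IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
USERNAME = re.compile(r"^[A-Za-z][A-Za-z0-9._\\-]{2,30}$")


@dataclass
class Hit:
    url: str
    captured: str            # the base64 run taken from the URL ($url)
    decoded: Optional[str]   # its decoded text ($decode), None if not text
    kind: str                # "ip", "username", "text" or "undecodable"


def analyze_url(url: str, min_len: int = 4) -> Optional[Hit]:
    """Return a Hit when the URL ends in a base64 run worth reviewing, else None."""
    host = urlsplit(url).hostname or ""
    if host in TRUSTED_DOMAINS:          # filter comfortable domains first
        return None
    m = B64_TAIL.search(url)
    if not m:
        return None
    captured = m.group(0)
    # Mirrors the != exclusions and the commented-out strings.length check.
    if captured in EXCLUDED_CAPTURES or len(captured) <= min_len:
        return None
    try:
        raw = base64.b64decode(captured, validate=True)
        decoded = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        # Syntactically base64 but not text: the "didn't decode cleanly" case.
        return Hit(url, captured, None, "undecodable")
    if IPV4.match(decoded):
        kind = "ip"
    elif USERNAME.match(decoded):
        kind = "username"
    elif decoded.isprintable():
        kind = "text"
    else:
        return Hit(url, captured, None, "undecodable")
    return Hit(url, captured, decoded, kind)


# Constructed proxy log lines: "<timestamp> <client_ip> <url>".
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 http://proxy.example.test/beacon?id=MTkyLjE2OC4xLjI1MA==
2024-01-01T10:00:01Z 10.0.0.5 https://portal.example.test/login?u=amRvZQ==
2024-01-01T10:00:02Z 10.0.0.7 https://cdn.example.test/assets?fpb=
2024-01-01T10:00:03Z 10.0.0.7 https://updates.example-corp.test/check?token=amRvZQ==
2024-01-01T10:00:04Z 10.0.0.9 https://a.test/x?s=x9Qz1k==
2024-01-01T10:00:05Z 10.0.0.9 https://a.test/plain/path
"""


def scan_proxy_log(text: str) -> list:
    """Run analyze_url over each log line; keep only lines that produce a Hit."""
    hits = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue
        hit = analyze_url(parts[2])
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG):
        print(f"{h.kind:12} {h.captured!r:24} -> {h.decoded!r}  {h.url}")
```

On the constructed sample the allowlisted domain and the `fpb=` key drop out before decoding, the first two lines decode to an IPv4 address and a username, and the `x9Qz1k==` line shows the case the thread describes: it satisfies the base64 grammar but does not decode to text, so it is surfaced as `undecodable` rather than silently discarded. Because the regex is only anchored at the end, a run of ordinary alphanumerics before a stray `=` can also be captured; the length check and the exclusion list are where that tuning happens.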

 


Thanks for the suggestion, that would be really helpful.

