Question

Rules using the strings.base64_decode and the regex involved.

  • December 19, 2025
  • 2 replies
  • 72 views

mccrilb

I spent a good amount of time, well, AI and I spent a good amount of time, working out a regex that would actually work in our environment. What I ended up with seems to work very well. I wanted to share this, and maybe someone has a better way, or there is some obvious gap that I am not taking into account?

 

(((($event.metadata.event_type = "PROCESS_LAUNCH"
    // cheap pre-filter: only PowerShell launches
    and $event.target.process.command_line = /.*powershell.*/ nocase
    // the command line carries an -EncodedCommand style switch followed by a base64 token
    and $event.target.process.command_line = /(?:^|\s)-(?:encodedcommand|enco(?:ded)?|enc|ec)\b\s*:?\s*(?:"([^"]+)"|'([^']+)'|([A-Za-z0-9+\/=]+))(?:\s|$)/ nocase
    // capture the base64 token (bare, "quoted" or 'quoted')
    and $encodedPS = re.capture($event.target.process.command_line, `(?i)(?:-encodedcommand|-enco(?:ded)?|-enc|-ec|-en)\s*:?\s*(?:["'])?([A-Za-z0-9+/]+={0,2})(?:["'])?(?:\s|$)`)
    // decode it and strip the NUL bytes that UTF-16LE leaves between ASCII characters
    and $decoded_value = re.replace(
        strings.base64_decode(
            re.capture(
                $event.target.process.command_line,
                `(?i)(?:-encodedcommand|-enco(?:ded)?|-enc|-ec|-en)\s*:?\s*(?:["'])?([A-Za-z0-9+/]+={0,2})(?:["'])?(?:\s|$)`
            )
        ),
        `\x00`, ``   // remove UTF-16LE NUL bytes
    )
    )
    )
    and $event.principal.hostname = $hostname
    and $event.principal.user.userid = $user
    )
    // compare the decoded script, whole string and case-insensitive, against the reference list
    and $decoded_value in %yourcommandlist.commands nocase
)
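Since real logs cannot be shared, here is an added Python harness (not the poster's rule, and not Google SecOps code) that ports the capture regex from the rule above, mimics strings.base64_decode plus the NUL-stripping re.replace, and runs the `in %list nocase` comparison over constructed command lines. It also peels the nested "encoded command wrapping another encoded command" case the reply below reports as the one failure, which the single-pass rule cannot see through; the list name and sample command lines are constructed for the demo.

```python
import base64
import binascii
import re
from typing import Optional

# Python port of the capture regex used in the rule's re.capture() (RE2 and Python's re
# agree on this syntax). Group 1 is the base64 token, bare, "quoted" or 'quoted'.
ENC_FLAG_RE = re.compile(
    r"(?i)(?:-encodedcommand|-enco(?:ded)?|-enc|-ec|-en)\s*:?\s*"
    r"(?:[\"'])?([A-Za-z0-9+/]+={0,2})(?:[\"'])?(?:\s|$)"
)

def encode_utf16le_b64(script: str) -> str:
    """Build a payload the way -EncodedCommand expects it: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

def extract_encoded(cmdline: str) -> Optional[str]:
    """What the rule's re.capture() would yield, after the /.*powershell.*/ nocase guard."""
    if not re.search(r"powershell", cmdline, re.I):
        return None
    m = ENC_FLAG_RE.search(cmdline)
    return m.group(1) if m else None

def decode_like_rule(token: str) -> Optional[str]:
    """strings.base64_decode() followed by re.replace(`\\x00`, ``). Returns None when the
    token is not valid base64, which is exactly where the rule silently stops matching."""
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error:
        return None
    # Dropping NULs recovers ASCII scripts only; non-ASCII UTF-16LE code units would be mangled.
    return raw.replace(b"\x00", b"").decode("latin-1")

def decoded_command(cmdline: str, max_layers: int = 1) -> Optional[str]:
    """max_layers=1 behaves like the rule; a higher value peels nested
    'powershell -enc <b64 of "powershell -enc ...">' wrappers layer by layer."""
    current = cmdline
    for _ in range(max_layers):
        token = extract_encoded(current)
        if token is None:
            break
        decoded = decode_like_rule(token)
        if decoded is None:
            return None
        current = decoded
    return None if current == cmdline else current

def in_command_list(cmdline: str, commands, max_layers: int = 1) -> bool:
    """The final `$decoded_value in %list nocase` test: whole string, case-insensitive."""
    decoded = decoded_command(cmdline, max_layers)
    return decoded is not None and decoded.lower() in {c.lower() for c in commands}
```

Feed it the command lines that misfire in your environment and compare `decoded_command(line)` with `decoded_command(line, max_layers=3)` to see whether the nested-encoding admin tools are the only gap.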

2 replies

Eoved
  • Bronze 2
  • December 25, 2025

Hi, I think that if you can provide some log samples, we can check if there is a better way.
mccrilb
  • Author
  • Silver 2
  • December 26, 2025

I don’t think that I can share the actual logs that I am seeing. So far I have not found anything outside of legit activity. The rule does look to be working correctly; the only failures that I have had are from multiple layers of encryption, which some of our admin tools are doing.