custom rules fails to decode base64 encoded string
mezzofix opened this issue
Hi,
The detection https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/blob/main/Threat%20Hunting%20Cases/Suspicious%20Encoded%20Powershell.md is working; however, when tested with Red the base64_decode_tostring function fails to decode the base64 encoded string every time:
Here's the base64 string:
VwByAGkAdABlAC0ASABvAHMAdAAgACIASABlAHkALAAgAEEAdABvAG0AaQBjACEAIgA=
As you can see, decoding with base64 -d works just fine.
Thanks !
Hi,
If you take a look at the decoded command line, it is successfully decoded. However, between each char a null value has been identified. The query below shows this in Unicode.
let x = "VwByAGkAdABlAC0ASABvAHMAdAAgACIASABlAHkALAAgAEEAdABvAG0AaQBjACEAIgA=";
let y = base64_decode_tostring(x);
let z = unicode_codepoints_from_string(y);
print z
The fix you can use is:
let x = "VwByAGkAdABlAC0ASABvAHMAdAAgACIASABlAHkALAAgAEEAdABvAG0AaQBjACEAIgA=";
let y = base64_decode_tostring(x);
let z = replace_string(y, '\0', '');
print z
Furthermore, the string that you encode has null values, therefore base64_decode_tostring() works as expected.
Without null values the encoded string would look like "V3JpdGUtSG9zdCAiSGV5LCBBdG9taWMhIg==" instead of "VwByAGkAdABlAC0ASABvAHMAdAAgACIASABlAHkALAAgAEEAdABvAG0AaQBjACEAIgA=".
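The two encodings contrasted in the reply above can be reproduced outside Kusto. The Python below is an added example, not code from the issue or from the Hunting-Queries-Detection-Rules repository: it shows that the posted string is the base64 of the command's UTF-16LE bytes (the form `powershell -EncodedCommand` consumes), mirrors the `replace_string(y, '\0', '')` workaround, and adds a decoder that sniffs for UTF-16LE before falling back to UTF-8 so analysts get clean text without stripping bytes. The `looks_like_utf16le` threshold and the helper names are my own choices, not anything the thread defines; the second sample string is constructed from the reply.

```python
import base64
from typing import Tuple

# Constructed sample inputs. The first is the string posted in the issue; the
# second is the UTF-8 variant the maintainer quoted for comparison.
ENCODED_UTF16LE = "VwByAGkAdABlAC0ASABvAHMAdAAgACIASABlAHkALAAgAEEAdABvAG0AaQBjACEAIgA="
ENCODED_UTF8 = "V3JpdGUtSG9zdCAiSGV5LCBBdG9taWMhIg=="


def encode_for_powershell(command: str) -> str:
    """Build what `powershell -EncodedCommand` expects: base64 over UTF-16LE bytes."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_like_kql(b64: str) -> str:
    """Mirror base64_decode_tostring() followed by the replace_string('\\0', '') fix:
    treat the bytes as UTF-8 text, then drop the NUL bytes that UTF-16LE leaves
    between ASCII characters. Adequate for ASCII-only commands; any non-ASCII
    UTF-16 code unit would survive as mojibake rather than as the right character."""
    raw = base64.b64decode(b64)
    return raw.decode("utf-8", errors="replace").replace("\x00", "")


def looks_like_utf16le(raw: bytes) -> bool:
    """Heuristic (assumption, not a standard): ASCII-heavy UTF-16LE text has a NUL
    in nearly every odd byte position. Require an even length and >= 80% NULs there."""
    if len(raw) < 2 or len(raw) % 2:
        return False
    high_bytes = raw[1::2]
    return high_bytes.count(0) >= len(high_bytes) * 0.8


def decode_encoded_command(b64: str) -> Tuple[str, str]:
    """Decode an encoded-command payload the way an analyst should: detect UTF-16LE
    first and decode it as such, otherwise fall back to UTF-8.
    Returns (encoding_used, decoded_text)."""
    raw = base64.b64decode(b64, validate=True)
    if looks_like_utf16le(raw):
        return "utf-16-le", raw.decode("utf-16-le")
    return "utf-8", raw.decode("utf-8", errors="replace")


if __name__ == "__main__":
    cmd = 'Write-Host "Hey, Atomic!"'
    print("UTF-16LE base64 matches issue:", encode_for_powershell(cmd) == ENCODED_UTF16LE)
    print("KQL-style decode + NUL strip  :", decode_like_kql(ENCODED_UTF16LE))
    for sample in (ENCODED_UTF16LE, ENCODED_UTF8):
        enc, text = decode_encoded_command(sample)
        print(f"{enc:>9}: {text}")
```

The heuristic matters because decoding UTF-8 bytes as UTF-16LE silently yields plausible-looking but wrong characters whenever the length happens to be even, so the decoder checks the byte pattern rather than trusting a decode that merely succeeds.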
Thanks for looking into this. But what's unusual in an encoded PowerShell command if there are spaces? Isn't it then a problem with the KQL function?