Adversaries may pass base64-encoded PE files in command line parameters to evade detection and execute malicious payloads without dropping a file to disk. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential fileless attacks that rely on PowerShell and base64 encoding.
KQL Query

```kusto
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine contains "TVqQAAMAAAAEAAA"
| top 1000 by Timestamp
```
Hunting query definition (Sentinel YAML):

```yaml
id: 1174ae5b-8ce9-4321-a4e2-99e5f016beed
name: Base64encodePEFile
description: |
  Finds a base64-encoded PE file header in command line parameters.
  Tags: #fileLess #powershell.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
query: |
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where ProcessCommandLine contains "TVqQAAMAAAAEAAA"
  | top 1000 by Timestamp
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
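As an added illustration (not part of the original query or its Sentinel package), the following Python shows why the literal works and where it is brittle: `TVqQAAMAAAAEAAA` is the base64 of a typical MZ header only when the header starts on a 3-byte boundary of the encoded data, so the same PE preceded by one or two extra bytes encodes to entirely different text. The decode-based check finds the PE at any alignment by following e_lfanew to the `PE\0\0` signature. The command lines and the PE stand-in are constructed for the example.

```python
import base64
import binascii
import re

# First 12 bytes of a typical MZ/DOS header. Base64 of these at offset 0 is
# "TVqQAAMAAAAEAAAA", which is why the query searches for "TVqQAAMAAAAEAAA".
MZ_HEADER = bytes.fromhex("4d5a90000300000004000000")
QUERY_LITERAL = "TVqQAAMAAAAEAAA"
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # blob-sized base64 run

def literal_match(cmdline: str) -> bool:
    """Same test as the KQL: ProcessCommandLine contains the header literal."""
    return QUERY_LITERAL in cmdline

def looks_like_pe(blob: bytes) -> bool:
    """True if some 'MZ' in the blob has an e_lfanew that points at 'PE\\0\\0'."""
    for m in re.finditer(b"MZ", blob):
        off = m.start()
        if off + 0x40 > len(blob):
            break
        e_lfanew = int.from_bytes(blob[off + 0x3C:off + 0x40], "little")
        if blob[off + e_lfanew:off + e_lfanew + 4] == b"PE\x00\x00":
            return True
    return False

def decoded_pe_match(cmdline: str) -> bool:
    """Decode each base64-looking token and look for a PE at any offset, so a
    header preceded by 1 or 2 extra bytes (different base64 alignment, hence
    no 'TVqQ' in the text) is still found. Undecodable tokens are skipped."""
    for tok in B64_TOKEN.findall(cmdline):
        try:
            blob = base64.b64decode(tok + "=" * (-len(tok) % 4), validate=True)
        except (binascii.Error, ValueError):
            continue
        if looks_like_pe(blob):
            return True
    return False

def make_fake_pe() -> bytes:
    """Constructed stand-in for a PE: 64-byte DOS header with e_lfanew = 0x40
    pointing at a 'PE\\0\\0' signature. Not a loadable binary."""
    dos = bytearray(64)
    dos[:12] = MZ_HEADER
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20

def b64_cmdline(payload: bytes) -> str:
    """Constructed ProcessCommandLine that decodes a base64 blob in memory."""
    enc = base64.b64encode(payload).decode()
    return f"powershell.exe -NoProfile -Command \"$b = [Convert]::FromBase64String('{enc}')\""
```

Run against DeviceProcessEvents exports, `decoded_pe_match` catches the shifted encodings that the `contains` literal misses, at the cost of decoding every long base64 token.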
False positive scenarios and suggested exclusions

- Scenario: A system administrator uses PowerShell to encode a legitimate PE file (e.g., a signed driver or application) for secure transfer over a network.
  Filter/Exclusion: Check for signed certificates or trusted file paths (e.g., C:\Windows\System32\) in the command line or process context.
- Scenario: A scheduled job runs a PowerShell script that uses ConvertTo-Base64 to encode a file as part of a backup or archival process.
  Filter/Exclusion: Exclude processes associated with the backup service or scheduled tasks known to handle file encoding (e.g., BackupService.exe, or tasks whose TaskName contains "backup").
- Scenario: A developer uses PowerShell to encode a PE file as part of a CI/CD pipeline to prepare a deployment artifact.
  Filter/Exclusion: Filter out processes initiated from known CI/CD tools (e.g., Jenkins.exe, AzureDevOps.exe) or check for the presence of build-related environment variables.
- Scenario: A security tool or endpoint protection software uses PowerShell to encode a PE file for signature analysis or sandboxing.
  Filter/Exclusion: Exclude processes that belong to known security tools (e.g., Microsoft Defender Antivirus, CrowdStrike, FireEye) or check for tool-specific command-line arguments.
- Scenario: A user runs a legitimate PowerShell script that encodes a PE file for remote execution (e.g., using Invoke-Command or Enter-PSSession).
  Filter/Exclusion: Exclude processes that originate from remote sessions or check for Invoke-Command or Enter-PSSession in the command line context.