LinkedIn
Twitter
Hi all,
I am having an issue with the error message in the title field and some help would be really appreciated.
I have wrote a YARA-L rule in Chronicle which captures various matching powershell command and decodes the successful match using the strings.base64.decode function. I followed the guidance on (https://chronicle.security/blog/posts/new-to-chronicle-capturing-strings-for-additional-analysis/) and also created a shortened version of my base rule to test the syntax and it worked absolutely fine. Yet when i try and save the main master rule (below), i receive an error which after troubleshooting has not progressed much. Any help on why the encoded_value variable needs assigning to a placeholder would be helpful, despite the fact i have used the exact same line in a much shorter detection rule without an error.
To summarise, the rule is looking for the presence of base64 strings used in command line and then capturing those true positive strings and assigning to a variable called encoded_value.
Many thanks
Hi John,
I have not uploaded the code anywhere as I'm working in the Chronicle rule editor. I tried to provide the whole code and the post got blocked. However I can attach the error below and include the whole rule too. Ironically it was your articles which inspired my logic!
I appreciate your help.
Kind regards,
rule suspicious_encoded_command_line_test {
meta:
created = "2024-01-01"
product = "windows"
events:
$selection.metadata.event_type = "PROCESS_LAUNCH"
$selection.principal.hostname = $hostname
(
(
re.regex($selection.target.process.command_line, `.* -e.*`) nocase and
re.regex($selection.target.process.command_line, `[.*SQBuAHYAbwBrAGUALQ.*|.*kAbgB2AG8AawBlAC0A.*|.*JAG4AdgBvAGsAZQAtA.*|.*SW52b2tlL.*|.*ludm9rZS.*|.*JbnZva2Ut.*|.* JAB.*|.* SUVYI.*|.* SQBFAF.*|.*TV6 .*|.*TVQ .*|.* SQBuAH.*|.* PAA.*|.*cwBha .*|.*dmFy .*|.* RV20.*|.* dXNpbm.*|.* H4sIA.*|.* Y21k.*|.* cABhAH.*|.* Qzpc.*|.* Yzpc.*|.* UEs.*|.* EY.*|.* aQBlA.*|.* aWV4.*|.* IAA.*|.* IAB.*|.* UwB.*|.* cwB.*|.* AEkARQBY.*|.* AGkAZQB4.*|.*\.exe -ENCOD .*|.* BA/^J e\-.*]`) nocase and
$encoded_value = re.capture($selection.target.process.command_line, `[.*SQBuAHYAbwBrAGUALQ.*|.*kAbgB2AG8AawBlAC0A.*|.*JAG4AdgBvAGsAZQAtA.*|.*SW52b2tlL.*|.*ludm9rZS.*|.*JbnZva2Ut.*|.* JAB.*|.* SUVYI.*|.* SQBFAF.*|.*TV6 .*|.*TVQ .*|.* SQBuAH.*|.* PAA.*|.*cwBha .*|.*dmFy .*|.* RV20.*|.* dXNpbm.*|.* H4sIA.*|.* Y21k.*|.* cABhAH.*|.* Qzpc.*|.* Yzpc.*|.* UEs.*|.* EY.*|.* aQBlA.*|.* aWV4.*|.* IAA.*|.* IAB.*|.* UwB.*|.* cwB.*|.* AEkARQBY.*|.* AGkAZQB4.*|.*\.exe -ENCOD .*|.* BA/^J e\-.*]`) and
$decoded_value = strings.base64_decode(re.capture($selection.target.process.command_line, `[.*SQBuAHYAbwBrAGUALQ.*|.*kAbgB2AG8AawBlAC0A.*|.*JAG4AdgBvAGsAZQAtA.*|.*SW52b2tlL.*|.*ludm9rZS.*|.*JbnZva2Ut.*|.* JAB.*|.* SUVYI.*|.* SQBFAF.*|.*TV6 .*|.*TVQ .*|.* SQBuAH.*|.* PAA.*|.*cwBha .*|.*dmFy .*|.* RV20.*|.* dXNpbm.*|.* H4sIA.*|.* Y21k.*|.* cABhAH.*|.* Qzpc.*|.* Yzpc.*|.* UEs.*|.* EY.*|.* aQBlA.*|.* aWV4.*|.* IAA.*|.* IAB.*|.* UwB.*|.* cwB.*|.* AEkARQBY.*|.* AGkAZQB4.*|.*\.exe -ENCOD .*|.* BA/^J e\-.*]`))
)
or
(
re.regex($selection.target.process.command_line, `[.*::FromBase64String.*|.*OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA.*|.*oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA.*|.*6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw.*|.*OjpGcm9tQmFzZTY0U3RyaW5n.*|.*ADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBn.*]`) and
$encoded_value= re.capture($selection.target.process.command_line, `[.*::FromBase64String.*|.*OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA.*|.*oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA.*|.*6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw.*|.*OjpGcm9tQmFzZTY0U3RyaW5n.*|.*ADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBn.*]`) and
$decoded_value2 = strings.base64_decode(re.capture($selection.target.process.command_line, `[.*::FromBase64String.*|.*OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA.*|.*oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA.*|.*6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw.*|.*OjpGcm9tQmFzZTY0U3RyaW5n.*|.*ADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBn.*]`))
)
or
(
re.regex($selection.target.process.command_line, `[.*IEX \(\[.*|.*iex \(\[.*|.*iex \(New.*|.*IEX \(New.*|.*IEX\(\[.*|.*iex\(\[.*|.*iex\(New.*|.*IEX\(New.*|.*IEX\(\('.*|.*iex\(\('.*|.*SQBFAFgAIAAoAFsA.*|.*kARQBYACAAKABbA.*|.*JAEUAWAAgACgAWw.*|.*aQBlAHgAIAAoAFsA.*|.*kAZQB4ACAAKABbA.*|.*pAGUAeAAgACgAWw.*|.*aQBlAHgAIAAoAE4AZQB3A.*|.*kAZQB4ACAAKABOAGUAdw.*|.*pAGUAeAAgACgATgBlAHcA.*|.*SQBFAFgAIAAoAE4AZQB3A.*|.*kARQBYACAAKABOAGUAdw.*|.*JAEUAWAAgACgATgBlAHcA.*]`) and
$encoded_value = re.capture($selection.target.process.command_line, `[.*IEX \(\[.*|.*iex \(\[.*|.*iex \(New.*|.*IEX \(New.*|.*IEX\(\[.*|.*iex\(\[.*|.*iex\(New.*|.*IEX\(New.*|.*IEX\(\('.*|.*iex\(\('.*|.*SQBFAFgAIAAoAFsA.*|.*kARQBYACAAKABbA.*|.*JAEUAWAAgACgAWw.*|.*aQBlAHgAIAAoAFsA.*|.*kAZQB4ACAAKABbA.*|.*pAGUAeAAgACgAWw.*|.*aQBlAHgAIAAoAE4AZQB3A.*|.*kAZQB4ACAAKABOAGUAdw.*|.*pAGUAeAAgACgATgBlAHcA.*|.*SQBFAFgAIAAoAE4AZQB3A.*|.*kARQBYACAAKABOAGUAdw.*|.*JAEUAWAAgACgATgBlAHcA.*]`) and
$decoded_value = strings.base64_decode(re.capture($selection.target.process.command_line, `[.*IEX \(\[.*|.*iex \(\[.*|.*iex \(New.*|.*IEX \(New.*|.*IEX\(\[.*|.*iex\(\[.*|.*iex\(New.*|.*IEX\(New.*|.*IEX\(\('.*|.*iex\(\('.*|.*SQBFAFgAIAAoAFsA.*|.*kARQBYACAAKABbA.*|.*JAEUAWAAgACgAWw.*|.*aQBlAHgAIAAoAFsA.*|.*kAZQB4ACAAKABbA.*|.*pAGUAeAAgACgAWw.*|.*aQBlAHgAIAAoAE4AZQB3A.*|.*kAZQB4ACAAKABOAGUAdw.*|.*pAGUAeAAgACgATgBlAHcA.*|.*SQBFAFgAIAAoAE4AZQB3A.*|.*kARQBYACAAKABOAGUAdw.*|.*JAEUAWAAgACgATgBlAHcA.*]`))
)
or
(
re.regex($selection.target.process.command_line, `[.*WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA.*|.*sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA.*|.*bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA.*|.*AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC.*|.*BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp.*|.*AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK.*|.*WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ.*|.*sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA.*|.*bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA.*|.*WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA.*|.*sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA.*|.*bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA.*|.*OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ.*|.*oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA.*|.*6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA.*|.*OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ.*|.*oAOgAoACIATABvACIAKwAiAGEAZAAiACkA.*|.*6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA.*|.*OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ.*|.*oAOgAoACIATABvAGEAIgArACIAZAAiACkA.*|.*6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA.*|.*OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ.*|.*oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA.*|.*6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA.*|.*OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ.*|.*oAOgAoACcATABvACcAKwAnAGEAZAAnACkA.*|.*6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA.*|.*OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ.*|.*oAOgAoACcATABvAGEAJwArACcAZAAnACkA.*|.*6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA.*|.*ADoAOgAoACcATABvAGEAJwArACcAZAAnACk.*|.*ADoAOgAoACcATABvACcAKwAnAGEAZAAnACk.*|.*ADoAOgAoACcATAAnACsAJwBvAGEAZAAnACk.*|.*ADoAOgAoACIATABvAGEAIgArACIAZAAiACk.*|.*ADoAOgAoACIATABvACIAKwAiAGEAZAAiACk.*|.*ADoAOgAoACIATAAiACsAIgBvAGEAZAAiACk.*]`) and
$encoded_value = re.capture($selection.target.process.command_line, `[.*WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA.*|.*sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA.*|.*bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA.*|.*AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC.*|.*BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp.*|.*AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK.*|.*WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ.*|.*sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA.*|.*bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA.*|.*WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA.*|.*sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA.*|.*bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA.*|.*OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ.*|.*oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA.*|.*6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA.*|.*OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ.*|.*oAOgAoACIATABvACIAKwAiAGEAZAAiACkA.*|.*6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA.*|.*OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ.*|.*oAOgAoACIATABvAGEAIgArACIAZAAiACkA.*|.*6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA.*|.*OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ.*|.*oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA.*|.*6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA.*|.*OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ.*|.*oAOgAoACcATABvACcAKwAnAGEAZAAnACkA.*|.*6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA.*|.*OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ.*|.*oAOgAoACcATABvAGEAJwArACcAZAAnACkA.*|.*6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA.*|.*ADoAOgAoACcATABvAGEAJwArACcAZAAnACk.*|.*ADoAOgAoACcATABvACcAKwAnAGEAZAAnACk.*|.*ADoAOgAoACcATAAnACsAJwBvAGEAZAAnACk.*|.*ADoAOgAoACIATABvAGEAIgArACIAZAAiACk.*|.*ADoAOgAoACIATABvACIAKwAiAGEAZAAiACk.*|.*ADoAOgAoACIATAAiACsAIgBvAGEAZAAiACk.*]`) and
$decoded_value = strings.base64_decode(re.capture($selection.target.process.command_line, `[.*WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA.*|.*sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA.*|.*bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA.*|.*AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC.*|.*BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp.*|.*AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK.*|.*WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ.*|.*sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA.*|.*bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA.*|.*WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA.*|.*sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA.*|.*bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA.*|.*OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ.*|.*oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA.*|.*6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA.*|.*OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ.*|.*oAOgAoACIATABvACIAKwAiAGEAZAAiACkA.*|.*6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA.*|.*OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ.*|.*oAOgAoACIATABvAGEAIgArACIAZAAiACkA.*|.*6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA.*|.*OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ.*|.*oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA.*|.*6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA.*|.*OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ.*|.*oAOgAoACcATABvACcAKwAnAGEAZAAnACkA.*|.*6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA.*|.*OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ.*|.*oAOgAoACcATABvAGEAJwArACcAZAAnACkA.*|.*6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA.*|.*ADoAOgAoACcATABvAGEAJwArACcAZAAnACk.*|.*ADoAOgAoACcATABvACcAKwAnAGEAZAAnACk.*|.*ADoAOgAoACcATAAnACsAJwBvAGEAZAAnACk.*|.*ADoAOgAoACIATABvAGEAIgArACIAZAAiACk.*|.*ADoAOgAoACIATABvACIAKwAiAGEAZAAiACk.*|.*ADoAOgAoACIATAAiACsAIgBvAGEAZAAiACk.*]`))
)
or
(
re.regex($selection.target.process.command_line, `[.*OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ.*|.*oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA.*|.*6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA.*|.*OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ.*|.*oAOgAoACIATABvACIAKwAiAGEAZAAiACkA.*|.*6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA.*|.*OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ.*|.*oAOgAoACIATABvAGEAIgArACIAZAAiACkA.*|.*6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA.*|.*OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ.*|.*oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA.*|.*6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA.*|.*OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ.*|.*oAOgAoACcATABvACcAKwAnAGEAZAAnACkA.*|.*6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA.*|.*OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ.*|.*oAOgAoACcATABvAGEAJwArACcAZAAnACkA.*|.*6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA.*|.*ADoAOgAoACcATABvAGEAJwArACcAZAAnACk.*|.*ADoAOgAoACcATABvACcAKwAnAGEAZAAnACk.*|.*ADoAOgAoACcATAAnACsAJwBvAGEAZAAnACk.*|.*ADoAOgAoACIATABvAGEAIgArACIAZAAiACk.*|.*ADoAOgAoACIATABvACIAKwAiAGEAZAAiACk.*|.*ADoAOgAoACIATAAiACsAIgBvAGEAZAAiACk.*]`) and
$encoded_value = re.capture($selection.target.process.command_line, `[.*OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ.*|.*oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA.*|.*6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA.*|.*OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ.*|.*oAOgAoACIATABvACIAKwAiAGEAZAAiACkA.*|.*6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA.*|.*OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ.*|.*oAOgAoACIATABvAGEAIgArACIAZAAiACkA.*|.*6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA.*|.*OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ.*|.*oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA.*|.*6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA.*|.*OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ.*|.*oAOgAoACcATABvACcAKwAnAGEAZAAnACkA.*|.*6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA.*|.*OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ.*|.*oAOgAoACcATABvAGEAJwArACcAZAAnACkA.*|.*6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA.*|.*ADoAOgAoACcATABvAGEAJwArACcAZAAnACk.*|.*ADoAOgAoACcATABvACcAKwAnAGEAZAAnACk.*|.*ADoAOgAoACcATAAnACsAJwBvAGEAZAAnACk.*|.*ADoAOgAoACIATABvAGEAIgArACIAZAAiACk.*|.*ADoAOgAoACIATABvACIAKwAiAGEAZAAiACk.*|.*ADoAOgAoACIATAAiACsAIgBvAGEAZAAiACk.*]`) and
$decoded_value = strings.base64_decode(re.capture($selection.target.process.command_line, `[.*OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ.*|.*oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA.*|.*6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA.*|.*OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ.*|.*oAOgAoACIATABvACIAKwAiAGEAZAAiACkA.*|.*6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA.*|.*OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ.*|.*oAOgAoACIATABvAGEAIgArACIAZAAiACkA.*|.*6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA.*|.*OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ.*|.*oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA.*|.*6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA.*|.*OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ.*|.*oAOgAoACcATABvACcAKwAnAGEAZAAnACkA.*|.*6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA.*|.*OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ.*|.*oAOgAoACcATABvAGEAJwArACcAZAAnACkA.*|.*6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA.*|.*ADoAOgAoACcATABvAGEAJwArACcAZAAnACk.*|.*ADoAOgAoACcATABvACcAKwAnAGEAZAAnACk.*|.*ADoAOgAoACcATAAnACsAJwBvAGEAZAAnACk.*|.*ADoAOgAoACIATABvAGEAIgArACIAZAAiACk.*|.*ADoAOgAoACIATABvACIAKwAiAGEAZAAiACk.*|.*ADoAOgAoACIATAAiACsAIgBvAGEAZAAiACk.*]`))
)
or
(
re.regex($selection.target.process.command_line, `[.*AC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGU.*|.*AAC4AZABvAHcAbgBsAG8AYQBkAGYAaQBsAGU.*|.*AC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBn.*|.*AC4AZABvAHcAbgBsAG8AYQBkAGQAYQB0AGE.*]`) and
$encoded_value = re.capture($selection.target.process.command_line, `[.*AC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGU.*|.*AAC4AZABvAHcAbgBsAG8AYQBkAGYAaQBsAGU.*|.*AC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBn.*|.*AC4AZABvAHcAbgBsAG8AYQBkAGQAYQB0AGE.*]`) and
$decoded_value = strings.base64_decode(re.capture($selection.target.process.command_line, `[.*AC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGU.*|.*AAC4AZABvAHcAbgBsAG8AYQBkAGYAaQBsAGU.*|.*AC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBn.*|.*AC4AZABvAHcAbgBsAG8AYQBkAGQAYQB0AGE.*]`))
)
or
(
re.regex($selection.target.process.command_line, `[.*VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ.*|.*cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA.*|.*XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A.*|.*V2luMzJfU2hhZG93Y29we.*|.*dpbjMyX1NoYWRvd2NvcH.*|.*XaW4zMl9TaGFkb3djb3B5.*|.*VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA.*|.*cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA.*|.*XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg.*|.*V2luMzJfU2NoZWR1bGVkSm9i.*|.*dpbjMyX1NjaGVkdWxlZEpvY.*|.*XaW4zMl9TY2hlZHVsZWRKb2.*|.*VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw.*|.*cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA.*|.*XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA.*|.*V2luMzJfUHJvY2Vzc.*|.*dpbjMyX1Byb2Nlc3.*|.*XaW4zMl9Qcm9jZXNz.*|.*VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A.*|.*cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA.*|.*XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA.*|.*V2luMzJfVXNlckFjY291bn.*|.*dpbjMyX1VzZXJBY2NvdW50.*|.*XaW4zMl9Vc2VyQWNjb3Vud.*|.*VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA.*|.*cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA.*|.*XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg.*|.*V2luMzJfTG9nZ2VkT25Vc2Vy.*|.*dpbjMyX0xvZ2dlZE9uVXNlc.*|.*XaW4zMl9Mb2dnZWRPblVzZX.*]`) and
$encoded_value = re.capture($selection.target.process.command_line, `[.*VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ.*|.*cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA.*|.*XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A.*|.*V2luMzJfU2hhZG93Y29we.*|.*dpbjMyX1NoYWRvd2NvcH.*|.*XaW4zMl9TaGFkb3djb3B5.*|.*VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA.*|.*cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA.*|.*XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg.*|.*V2luMzJfU2NoZWR1bGVkSm9i.*|.*dpbjMyX1NjaGVkdWxlZEpvY.*|.*XaW4zMl9TY2hlZHVsZWRKb2.*|.*VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw.*|.*cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA.*|.*XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA.*|.*V2luMzJfUHJvY2Vzc.*|.*dpbjMyX1Byb2Nlc3.*|.*XaW4zMl9Qcm9jZXNz.*|.*VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A.*|.*cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA.*|.*XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA.*|.*V2luMzJfVXNlckFjY291bn.*|.*dpbjMyX1VzZXJBY2NvdW50.*|.*XaW4zMl9Vc2VyQWNjb3Vud.*|.*VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA.*|.*cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA.*|.*XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg.*|.*V2luMzJfTG9nZ2VkT25Vc2Vy.*|.*dpbjMyX0xvZ2dlZE9uVXNlc.*|.*XaW4zMl9Mb2dnZWRPblVzZX.*]`) and
$decoded_value = strings.base64_decode(re.capture($selection.target.process.command_line, `[.*VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ.*|.*cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA.*|.*XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A.*|.*V2luMzJfU2hhZG93Y29we.*|.*dpbjMyX1NoYWRvd2NvcH.*|.*XaW4zMl9TaGFkb3djb3B5.*|.*VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA.*|.*cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA.*|.*XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg.*|.*V2luMzJfU2NoZWR1bGVkSm9i.*|.*dpbjMyX1NjaGVkdWxlZEpvY.*|.*XaW4zMl9TY2hlZHVsZWRKb2.*|.*VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw.*|.*cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA.*|.*XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA.*|.*V2luMzJfUHJvY2Vzc.*|.*dpbjMyX1Byb2Nlc3.*|.*XaW4zMl9Qcm9jZXNz.*|.*VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A.*|.*cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA.*|.*XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA.*|.*V2luMzJfVXNlckFjY291bn.*|.*dpbjMyX1VzZXJBY2NvdW50.*|.*XaW4zMl9Vc2VyQWNjb3Vud.*|.*VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA.*|.*cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA.*|.*XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg.*|.*V2luMzJfTG9nZ2VkT25Vc2Vy.*|.*dpbjMyX0xvZ2dlZE9uVXNlc.*|.*XaW4zMl9Mb2dnZWRPblVzZX.*]`))
)
)
match:
$hostname over 1h
outcome:
$encoded_string = $encoded_value
$decoded_string = $decoded_value
condition:
$selection
}
