Execution of Command Line Tool with Base64 Encoded Arguments
Detects the execution of common command line tools (e.g., PowerShell, cmd.exe) with Base64 encoded arguments, which could indicate an attempt to obfuscate malicious commands.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | No specific technique |
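The check this rule describes, as an added reference implementation written for this page (it is not Panther's crowdstrike_base64_encoded_args.py, whose source the page does not show). The tool list, the 12-character floor and the digit-or-padding filter are my assumptions, tuned against the rule's own test cases further down; the command lines in the demo are taken from those tests.

```python
import base64
import binascii
import re
from typing import Iterator, List, Optional

# Assumed tool list: the rule description names PowerShell and cmd.exe.
COMMAND_LINE_TOOLS = frozenset({"powershell.exe", "pwsh.exe", "cmd.exe"})

# Standard Base64 shape: alphabet characters in groups of four, with at most
# two '=' of padding at the end.
_B64_SHAPE = re.compile(
    r"^(?:[A-Za-z0-9+/]{4})*"
    r"(?:[A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)$"
)
# Below 12 characters ordinary words fit that shape ("wget", "test", "powercfg").
MIN_B64_LEN = 12
# Heuristic (mine, not the rule's): Base64 of more than a few bytes almost
# always contains a digit, '+', '/' or padding, while CamelCase identifiers
# such as NewUpdatesReadyToApply do not.
_LOW_SIGNAL = re.compile(r"[0-9+/=]")


def _image_basename(path: str) -> str:
    """Last path component, accepting NT device paths and POSIX paths alike."""
    return re.split(r"[\\/]", path)[-1].lower()


def _argument_values(command_line: str) -> Iterator[str]:
    """Yield the value part of each whitespace-separated argument.

    Surrounding quotes are stripped and '--flag=value' is reduced to 'value',
    so --b64="..." and --b64=... both expose the payload. Whitespace splitting
    is deliberate: shlex in POSIX mode eats the backslashes in Windows paths.
    """
    for token in command_line.split():
        if token.startswith("-") and "=" in token:
            token = token.split("=", 1)[1]
        yield token.strip("\"'")


def encoded_arguments(command_line: str) -> List[str]:
    """Arguments that look like Base64 payloads, in command-line order."""
    return [
        value for value in _argument_values(command_line)
        if len(value) >= MIN_B64_LEN
        and _B64_SHAPE.match(value)
        and _LOW_SIGNAL.search(value)
    ]


def rule(event: dict) -> bool:
    """True when a command-line tool ran with a Base64-looking argument."""
    if event.get("fdr_event_type") != "ProcessRollup2":
        return False
    details = event.get("event") or {}
    if _image_basename(details.get("ImageFileName", "")) not in COMMAND_LINE_TOOLS:
        return False
    return bool(encoded_arguments(details.get("CommandLine", "")))


def decode_argument(value: str) -> Optional[str]:
    """Decode a flagged argument for triage, the step the Runbook asks for.

    PowerShell's -EncodedCommand carries UTF-16LE, recognisable by a zero
    high byte after every ASCII character; anything else is read as UTF-8.
    Returns None when the argument does not decode as Base64 after all.
    """
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def fdr_event(image: Optional[str], command_line: str) -> dict:
    """Constructed ProcessRollup2 event with only the fields the rule reads."""
    details = {"CommandLine": command_line}
    if image is not None:
        details["ImageFileName"] = image
    return {"fdr_event_type": "ProcessRollup2", "event": details}


PS_IMAGE = "\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
CMD_IMAGE = "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe"

if __name__ == "__main__":
    # Two command lines from the rule's test cases further down the page.
    hit = fdr_event(PS_IMAGE, "powershell.exe -NoProfile -NonInteractive –ExecutionPolicy Bypass "
                    "-EncodedCommand UwB0AGEAcgB0ACAAIgBoAHQAdABwADoALwAvAGwAbwBjAGEAbABoAG8AcwB0ADoANgAwADAANgAvACIA")
    miss = fdr_event(PS_IMAGE, "powershell.exe -Command start 'dcu.centennial: Create NewUpdatesReadyToApply'")
    for event in (hit, miss):
        found = encoded_arguments(event["event"]["CommandLine"])
        print(rule(event), [decode_argument(v) for v in found])
```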
Rule body (YAML)
AnalysisType: rule
Filename: crowdstrike_base64_encoded_args.py
RuleID: Crowdstrike.Base64EncodedArgs
DisplayName: Execution of Command Line Tool with Base64 Encoded Arguments
Enabled: true
LogTypes:
- Crowdstrike.FDREvent
Tags:
- Execution
- Obfuscation
Severity: Medium
Description: Detects the execution of common command line tools (e.g., PowerShell, cmd.exe) with Base64 encoded arguments, which could indicate an attempt to obfuscate malicious commands.
Runbook: Investigate the endpoint for signs of command line tool execution with Base64 encoded arguments. Review the executed command, decode the Base64 string, and analyze the original content.
Reference: https://www.crowdstrike.com/blog/blocking-fileless-script-based-attacks-using-falcon-script-control-feature/
DedupPeriodMinutes: 60
Tests:
- Name: Command Line Tool Execution with Base64 Argument (Positive)
ExpectedResult: true
Log:
{
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"Entitlements": "15",
"TreeId": "4295752857",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event":
{
"AuthenticationId": "293628",
"AuthenticodeHashData": "98a4762f52a",
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -EncodedCommand \"aGVsbG93b3JsZA==\" -SomeExtraCommand \"HelloWorld\"",
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"EffectiveTransmissionClass": "2",
"Entitlements": "15",
"ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"ImageSubsystem": "3",
"IntegrityLevel": "12288",
"MD5HashData": "c031e215b8b08c752bf362f6d4c5d3ad",
"ParentAuthenticationId": "293628",
"ParentBaseFileName": "pwsh.exe",
"ParentProcessId": "4370948876",
"ProcessCreateFlags": "1024",
"ProcessEndTime": "",
"ProcessParameterFlags": "24577",
"ProcessStartTime": "1682368414.719",
"ProcessSxsFlags": "64",
"RawProcessId": "3120",
"SHA1HashData": "0000000000000000000000000000000000000000",
"SHA256HashData": "840e1f9dc5a29bebf01626822d7390251e9cf05bb3560ba7b68bdb8a41cf08e3",
"SessionId": "2",
"SignInfoFlags": "8683538",
"SourceProcessId": "4370948876",
"SourceThreadId": "112532918543",
"Tags": "25, 27, 40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 263882790666253",
"TargetProcessId": "10413665481",
"TokenType": "1",
"TreeId": "4295752857",
"UserSid": "S-1-5-21-239183934-720705223-383019856-500",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"timestamp": "1682368416719",
},
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"fdr_event_type": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"p_log_type": "Crowdstrike.FDREvent",
"timestamp": "2023-04-24 20:33:36.719",
}
- Name: Command Line Tool Execution with Base64 Argument 2 (Positive)
ExpectedResult: true
Log:
{
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"Entitlements": "15",
"TreeId": "4295752857",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event":
{
"AuthenticationId": "293628",
"AuthenticodeHashData": "98a4762f52a",
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -EncodedCommand c29tZXRoaW5n -SomeExtraCommand \"HelloWorld\"",
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"EffectiveTransmissionClass": "2",
"Entitlements": "15",
"ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"ImageSubsystem": "3",
"IntegrityLevel": "12288",
"MD5HashData": "c031e215b8b08c752bf362f6d4c5d3ad",
"ParentAuthenticationId": "293628",
"ParentBaseFileName": "pwsh.exe",
"ParentProcessId": "4370948876",
"ProcessCreateFlags": "1024",
"ProcessEndTime": "",
"ProcessParameterFlags": "24577",
"ProcessStartTime": "1682368414.719",
"ProcessSxsFlags": "64",
"RawProcessId": "3120",
"SHA1HashData": "0000000000000000000000000000000000000000",
"SHA256HashData": "840e1f9dc5a29bebf01626822d7390251e9cf05bb3560ba7b68bdb8a41cf08e3",
"SessionId": "2",
"SignInfoFlags": "8683538",
"SourceProcessId": "4370948876",
"SourceThreadId": "112532918543",
"Tags": "25, 27, 40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 263882790666253",
"TargetProcessId": "10413665481",
"TokenType": "1",
"TreeId": "4295752857",
"UserSid": "S-1-5-21-239183934-720705223-383019856-500",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"timestamp": "1682368416719",
},
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"fdr_event_type": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"p_log_type": "Crowdstrike.FDREvent",
"timestamp": "2023-04-24 20:33:36.719",
}
- Name: Command Line Tool Execution without Base64 Argument (Negative)
ExpectedResult: false
Log:
{
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"Entitlements": "15",
"TreeId": "4295752857",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event":
{
"AuthenticationId": "293628",
"AuthenticodeHashData": "98a4762f52a",
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -WriteHost \"HelloWorld123\" wget test = good",
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"EffectiveTransmissionClass": "2",
"Entitlements": "15",
"ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"ImageSubsystem": "3",
"IntegrityLevel": "12288",
"MD5HashData": "c031e215b8b08c752bf362f6d4c5d3ad",
"ParentAuthenticationId": "293628",
"ParentBaseFileName": "pwsh.exe",
"ParentProcessId": "4370948876",
"ProcessCreateFlags": "1024",
"ProcessEndTime": "",
"ProcessParameterFlags": "24577",
"ProcessStartTime": "1682368414.719",
"ProcessSxsFlags": "64",
"RawProcessId": "3120",
"SHA1HashData": "0000000000000000000000000000000000000000",
"SHA256HashData": "840e1f9dc5a29bebf01626822d7390251e9cf05bb3560ba7b68bdb8a41cf08e3",
"SessionId": "2",
"SignInfoFlags": "8683538",
"SourceProcessId": "4370948876",
"SourceThreadId": "112532918543",
"Tags": "25, 27, 40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 263882790666253",
"TargetProcessId": "10413665481",
"TokenType": "1",
"TreeId": "4295752857",
"UserSid": "S-1-5-21-239183934-720705223-383019856-500",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"timestamp": "1682368416719",
},
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"fdr_event_type": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"p_log_type": "Crowdstrike.FDREvent",
"timestamp": "2023-04-24 20:33:36.719",
}
- Name: Mac - Git
ExpectedResult: false
Log:
{
"ConfigBuild": "1007.4.0016304.11",
"ConfigStateHash": "3521399940",
"Entitlements": "15",
"aid": "1ba46982062b43redacted",
"aip": "1.1.1.1",
"cid": "712bcd164963442ea43d5redacted",
"event":
{
"CodeSigningFlags": "570503953",
"CommandLine": "/Applications/Sourcetree.app/Contents/Resources/git_local/bin/git --no-pager --EncodedString aGVsbG93b3JsZA==",
"ConfigBuild": "1007.4.0016304.11",
"ConfigStateHash": "3521399940",
"EffectiveTransmissionClass": "2",
"Entitlements": "15",
"GID": "20",
"ImageFileName": "/Applications/Sourcetree.app/Contents/Resources/git_local/bin/git",
"MD5HashData": "redacted",
"MachOSubType": "1",
"ParentBaseFileName": "Sourcetree",
"ParentProcessId": "466750419375415990",
"ProcessEndTime": "",
"ProcessGroupId": "468193711305251738",
"ProcessStartTime": "1675441378.504",
"RGID": "501",
"RUID": "501",
"RawProcessId": "30138",
"SHA1HashData": "0000000000000000000000000000000000000000",
"SHA256HashData": "f154d8e18001e2fb7ae36d1eca1e833ddac057dd946fbb76ee14121a5e293538",
"SVGID": "20",
"SVUID": "501",
"SessionProcessId": "466750413792797092",
"SigningId": "git",
"SourceProcessId": "466750419375415990",
"SourceThreadId": "0",
"Tags": "12094627905582, 12094627906234",
"TargetProcessId": "468193711305251738",
"UID": "501",
"aid": "1ba46982062b43redacted",
"aip": "1.1.1.1",
"cid": "712bcd164963442ea43d5redacted",
"event_platform": "Mac",
"event_simpleName": "ProcessRollup2",
"id": "21fd2f8b-de5f-4ab0-b188-4bbb8c80224d",
"name": "ProcessRollup2MacV7",
"timestamp": "1675441380830",
},
"event_platform": "Mac",
"event_simpleName": "ProcessRollup2",
"fdr_event_type": "ProcessRollup2",
"id": "21fd2f8b-de5f-4ab0-b188-4bbb8c80224d",
"name": "ProcessRollup2MacV7",
"p_any_ip_addresses": ["1.1.1.1"],
"p_log_type": "Crowdstrike.FDREvent",
"timestamp": "2023-02-03 16:23:00.83",
}
- Name: Command Line Tool Execution without Base64 Argument (Negative) 2
ExpectedResult: false
Log:
{
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"Entitlements": "15",
"TreeId": "4295752857",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event":
{
"AuthenticationId": "293628",
"AuthenticodeHashData": "98a4762f52a",
"CommandLine": "/c powercfg /requests",
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"EffectiveTransmissionClass": "2",
"Entitlements": "15",
"ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"ImageSubsystem": "3",
"IntegrityLevel": "12288",
"MD5HashData": "c031e215b8b08c752bf362f6d4c5d3ad",
"ParentAuthenticationId": "293628",
"ParentBaseFileName": "pwsh.exe",
"ParentProcessId": "4370948876",
"ProcessCreateFlags": "1024",
"ProcessEndTime": "",
"ProcessParameterFlags": "24577",
"ProcessStartTime": "1682368414.719",
"ProcessSxsFlags": "64",
"RawProcessId": "3120",
"SHA1HashData": "0000000000000000000000000000000000000000",
"SHA256HashData": "840e1f9dc5a29bebf01626822d7390251e9cf05bb3560ba7b68bdb8a41cf08e3",
"SessionId": "2",
"SignInfoFlags": "8683538",
"SourceProcessId": "4370948876",
"SourceThreadId": "112532918543",
"Tags": "25, 27, 40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 263882790666253",
"TargetProcessId": "10413665481",
"TokenType": "1",
"TreeId": "4295752857",
"UserSid": "S-1-5-21-239183934-720705223-383019856-500",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"timestamp": "1682368416719",
},
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"fdr_event_type": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"p_log_type": "Crowdstrike.FDREvent",
"timestamp": "2023-04-24 20:33:36.719",
}
- Name: Command Line Tool Execution without Base64 Argument (Negative) 3
ExpectedResult: false
Log:
{
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"Entitlements": "15",
"TreeId": "4295752857",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event":
{
"AuthenticationId": "293628",
"AuthenticodeHashData": "98a4762f52a",
"CommandLine": "powershell.exe -c D:\\Atlas\\Scripts\\CopyBakToS3Job.ps1",
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"EffectiveTransmissionClass": "2",
"Entitlements": "15",
"ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"ImageSubsystem": "3",
"IntegrityLevel": "12288",
"MD5HashData": "c031e215b8b08c752bf362f6d4c5d3ad",
"ParentAuthenticationId": "293628",
"ParentBaseFileName": "pwsh.exe",
"ParentProcessId": "4370948876",
"ProcessCreateFlags": "1024",
"ProcessEndTime": "",
"ProcessParameterFlags": "24577",
"ProcessStartTime": "1682368414.719",
"ProcessSxsFlags": "64",
"RawProcessId": "3120",
"SHA1HashData": "0000000000000000000000000000000000000000",
"SHA256HashData": "840e1f9dc5a29bebf01626822d7390251e9cf05bb3560ba7b68bdb8a41cf08e3",
"SessionId": "2",
"SignInfoFlags": "8683538",
"SourceProcessId": "4370948876",
"SourceThreadId": "112532918543",
"Tags": "25, 27, 40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 263882790666253",
"TargetProcessId": "10413665481",
"TokenType": "1",
"TreeId": "4295752857",
"UserSid": "S-1-5-21-239183934-720705223-383019856-500",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"timestamp": "1682368416719",
},
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"fdr_event_type": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"p_log_type": "Crowdstrike.FDREvent",
"timestamp": "2023-04-24 20:33:36.719",
}
- Name: Command Line Tool Execution without Base64 Argument (Negative) 4
ExpectedResult: false
Log:
{
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"Entitlements": "15",
"TreeId": "4295752857",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event":
{
"AuthenticationId": "293628",
"AuthenticodeHashData": "98a4762f52a",
"CommandLine": "Powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -NoLogo -File C:\\opt\\sensu\\plugins\\check-windows-disk.ps1 90 95",
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"EffectiveTransmissionClass": "2",
"Entitlements": "15",
"ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"ImageSubsystem": "3",
"IntegrityLevel": "12288",
"MD5HashData": "c031e215b8b08c752bf362f6d4c5d3ad",
"ParentAuthenticationId": "293628",
"ParentBaseFileName": "pwsh.exe",
"ParentProcessId": "4370948876",
"ProcessCreateFlags": "1024",
"ProcessEndTime": "",
"ProcessParameterFlags": "24577",
"ProcessStartTime": "1682368414.719",
"ProcessSxsFlags": "64",
"RawProcessId": "3120",
"SHA1HashData": "0000000000000000000000000000000000000000",
"SHA256HashData": "840e1f9dc5a29bebf01626822d7390251e9cf05bb3560ba7b68bdb8a41cf08e3",
"SessionId": "2",
"SignInfoFlags": "8683538",
"SourceProcessId": "4370948876",
"SourceThreadId": "112532918543",
"Tags": "25, 27, 40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 263882790666253",
"TargetProcessId": "10413665481",
"TokenType": "1",
"TreeId": "4295752857",
"UserSid": "S-1-5-21-239183934-720705223-383019856-500",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"timestamp": "1682368416719",
},
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"fdr_event_type": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"p_log_type": "Crowdstrike.FDREvent",
"timestamp": "2023-04-24 20:33:36.719",
}
- Name: Command Line Tool Execution without Base64 Argument (Negative) 5
ExpectedResult: false
Log:
{
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"Entitlements": "15",
"TreeId": "4295752857",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event":
{
"AuthenticationId": "293628",
"AuthenticodeHashData": "98a4762f52a",
"CommandLine": "C:\\windows\\system32\\cmd.exe /S /D /c\" ECHO F\"",
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"EffectiveTransmissionClass": "2",
"Entitlements": "15",
"ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"ImageSubsystem": "3",
"IntegrityLevel": "12288",
"MD5HashData": "c031e215b8b08c752bf362f6d4c5d3ad",
"ParentAuthenticationId": "293628",
"ParentBaseFileName": "pwsh.exe",
"ParentProcessId": "4370948876",
"ProcessCreateFlags": "1024",
"ProcessEndTime": "",
"ProcessParameterFlags": "24577",
"ProcessStartTime": "1682368414.719",
"ProcessSxsFlags": "64",
"RawProcessId": "3120",
"SHA1HashData": "0000000000000000000000000000000000000000",
"SHA256HashData": "840e1f9dc5a29bebf01626822d7390251e9cf05bb3560ba7b68bdb8a41cf08e3",
"SessionId": "2",
"SignInfoFlags": "8683538",
"SourceProcessId": "4370948876",
"SourceThreadId": "112532918543",
"Tags": "25, 27, 40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 263882790666253",
"TargetProcessId": "10413665481",
"TokenType": "1",
"TreeId": "4295752857",
"UserSid": "S-1-5-21-239183934-720705223-383019856-500",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"timestamp": "1682368416719",
},
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"fdr_event_type": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"p_log_type": "Crowdstrike.FDREvent",
"timestamp": "2023-04-24 20:33:36.719",
}
- Name: Command Line Tool Execution without Base64 Argument (Negative) 6
ExpectedResult: false
Log:
{
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"Entitlements": "15",
"TreeId": "4295752857",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event":
{
"AuthenticationId": "293628",
"AuthenticodeHashData": "98a4762f52a",
"CommandLine": '"C:\Windows\system32\cmd.exe" /Q /C ""C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\uninstall.cmd" --dir="C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0""',
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"EffectiveTransmissionClass": "2",
"Entitlements": "15",
"ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"ImageSubsystem": "3",
"IntegrityLevel": "12288",
"MD5HashData": "c031e215b8b08c752bf362f6d4c5d3ad",
"ParentAuthenticationId": "293628",
"ParentBaseFileName": "pwsh.exe",
"ParentProcessId": "4370948876",
"ProcessCreateFlags": "1024",
"ProcessEndTime": "",
"ProcessParameterFlags": "24577",
"ProcessStartTime": "1682368414.719",
"ProcessSxsFlags": "64",
"RawProcessId": "3120",
"SHA1HashData": "0000000000000000000000000000000000000000",
"SHA256HashData": "840e1f9dc5a29bebf01626822d7390251e9cf05bb3560ba7b68bdb8a41cf08e3",
"SessionId": "2",
"SignInfoFlags": "8683538",
"SourceProcessId": "4370948876",
"SourceThreadId": "112532918543",
"Tags": "25, 27, 40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 263882790666253",
"TargetProcessId": "10413665481",
"TokenType": "1",
"TreeId": "4295752857",
"UserSid": "S-1-5-21-239183934-720705223-383019856-500",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"timestamp": "1682368416719",
},
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"fdr_event_type": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"p_log_type": "Crowdstrike.FDREvent",
"timestamp": "2023-04-24 20:33:36.719",
}
- Name: Command Line Tool Execution without Base64 Argument (Negative) 7
ExpectedResult: false
Log:
{
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"Entitlements": "15",
"TreeId": "4295752857",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event":
{
"AuthenticationId": "293628",
"AuthenticodeHashData": "98a4762f52a",
"CommandLine": 'cmd /c "node -v"',
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"EffectiveTransmissionClass": "2",
"Entitlements": "15",
"ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"ImageSubsystem": "3",
"IntegrityLevel": "12288",
"MD5HashData": "c031e215b8b08c752bf362f6d4c5d3ad",
"ParentAuthenticationId": "293628",
"ParentBaseFileName": "pwsh.exe",
"ParentProcessId": "4370948876",
"ProcessCreateFlags": "1024",
"ProcessEndTime": "",
"ProcessParameterFlags": "24577",
"ProcessStartTime": "1682368414.719",
"ProcessSxsFlags": "64",
"RawProcessId": "3120",
"SHA1HashData": "0000000000000000000000000000000000000000",
"SHA256HashData": "840e1f9dc5a29bebf01626822d7390251e9cf05bb3560ba7b68bdb8a41cf08e3",
"SessionId": "2",
"SignInfoFlags": "8683538",
"SourceProcessId": "4370948876",
"SourceThreadId": "112532918543",
"Tags": "25, 27, 40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 263882790666253",
"TargetProcessId": "10413665481",
"TokenType": "1",
"TreeId": "4295752857",
"UserSid": "S-1-5-21-239183934-720705223-383019856-500",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"timestamp": "1682368416719",
},
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"fdr_event_type": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"p_log_type": "Crowdstrike.FDREvent",
"timestamp": "2023-04-24 20:33:36.719",
}
- Name: base64 quoted argument
ExpectedResult: true
Log:
{
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"Entitlements": "15",
"TreeId": "4295752857",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event":
{
"AuthenticationId": "293628",
"AuthenticodeHashData": "98a4762f52a",
"CommandLine": '/usr/bin/somebinary --b64="aGVsbG8taXMtaXQtbWUteW91cmUtbG9va2luZy1mb3IK"',
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"EffectiveTransmissionClass": "2",
"Entitlements": "15",
"ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe",
"ImageSubsystem": "3",
"IntegrityLevel": "12288",
"MD5HashData": "c031e215b8b08c752bf362f6d4c5d3ad",
"ParentAuthenticationId": "293628",
"ParentBaseFileName": "pwsh.exe",
"ParentProcessId": "4370948876",
"ProcessCreateFlags": "1024",
"ProcessEndTime": "",
"ProcessParameterFlags": "24577",
"ProcessStartTime": "1682368414.719",
"ProcessSxsFlags": "64",
"RawProcessId": "3120",
"SHA1HashData": "0000000000000000000000000000000000000000",
"SHA256HashData": "840e1f9dc5a29bebf01626822d7390251e9cf05bb3560ba7b68bdb8a41cf08e3",
"SessionId": "2",
"SignInfoFlags": "8683538",
"SourceProcessId": "4370948876",
"SourceThreadId": "112532918543",
"Tags": "25, 27, 40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 263882790666253",
"TargetProcessId": "10413665481",
"TokenType": "1",
"TreeId": "4295752857",
"UserSid": "S-1-5-21-239183934-720705223-383019856-500",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"timestamp": "1682368416719",
},
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"fdr_event_type": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"p_log_type": "Crowdstrike.FDREvent",
"timestamp": "2023-04-24 20:33:36.719",
}
- Name: base64 prefixed argument
ExpectedResult: true
Log:
{
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"Entitlements": "15",
"TreeId": "4295752857",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event":
{
"AuthenticationId": "293628",
"AuthenticodeHashData": "98a4762f52a",
"CommandLine": '/usr/bin/somebinary --b64=aGVsbG8taXMtaXQtbWUteW91cmUtbG9va2luZy1mb3==',
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"EffectiveTransmissionClass": "2",
"Entitlements": "15",
"ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe",
"ImageSubsystem": "3",
"IntegrityLevel": "12288",
"MD5HashData": "c031e215b8b08c752bf362f6d4c5d3ad",
"ParentAuthenticationId": "293628",
"ParentBaseFileName": "pwsh.exe",
"ParentProcessId": "4370948876",
"ProcessCreateFlags": "1024",
"ProcessEndTime": "",
"ProcessParameterFlags": "24577",
"ProcessStartTime": "1682368414.719",
"ProcessSxsFlags": "64",
"RawProcessId": "3120",
"SHA1HashData": "0000000000000000000000000000000000000000",
"SHA256HashData": "840e1f9dc5a29bebf01626822d7390251e9cf05bb3560ba7b68bdb8a41cf08e3",
"SessionId": "2",
"SignInfoFlags": "8683538",
"SourceProcessId": "4370948876",
"SourceThreadId": "112532918543",
"Tags": "25, 27, 40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 263882790666253",
"TargetProcessId": "10413665481",
"TokenType": "1",
"TreeId": "4295752857",
"UserSid": "S-1-5-21-239183934-720705223-383019856-500",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"timestamp": "1682368416719",
},
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"fdr_event_type": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"p_log_type": "Crowdstrike.FDREvent",
"timestamp": "2023-04-24 20:33:36.719",
}
- Name: no image name
ExpectedResult: false
Log:
{
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"Entitlements": "15",
"TreeId": "4295752857",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event":
{
"AuthenticationId": "293628",
"AuthenticodeHashData": "98a4762f52a",
"CommandLine": '/usr/bin/somebinary --b64=aGVsbG8taXMtaXQtbWUteW91cmUtbG9va2luZy1mb3==',
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"EffectiveTransmissionClass": "2",
"Entitlements": "15",
"ImageSubsystem": "3",
"IntegrityLevel": "12288",
"MD5HashData": "c031e215b8b08c752bf362f6d4c5d3ad",
"ParentAuthenticationId": "293628",
"ParentBaseFileName": "pwsh.exe",
"ParentProcessId": "4370948876",
"ProcessCreateFlags": "1024",
"ProcessEndTime": "",
"ProcessParameterFlags": "24577",
"ProcessStartTime": "1682368414.719",
"ProcessSxsFlags": "64",
"RawProcessId": "3120",
"SHA1HashData": "0000000000000000000000000000000000000000",
"SHA256HashData": "840e1f9dc5a29bebf01626822d7390251e9cf05bb3560ba7b68bdb8a41cf08e3",
"SessionId": "2",
"SignInfoFlags": "8683538",
"SourceProcessId": "4370948876",
"SourceThreadId": "112532918543",
"Tags": "25, 27, 40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 263882790666253",
"TargetProcessId": "10413665481",
"TokenType": "1",
"TreeId": "4295752857",
"UserSid": "S-1-5-21-239183934-720705223-383019856-500",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"timestamp": "1682368416719",
},
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"fdr_event_type": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"p_log_type": "Crowdstrike.FDREvent",
"timestamp": "2023-04-24 20:33:36.719",
}
- Name: Command Line Tool Execution with Base64 Argument (Positive) - Non-ASCII char
ExpectedResult: true
Log:
{
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"Entitlements": "15",
"TreeId": "4295752857",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event":
{
"AuthenticationId": "293628",
"AuthenticodeHashData": "98a4762f52a",
"CommandLine": "powershell.exe -NoProfile -NonInteractive –ExecutionPolicy Bypass -EncodedCommand UwB0AGEAcgB0ACAAIgBoAHQAdABwADoALwAvAGwAbwBjAGEAbABoAG8AcwB0ADoANgAwADAANgAvACIA",
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"EffectiveTransmissionClass": "2",
"Entitlements": "15",
"ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"ImageSubsystem": "3",
"IntegrityLevel": "12288",
"MD5HashData": "00000000004a672949fdd139d7ab1994",
"ParentAuthenticationId": "293628",
"ParentBaseFileName": "pwsh.exe",
"ParentProcessId": "4370948876",
"ProcessCreateFlags": "1024",
"ProcessEndTime": "",
"ProcessParameterFlags": "24577",
"ProcessStartTime": "1682368414.719",
"ProcessSxsFlags": "64",
"RawProcessId": "3120",
"SHA1HashData": "0000000000000000000000000000000000000000",
"SHA256HashData": "00000000006d378c65c9f4a8b3cfd909ecc89da96bc6cdb3e3aced7e1cce251c",
"SessionId": "2",
"SignInfoFlags": "8683538",
"SourceProcessId": "4370948876",
"SourceThreadId": "111111111111",
"Tags": "25, 27, 40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 263882790666253",
"TargetProcessId": "10413665481",
"TokenType": "1",
"TreeId": "4295752857",
"UserSid": "S-1-5-21-239183934-720705223-383019856-500",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"timestamp": "1682368416719",
},
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"fdr_event_type": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"p_log_type": "Crowdstrike.FDREvent",
"timestamp": "2023-04-24 20:33:36.719",
}
- Name: Command Line Tool Execution with Portuguese non-ASCII characters (Positive)
ExpectedResult: true
Log:
{
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"Entitlements": "15",
"TreeId": "4295752857",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event":
{
"AuthenticationId": "293628",
"AuthenticodeHashData": "98a4762f52a",
"CommandLine": "PowerShell.exe -NoProfile -ExecutionPolicy Bypass -File \"C:\\Program Files\\Program\\policies\\logon.ps1\" -NOTICETEXTSTRING \"Já conferiu as atualizações hoje?\" -NOTICECAPTIONSTRING Atualização -EncodedCommand c29tZXRoaW5n",
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"EffectiveTransmissionClass": "2",
"Entitlements": "15",
"ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"ImageSubsystem": "3",
"IntegrityLevel": "12288",
"MD5HashData": "0000000000e664180df54a59ceaa976d",
"ParentAuthenticationId": "293628",
"ParentBaseFileName": "pwsh.exe",
"ParentProcessId": "4370948876",
"ProcessCreateFlags": "1024",
"ProcessEndTime": "",
"ProcessParameterFlags": "24577",
"ProcessStartTime": "1682368414.719",
"ProcessSxsFlags": "64",
"RawProcessId": "3120",
"SHA1HashData": "0000000000000000000000000000000000000000",
"SHA256HashData": "0000000000df01c3b8a21a5684c9f16fbc1b97049676c43262cc31c73f910da1",
"SessionId": "2",
"SignInfoFlags": "8683538",
"SourceProcessId": "4370948876",
"SourceThreadId": "111111111111",
"Tags": "25, 27, 40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 263882790666253",
"TargetProcessId": "10413665481",
"TokenType": "1",
"TreeId": "4295752857",
"UserSid": "S-1-5-21-239183934-720705223-383019856-500",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"timestamp": "1682368416719",
},
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"fdr_event_type": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"p_log_type": "Crowdstrike.FDREvent",
"timestamp": "2023-04-24 20:33:36.719",
}
- Name: Windows Centennial App - NewUpdatesReadyToApply (Negative - False Positive Fix)
ExpectedResult: false
Log:
{
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"Entitlements": "15",
"TreeId": "4295752857",
"aid": "72821324f4394cb18366154f95efeefc",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event":
{
"AuthenticationId": "293628",
"AuthenticodeHashData": "98a4762f52a",
"CommandLine": "powershell.exe -Command start 'dcu.centennial: Create NewUpdatesReadyToApply'",
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"EffectiveTransmissionClass": "2",
"Entitlements": "15",
"ImageFileName": "\\Device\\HarddiskVolume3\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"ImageSubsystem": "3",
"IntegrityLevel": "12288",
"MD5HashData": "c031e215b8b08c752bf362f6d4c5d3ad",
"ParentAuthenticationId": "293628",
"ParentBaseFileName": "cmd.exe",
"ParentProcessId": "1170961674455",
"ProcessCreateFlags": "1024",
"ProcessEndTime": "",
"ProcessParameterFlags": "24577",
"ProcessStartTime": "1682368414.719",
"ProcessSxsFlags": "64",
"RawProcessId": "17584",
"SHA1HashData": "0000000000000000000000000000000000000000",
"SHA256HashData": "0ff6f2c94bc7e2833a5f7e16de1622e5dba70396f31c7d5f56381870317e8c46",
"SessionId": "2",
"SignInfoFlags": "8683538",
"SourceProcessId": "4370948876",
"SourceThreadId": "112532918543",
"Tags": "25, 27, 40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 263882790666253",
"TargetProcessId": "1170964331829",
"TokenType": "1",
"TreeId": "4295752857",
"UserSid": "S-1-5-21-239183934-720705223-383019856-500",
"aid": "72821324f4394cb18366154f95efeefc",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"timestamp": "1682368416719",
},
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"fdr_event_type": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"p_log_type": "Crowdstrike.FDREvent",
"platform": "Win",
"timestamp": "2023-04-24 20:33:36.719",
}
- Name: PowerShell UTF-16LE Encoded Command - Get-ItemProperty (Positive)
ExpectedResult: true
Log:
{
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"Entitlements": "15",
"TreeId": "4295752857",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event":
{
"AuthenticationId": "293628",
"AuthenticodeHashData": "98a4762f52a",
"CommandLine": "powershell.exe -NoProfile -EncodedCommand KABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAASABLAEwATQA6AFwAUwBZAFMAVABFAE0AXABDAHUAcgByAGUAbgB0AEMAbwBuAHQAcgBvAGwAUwBlAHQAXABDAG8AbgB0AHIAbwBsAFwAVABpAG0AZQBaAG8AbgBlAEkAbgBmAG8AcgBtAGEAdABpAG8AbgAgAC0ATgBhAG0AZQAgAFIAZQBhAGwAVABpAG0AZQBJAHMAVQBuAGkAdgBlAHIAcwBhAGwAKQAuAFIAZQBhAGwAVABpAG0AZQBJAHMAVQBuAGkAdgBlAHIAcwBhAGwA",
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"EffectiveTransmissionClass": "2",
"Entitlements": "15",
"ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"ImageSubsystem": "3",
"IntegrityLevel": "12288",
"MD5HashData": "c031e215b8b08c752bf362f6d4c5d3ad",
"ParentAuthenticationId": "293628",
"ParentBaseFileName": "python.exe",
"ParentProcessId": "4370948876",
"ProcessCreateFlags": "1024",
"ProcessEndTime": "",
"ProcessParameterFlags": "24577",
"ProcessStartTime": "1682368414.719",
"ProcessSxsFlags": "64",
"RawProcessId": "3120",
"SHA1HashData": "0000000000000000000000000000000000000000",
"SHA256HashData": "840e1f9dc5a29bebf01626822d7390251e9cf05bb3560ba7b68bdb8a41cf08e3",
"SessionId": "2",
"SignInfoFlags": "8683538",
"SourceProcessId": "4370948876",
"SourceThreadId": "112532918543",
"Tags": "25, 27, 40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 263882790666253",
"TargetProcessId": "10413665481",
"TokenType": "1",
"TreeId": "4295752857",
"UserSid": "S-1-5-21-239183934-720705223-383019856-500",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"timestamp": "1682368416719",
},
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"fdr_event_type": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"p_log_type": "Crowdstrike.FDREvent",
"timestamp": "2023-04-24 20:33:36.719",
}
- Name: PowerShell -Command with plain English args - no encoding flag (Negative)
ExpectedResult: false
Log:
{
"aid": "2c1d1b0b1e324c5894399c8b870994d4",
"aip": "46.17.161.146",
"cid": "e4a46c2a445744f7860dcf62bf1b6ad4",
"event":
{
"CommandLine": "\"powershell.exe\" -ExecutionPolicy Bypass -NoProfile -Command \\\"1-GPUpdate -Name 'Require user authentication for remote connections by using Network Level Authentication' -Force\\\"",
"ImageFileName": "\\Device\\HarddiskVolume3\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"ParentBaseFileName": "ThreatLockerService.exe",
"UserSid": "S-1-5-18",
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"name": "ProcessRollup2V19",
},
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"fdr_event_type": "ProcessRollup2",
"p_log_type": "Crowdstrike.FDREvent",
"timestamp": "2026-02-24 16:38:26.949000000",
}
- Name: PowerShell -enc abbreviated flag (Positive)
ExpectedResult: true
Log:
{
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event":
{
"CommandLine": "powershell.exe -NoProfile -enc aGVsbG93b3JsZA==",
"ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"ParentBaseFileName": "cmd.exe",
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"name": "ProcessRollup2V19",
},
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"fdr_event_type": "ProcessRollup2",
"p_log_type": "Crowdstrike.FDREvent",
"timestamp": "2023-04-24 20:33:36.719",
}
- Name: PowerShell -e abbreviated flag (Positive)
ExpectedResult: true
Log:
{
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event":
{
"CommandLine": "powershell.exe -NoProfile -e aGVsbG93b3JsZA==",
"ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"ParentBaseFileName": "cmd.exe",
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"name": "ProcessRollup2V19",
},
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"fdr_event_type": "ProcessRollup2",
"p_log_type": "Crowdstrike.FDREvent",
"timestamp": "2023-04-24 20:33:36.719",
}
Detection logic
Condition
process_name is_not_null
fdr_event_type eq "ProcessRollup2"
event_platform eq "Win"
process_name in ["powershell.exe", "cmd.exe", "cscript.exe", "wscript.exe", "rundll32.exe"]
This rule also runs imperative logic the parser cannot express as a filter; the conditions above are the structured part it could extract. The test cases show what that logic has to cover: an -EncodedCommand argument and its -enc and -e abbreviations (positive), a UTF-16LE encoded payload (positive), a command line whose other arguments contain non-ASCII text (positive), and long plain-text arguments with no encoding flag, such as the Centennial launcher string, which must not fire (negative).
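The structured conditions only select the process; the work is in the imperative part that the parser could not extract. The Python below is an added illustration written for this page, not the rule's own crowdstrike_base64_encoded_args.py and not Panther library code. It implements the page's process filter as a Panther-style rule() and adds the piece the tests exercise: finding an -EncodedCommand style switch (any prefix down to -e, plus -ec; that flag list is an assumption), decoding the argument as UTF-16LE when every second byte is zero and as UTF-8 otherwise, and treating a bare Base64-looking token as suspicious only if it is 16+ characters and decodes to printable text (both thresholds are this example's assumptions). The sample events are constructed, trimmed copies of the page's test command lines plus two extras (a cmd.exe inline blob and an unwatched notepad.exe) that are not on the page; alert_context() returns the output fields listed further down, plus the decoded command for the analyst.

```python
"""Added illustration for this page: a Panther-style Python reimplementation of
the detection, not the rule's own crowdstrike_base64_encoded_args.py."""
import base64
import binascii
import re
from typing import Dict, Optional, Tuple

# Structured part of the rule, copied from the Detection logic block on this page.
WATCHED_PROCESSES = {"powershell.exe", "cmd.exe", "cscript.exe", "wscript.exe", "rundll32.exe"}
# Assumption: powershell.exe accepts any prefix of -EncodedCommand (-e, -en, -enc, ...) plus -ec.
ENCODED_FLAGS = {"encodedcommand"[:n] for n in range(1, len("encodedcommand") + 1)} | {"ec"}
# A double-quoted run is one token; everything else splits on whitespace.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
# Assumption: a bare token needs 16+ Base64 characters before it is worth decoding.
B64_TOKEN_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def decode_base64_text(token: str) -> Optional[str]:
    """Decode a Base64 token to text; None if it is not valid Base64 or not text.
    PowerShell -EncodedCommand payloads are UTF-16LE, so ASCII-range text shows up
    with every second byte zero. Anything else is tried as UTF-8."""
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw:
        return None
    if len(raw) % 2 == 0 and not any(raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            return None
    return text if all(c.isprintable() or c.isspace() for c in text) else None


def find_encoded_argument(command_line: str) -> Optional[Tuple[str, str]]:
    """Return ("flag" or "inline", decoded_text) for the first Base64 argument, else None.
    "flag": the token after an -EncodedCommand style switch, decoded whatever its length.
    "inline": a bare Base64-looking token of 16+ characters that decodes to printable text."""
    tokens = [quoted or bare for quoted, bare in TOKEN_RE.findall(command_line)]
    for i, token in enumerate(tokens[:-1]):
        if token[:1] in ("-", "/") and token[1:].lower() in ENCODED_FLAGS:
            decoded = decode_base64_text(tokens[i + 1])
            if decoded is not None:
                return "flag", decoded
    for token in tokens:
        if B64_TOKEN_RE.match(token) and len(token) % 4 == 0:
            decoded = decode_base64_text(token)
            if decoded is not None:
                return "inline", decoded
    return None


def process_name(event: dict) -> Optional[str]:
    """Basename of event.ImageFileName, lower-cased (the page's process_name condition)."""
    image = (event.get("event") or {}).get("ImageFileName")
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower() if image else None


def rule(event: dict) -> bool:
    """Panther-style entry point: True when the event should alert."""
    if event.get("fdr_event_type") != "ProcessRollup2" or event.get("event_platform") != "Win":
        return False
    if process_name(event) not in WATCHED_PROCESSES:
        return False
    return find_encoded_argument((event.get("event") or {}).get("CommandLine") or "") is not None


def alert_context(event: dict) -> dict:
    """The output fields listed on this page, plus the decoded argument for the analyst."""
    inner = event.get("event") or {}
    found = find_encoded_argument(inner.get("CommandLine") or "")
    context = {key: inner.get(key) for key in ("CommandLine", "TargetProcessId", "RawProcessId",
                                                "ParentBaseFileName", "ParentProcessId", "ImageFileName")}
    context.update(aid=event.get("aid"), SHA256Hash=inner.get("SHA256HashData"),
                   platform=event.get("event_platform"), DecodedCommand=found[1] if found else None)
    return context


POWERSHELL = r"\Device\HarddiskVolume2\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Copied from the page's "UTF-16LE Encoded Command - Get-ItemProperty" test.
UTF16_ENCODED = "KABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAASABLAEwATQA6AFwAUwBZAFMAVABFAE0AXABDAHUAcgByAGUAbgB0AEMAbwBuAHQAcgBvAGwAUwBlAHQAXABDAG8AbgB0AHIAbwBsAFwAVABpAG0AZQBaAG8AbgBlAEkAbgBmAG8AcgBtAGEAdABpAG8AbgAgAC0ATgBhAG0AZQAgAFIAZQBhAGwAVABpAG0AZQBJAHMAVQBuAGkAdgBlAHIAcwBhAGwAKQAuAFIAZQBhAGwAVABpAG0AZQBJAHMAVQBuAGkAdgBlAHIAcwBhAGwA"


def _fdr_event(command_line: str, image: str = POWERSHELL, parent: str = "cmd.exe") -> dict:
    """Constructed minimal Crowdstrike.FDREvent in the shape of the page's test logs."""
    return {"aid": "877761efa8db44d792ddc2redacted", "event_platform": "Win",
            "fdr_event_type": "ProcessRollup2", "p_log_type": "Crowdstrike.FDREvent",
            "event": {"CommandLine": command_line, "ImageFileName": image, "ParentBaseFileName": parent,
                      "RawProcessId": "3120", "TargetProcessId": "10413665481",
                      "ParentProcessId": "4370948876", "SHA256HashData": "0" * 64}}


# Command lines copied from the page's tests, plus two constructed extras (cmd.exe, notepad.exe).
SAMPLE_EVENTS = {
    "encoded_command_quoted": _fdr_event(r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "aGVsbG93b3JsZA==" -SomeExtraCommand "HelloWorld"'),
    "portuguese_with_encoded_command": _fdr_event(r'PowerShell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Program Files\Program\policies\logon.ps1" -NOTICETEXTSTRING "Já conferiu as atualizações hoje?" -NOTICECAPTIONSTRING Atualização -EncodedCommand c29tZXRoaW5n', parent="pwsh.exe"),
    "utf16le_get_itemproperty": _fdr_event("powershell.exe -NoProfile -EncodedCommand " + UTF16_ENCODED, parent="python.exe"),
    "abbreviated_enc": _fdr_event("powershell.exe -NoProfile -enc aGVsbG93b3JsZA=="),
    "abbreviated_e": _fdr_event("powershell.exe -NoProfile -e aGVsbG93b3JsZA=="),
    "centennial_false_positive": _fdr_event("powershell.exe -Command start 'dcu.centennial: Create NewUpdatesReadyToApply'"),
    "plain_command_no_flag": _fdr_event('"powershell.exe" -ExecutionPolicy Bypass -NoProfile -Command \\"1-GPUpdate -Name \'Require user authentication for remote connections by using Network Level Authentication\' -Force\\"', parent="ThreatLockerService.exe"),
    "cmd_inline_blob": _fdr_event("cmd.exe /c echo aGVsbG93b3JsZCBhZ2Fpbg== > out.txt", image=r"\Device\HarddiskVolume2\Windows\System32\cmd.exe"),
    "unwatched_process": _fdr_event("notepad.exe -e aGVsbG93b3JsZA==", image=r"\Device\HarddiskVolume2\Windows\System32\notepad.exe"),
}


def evaluate_samples() -> Dict[str, bool]:
    """Run rule() over every sample; the page's own tests all come out as their ExpectedResult."""
    return {name: rule(event) for name, event in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{verdict!s:5}  {name}")
    print(alert_context(SAMPLE_EVENTS["utf16le_get_itemproperty"])["DecodedCommand"])
```

The UTF-16LE check is what keeps the decoder honest: the "helloworld" payload in the page's tests is plain ASCII, and decoding those ten bytes as UTF-16LE would yield five printable CJK characters, so a decoder that tries UTF-16LE first and only checks printability would report nonsense. The 16-character floor and the strict length-multiple-of-4 rule are why "NewUpdatesReadyToApply" (22 characters) never reaches the decoder on the inline path.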
Indicators
Each row is a field, operator, and value that the rule matches, as extracted from the conditions above.
| Field | Kind | Values |
|---|---|---|
| event_platform | eq | "Win" |
| fdr_event_type | eq | "ProcessRollup2" |
| process_name | in | "powershell.exe", "cmd.exe", "cscript.exe", "wscript.exe", "rundll32.exe" |
| process_name | is_not_null | |
Output fields
Fields the rule emits when it matches. A blank Source means the output field carries the Crowdstrike.FDREvent field of the same name; SHA256Hash and platform are renamed from SHA256HashData and event_platform.
| Field | Source |
|---|---|
| aid | |
| CommandLine | |
| TargetProcessId | |
| RawProcessId | |
| ParentBaseFileName | |
| ParentProcessId | |
| ImageFileName | |
| SHA256Hash | SHA256HashData |
| platform | event_platform |