Windows host username encoded in base64 web request

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Content Index

---

This detection will identify network requests in HTTP proxy data that contains Base64 encoded usernames from machines in the DeviceEvents table. This technique was seen usee by POLONIUM in their RunningRAT tool.

Attribute	Value
Type	Analytic Rule
Solution	Standalone Content
ID	6e715730-82c0-496c-983b-7a20c4590bd9
Severity	Medium
Kind	Scheduled
Tactics	Exfiltration, CommandAndControl
Techniques	T1041, T1071.001
Required Connectors	Zscaler, Fortinet, CheckPoint, PaloAltoNetworks, MicrosoftThreatProtection
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Transformations	Ingestion API	Lake-Only
CommonSecurityLog	✓	✓	?
DeviceEvents	✓	✗	?

Associated Connectors

The following connectors provide data for this content item:

Connector	Solution
CefAma	Common Event Format
CloudNSSAuditLogs_ccp	Zscaler Internet Access
CloudNSSCASBActivityLogs_ccp	Zscaler Internet Access
CloudNSSCASBCRMLogs_ccp	Zscaler Internet Access
CloudNSSCASBCloudStorageLogs_ccp	Zscaler Internet Access
CloudNSSCASBCollabLogs_ccp	Zscaler Internet Access
CloudNSSCASBEmailLogs_ccp	Zscaler Internet Access
CloudNSSCASBFileSharingLogs_ccp	Zscaler Internet Access
CloudNSSCASBITSMLogs_ccp	Zscaler Internet Access
CloudNSSCASBRepoLogs_ccp	Zscaler Internet Access
CloudNSSDNSLogs_ccp	Zscaler Internet Access
CloudNSSEmailDLPLogs_ccp	Zscaler Internet Access
CloudNSSEndpointDLPLogs_ccp	Zscaler Internet Access
CloudNSSFWLogs_ccp	Zscaler Internet Access
CloudNSSTunnelLogs_ccp	Zscaler Internet Access
CloudNSSWebLogs_ccp	Zscaler Internet Access
VirtualMetricDirectorProxy	VirtualMetric DataStream
VirtualMetricMSSentinelConnector	VirtualMetric DataStream
VirtualMetricMSSentinelDataLakeConnector	VirtualMetric DataStream

Solutions: Common Event Format, VirtualMetric DataStream, Zscaler Internet Access

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Analytic Rules