decode

This is an example from the WPNinja Summit 2022 session "Throwing KQL like a shuriken", presented by Gianni Castaldi and Alex Verboon.

// Step 1: pull the base64 candidate out of an encoded-command switch (-e, -ec, -enc, -EncodedCommand, ...).
// The [^xXrR] class stops switches such as -ExecutionPolicy from being treated as a match.
DeviceProcessEvents
| extend EncodedString = extract(@" -[eE][^xXrR]\S* ([a-zA-Z0-9]*={0,2})", 1, ProcessCommandLine)
| where isnotempty(EncodedString)

// Step 2: filter, decode and clean up the extracted string.
DeviceProcessEvents
| extend EncodedString = extract(@" -[eE][^xXrR]\S* ([a-zA-Z0-9]*={0,2})", 1, ProcessCommandLine)
| where isnotempty(EncodedString)
| where strlen(EncodedString) >= 4                                    // skip fragments too short to be valid base64
| extend DecodedString = base64_decode_tostring(EncodedString)
| where isnotempty(DecodedString)                                     // drop rows the decoder could not handle
| extend DecodedString = replace_string(DecodedString, "\x00", "")   // strip the NULs left by UTF-16LE payloads
| project-reorder Timestamp, DecodedString
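The same extract, filter and decode pipeline as an added Python example (not from the session or this page), so it can be run offline over constructed command lines; it reuses the query's regex unchanged and shows why the query has to strip \x00 after base64_decode_tostring(): the payload is UTF-16LE, but the KQL function reads the decoded bytes as UTF-8.

```python
import base64
import re

# Pattern from the KQL above, unchanged: " -e" plus one char that rules out
# switches such as -ExecutionPolicy, the rest of the switch, a space, then the
# base64 candidate with up to two '=' of padding (RE2 and Python agree here).
ENCODED_ARG = re.compile(r" -[eE][^xXrR]\S* ([a-zA-Z0-9]*={0,2})")


def extract_encoded(command_line):
    """Mirror extract(..., 1, ProcessCommandLine): group 1, or None if no match."""
    match = ENCODED_ARG.search(command_line)
    return match.group(1) if match else None


def decode_encoded(encoded):
    """Mirror the strlen, base64_decode_tostring and replace_string steps."""
    if len(encoded) < 4:                       # where strlen(EncodedString) >= 4
        return None
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:                         # bad length or padding: no result
        return None
    # base64_decode_tostring() reads the bytes as UTF-8, but -EncodedCommand
    # carries UTF-16LE, so an ASCII payload decodes to "W\x00r\x00i\x00..."
    # That interleaved NUL is what replace_string(..., "\x00", "") removes.
    text = raw.decode("utf-8", errors="replace").replace("\x00", "")
    return text or None                        # where isnotempty(DecodedString)


def hunt(command_lines):
    """Run the whole query over command lines; return (command_line, decoded) hits."""
    hits = []
    for cmd in command_lines:
        encoded = extract_encoded(cmd)
        decoded = decode_encoded(encoded) if encoded is not None else None
        if decoded is not None:
            hits.append((cmd, decoded))
    return hits


# Constructed sample command lines (not from the session material).
SAMPLE_COMMAND_LINES = [
    # -enc carrying the UTF-16LE base64 of "Write-Host hi": the one real hit
    "powershell.exe -NoProfile -enc VwByAGkAdABlAC0ASABvAHMAdAAgAGgAaQA=",
    # -Ex... is excluded by [^xXrR], so it is never treated as a candidate
    "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\tools\\build.ps1",
    # matches the pattern but is dropped by the strlen() >= 4 filter
    "powershell.exe -ec ab",
    # no -e switch at all
    "cmd.exe /c dir",
]
```

Calling hunt(SAMPLE_COMMAND_LINES) yields exactly one hit, decoded to "Write-Host hi"; a payload truncated at a '+' or '/' (which the regex's character class does not capture) fails base64 validation and is dropped, the same way the KQL isnotempty(DecodedString) filter drops it.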
