The detection rule matches the literal `this['eval'](this['atob']('`, a pattern in which a script evaluates a base64-decoded string through bracket-notation property access; this use of the atob JavaScript function is commonly seen in obfuscated loaders used for data exfiltration or command and control communications. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage adversarial activity that could lead to data compromise or persistence.
YARA Rule
rule atob_js {
    strings:
        $ = "this['eval'](this['atob']('"
    condition:
        any of them
}
The following legitimate scenarios can also produce matches for this YARA rule; each lists a filter or exclusion to reduce false positives:
Scenario: Legitimate Base64 Decoding in Scripting Tools
Description: A developer uses atob() in a JavaScript snippet to decode a base64 string as part of a script in a tool like Node.js or Electron.
Filter/Exclusion: Check for the presence of atob() in scripts executed by Node.js or Electron processes, or filter by process name such as node or electron.
Scenario: Scheduled Job Using Base64 Encoded Data
Description: A scheduled job (e.g., via cron, Windows Task Scheduler, or Ansible) uses base64 encoded credentials or data for automation.
Filter/Exclusion: Exclude processes associated with cron, task scheduler, or Ansible. Filter by command-line arguments containing --base64 or similar flags.
Scenario: Admin Task Involving Base64 Encoding/Decoding
Description: An admin uses a tool like Python or PowerShell to perform base64 encoding/decoding as part of a data processing task.
Filter/Exclusion: Filter by process names such as python or powershell.exe, or check for the presence of base64 strings in known admin scripts or logs.
Scenario: Web Application Using Base64 for Data Transmission
Description: A web application (e.g., React, Angular, or Vue.js) uses atob() to decode data sent from the backend, such as images or tokens.
Filter/Exclusion: Exclude requests or processes associated with web servers (e.g., nginx, apache, or IIS), or filter by known application-specific process names.
Scenario: Debugging or Testing with Base64
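The following is an added example, not part of the original page: it mirrors the rule's single literal string in Python, applies a process-name allowlist built from the exclusion scenarios above (the allowlist and sample scripts are constructed assumptions), and adds a broader pattern to show that the rule's literal does not cover dot-notation `eval(atob(...))`.

```python
import re

# Literal taken from the page's YARA rule: bracket-notation eval of an atob() result.
RULE_STRING = "this['eval'](this['atob']('"

# Hypothetical allowlist assembled from the page's exclusion scenarios (assumed names).
EXCLUDED_PROCESSES = {"node", "electron", "python", "powershell.exe",
                      "nginx", "apache", "iis"}

# Broader pattern (an extension, not the page's rule): matches both the bracket
# form this['eval'](this['atob']( and the plain dot form eval(atob( .
BROAD_PATTERN = re.compile(
    r"(?:this\[['\"]eval['\"]\]|\beval)\s*\(\s*(?:this\[['\"]atob['\"]\]|\batob)\s*\("
)

# Constructed sample scripts; the base64 payload decodes to console.log(1).
SAMPLES = {
    "obfuscated":   "this['eval'](this['atob']('Y29uc29sZS5sb2coMSk='));",
    "dot_notation": "eval(atob('Y29uc29sZS5sb2coMSk='));",
    "benign_decode": "const img = atob(payload); render(img);",
}


def yara_match(content: str) -> bool:
    """Mirror the YARA rule: 'any of them' over a single literal string."""
    return RULE_STRING in content


def broad_match(content: str) -> bool:
    """Extended check covering dot-notation eval(atob()) as well."""
    return BROAD_PATTERN.search(content) is not None


def triage(content: str, process_name: str) -> str:
    """Classify a script seen in the context of a given process name.

    Returns 'no-match' if the rule does not fire, 'match-excluded' if it fires
    but the process is on the legitimate-use allowlist, else 'alert'.
    """
    if not yara_match(content):
        return "no-match"
    if process_name.lower() in EXCLUDED_PROCESSES:
        return "match-excluded"
    return "alert"


if __name__ == "__main__":
    for name, script in SAMPLES.items():
        print(f"{name:14} rule={yara_match(script)!s:5} broad={broad_match(script)!s:5} "
              f"triage(chrome.exe)={triage(script, 'chrome.exe')}")
```

The output shows that the dot-notation sample evades the literal rule while the broader pattern still catches it, and that the benign atob() call matches neither.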