Adversaries may base64-encode malicious executables to evade basic content inspection and embed the encoded text inside otherwise legitimate files (scripts, documents, web pages, configuration). Because the encoded form no longer contains the raw MZ/PE header, byte-level signatures miss it. SOC teams should hunt for this pattern proactively, for example by scanning files and memory with the YARA rule below and correlating hits in Microsoft Sentinel (formerly Azure Sentinel), rather than relying on traditional signature-based detection alone.
YARA Rule
rule Base64_encoded_Executable {
    meta:
        description = "Detects a base64 encoded executable (often embedded)"
        author = "Florian Roth"
        date = "2015-05-28"
        score = 50
    strings:
        $s1 = "TVpTAQEAAAAEAAAA//8AALgAAAA" // 14 samples in goodware archive
        $s2 = "TVoAAAAAAAAAAAAAAAAAAAAAAAA" // 26 samples in goodware archive
        $s3 = "TVqAAAEAAAAEABAAAAAAAAAAAAA" // 75 samples in goodware archive
        $s4 = "TVpQAAIAAAAEAA8A//8AALgAAAA" // 168 samples in goodware archive
        $s5 = "TVqQAAMAAAAEAAAA//8AALgAAAA" // 28,529 samples in goodware archive
    condition:
        1 of them
}
The rule contains five string patterns and fires when any one of them is present (`1 of them`). Each pattern is the base64 encoding of the first 20 bytes of a common DOS/MZ header (the `TV` prefix is `MZ`), so the rule only matches when the executable begins on a 3-byte boundary of the encoded plaintext. An executable preceded by one or two extra bytes, or split across wrapped base64 lines inside the 27-character pattern, encodes to different text and is missed; conversely, the goodware counts in the comments show that `$s5` in particular is common in legitimate software and needs context before it is treated as malicious.
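The following Python script is an added example, not part of the original page or of the rule author's tooling. It shows the relationship between the rule's literals and the raw DOS header they encode, reproduces the rule's literal match, and then goes one step further than the rule: it decodes every base64 run in a blob and checks for an MZ header at any plaintext alignment, confirming the hit through `e_lfanew` pointing at the `PE\0\0` signature. The sample blobs, including the 88-byte PE stub, are constructed for the demonstration and are not real malware; the `looks_like_pe` and `find_embedded_pe` helpers are this example's own names.

```python
import base64
import binascii
import re

# The five literals from the YARA rule, each the base64 of a 20-byte DOS header
# prefix encoded at alignment 0 (the MZ starts on a 3-byte plaintext boundary).
RULE_STRINGS = [
    "TVpTAQEAAAAEAAAA//8AALgAAAA",
    "TVoAAAAAAAAAAAAAAAAAAAAAAAA",
    "TVqAAAEAAAAEABAAAAAAAAAAAAA",
    "TVpQAAIAAAAEAA8A//8AALgAAAA",
    "TVqQAAMAAAAEAAAA//8AALgAAAA",
]

# Recover the raw header bytes the rule is really looking for. Appending one
# character completes the last base64 quantum; the resulting 21st byte is dropped.
KNOWN_DOS_PREFIXES = {base64.b64decode(s + "A")[:20] for s in RULE_STRINGS}

# Runs of at least 24 base64 alphabet characters, optionally padded.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")


def rule_string_matches(data: bytes) -> bool:
    """Literal search equivalent to the YARA condition '1 of them'."""
    return any(s.encode() in data for s in RULE_STRINGS)


def looks_like_pe(buf: bytes, i: int) -> bool:
    """buf[i:] must start with 'MZ'. Confirm via e_lfanew -> 'PE\\0\\0' when enough
    bytes are present; otherwise fall back to the known DOS header prefixes."""
    if buf[i:i + 2] != b"MZ":
        return False
    if len(buf) >= i + 0x40:
        e_lfanew = int.from_bytes(buf[i + 0x3C:i + 0x40], "little")
        end = i + e_lfanew + 4
        if 0x40 <= e_lfanew <= 0x1000 and end <= len(buf):
            return buf[end - 4:end] == b"PE\x00\x00"
    return buf[i:i + 20] in KNOWN_DOS_PREFIXES


def find_embedded_pe(data: bytes) -> list:
    """Decode every base64 run and report MZ headers at any plaintext alignment."""
    hits = []
    for m in B64_RUN.finditer(data):
        run = m.group()
        # The run may start mid-quantum if extraction cut it; try all four
        # character offsets and keep the first decoding that yields a PE.
        for skip in range(4):
            chunk = run[skip:]
            chunk = chunk[: len(chunk) - len(chunk) % 4]
            try:
                decoded = base64.b64decode(chunk, validate=True)
            except (binascii.Error, ValueError):
                continue
            found = [i for i in range(len(decoded) - 1)
                     if decoded[i] == 0x4D and looks_like_pe(decoded, i)]
            if found:
                for i in found:
                    hits.append({
                        "run_offset": m.start(),
                        "mz_offset": i,
                        "alignment": i % 3,  # 0 is the only case the YARA rule covers
                        "rule_would_match": any(s.encode() in run for s in RULE_STRINGS),
                    })
                break
    return hits


# Constructed sample (not real malware): a standard DOS header, e_lfanew = 0x40,
# a PE signature and IMAGE_FILE_MACHINE_I386, padded to 88 bytes.
PE_STUB = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00\xb8\x00\x00\x00"
    + b"\x00" * (0x3C - 20)
    + (0x40).to_bytes(4, "little")
    + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 18
)

SAMPLES = {
    # PE starts at plaintext offset 0: the rule's literal appears verbatim.
    "aligned": b'<img src="data:application/octet-stream;base64,'
               + base64.b64encode(PE_STUB) + b'">',
    # One leading byte shifts the alignment: same PE, different base64 text.
    "shifted": b"payload=" + base64.b64encode(b"\x00" + PE_STUB) + b"\n",
    # Ordinary base64 text with no executable in it.
    "benign": b"note: " + base64.b64encode(b"The quick brown fox jumps over the lazy dog. " * 2),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "yara-literal:", rule_string_matches(blob),
              "decoder:", find_embedded_pe(blob))
```

Running it shows the gap the rule leaves: the `aligned` blob is caught by both the literal match and the decoder, the `shifted` blob is caught only by the decoder (alignment 1), and the `benign` blob produces no hits from either. In a hunting pipeline the decoder is the second-stage check to run on files or command lines that a broader base64 heuristic has already flagged.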
Scenario: A system administrator base64-encodes a binary or script so it survives transit over a text-only channel (base64 is an encoding, not encryption, and provides no confidentiality). The rule fires only if the encoded payload is an executable.
Filter/Exclusion: Correlate the YARA hit with process telemetry: a matching file written by a known administrative workflow (e.g., a `base64 -d` invocation from bash or sh) under an administrative account can be suppressed, preferably keyed on the specific host, account and tool rather than on the account alone, since attackers routinely operate as admin once they have a foothold.
Scenario: A scheduled job runs a PowerShell script that carries a base64-encoded executable payload (for example an embedded installer or agent).
Filter/Exclusion: Exclude the specific scheduled task by its task name and the known script path (e.g., a script under an approved job directory launched by C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe). Do not exclude everything that originates from schtasks.exe or the Task Scheduler service, because scheduled tasks running encoded PowerShell are a common persistence technique.
Scenario: A developer encodes a binary file for inclusion in a documentation file or archive. Note that xxencode and uuencode use a different alphabet, so this rule only fires if the developer used standard base64 (e.g., the `base64` utility or `[Convert]::ToBase64String`).
Filter/Exclusion: Exclude files with known documentation extensions (e.g., .docx, .pdf, .txt) in approved repositories, or filter by user context (e.g., user == "dev" or user == "developer"). Keep in mind that documents carrying an embedded executable are also a classic delivery vector, so prefer path- and repository-based exclusions over extension-only ones.
Scenario: A backup process base64-encodes binary data so it can be stored in a text column of a database (base64 does not compress; it expands the data by about a third).
Filter/Exclusion: Exclude processes belonging to backup services (e.g., vssadmin, wbadmin, or backupexec) or filter by database connection strings and known backup directories.
Scenario: A security testing script (for example a proof-of-concept or detection-test harness for CVE-2021-40444) carries a base64-encoded executable as its test payload.
Filter/Exclusion: Exclude processes associated with security testing tools (e.g., nuclei, bandit, or nessus) or filter by known test environments (e.g., test