Adversaries may Base64-encode malicious payloads to evade simple string-based detection. Because an encoder or decoder usually carries the 64-character Base64 alphabet as a literal table, SOC teams can proactively hunt for that table in Azure Sentinel to surface obfuscation tooling used in advanced persistent threats.
YARA Rule
```yara
rule BASE64_table {
    meta:
        author = "_pusher_"
        description = "Look for Base64 table"
        date = "2015-07"
        version = "0.1"
    strings:
        // The standard alphabet A-Z, a-z, 0-9, '+', '/' as one contiguous 64-byte sequence
        $c0 = { 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 75 76 77 78 79 7A 30 31 32 33 34 35 36 37 38 39 2B 2F }
    condition:
        $c0
}
```
This rule contains 1 string pattern (`$c0`) in its detection logic. Because legitimate encoders embed the same table, the rule can be deployed in the following contexts, each with a suggested exclusion to suppress benign matches:
Scenario: Base64 encoding used in log files for data compression or obfuscation
Filter/Exclusion: Exclude logs generated by tools like gzip, bzip2, or base64 when used for log compression or encoding.
Example Filter: `process.name != "gzip" AND process.name != "bzip2" AND process.name != "base64"`

Scenario: Base64 encoding used in scheduled jobs for data transfer
Filter/Exclusion: Exclude jobs run by tools like cron, systemd, or task scheduler that encode data for API calls or file transfers.
Example Filter: `process.name != "cron" AND process.name != "systemd" AND process.name != "task scheduler"`

Scenario: Base64 encoding used in administrative tasks for secure credential handling
Filter/Exclusion: Exclude administrative tasks involving tools like ssh, scp, or openssl where Base64 is used for encoding credentials.
Example Filter: `process.name != "ssh" AND process.name != "scp" AND process.name != "openssl"`

Scenario: Base64 encoding used in internal data serialization (e.g., JSON or XML)
Filter/Exclusion: Exclude processes that serialize data using tools like jq, xmlstarlet, or custom scripts that use Base64 for internal data handling.
Example Filter: `process.name != "jq" AND process.name != "xmlstarlet" AND process.name != "python"`

Scenario: Base64 encoding used in user-generated content (e.g., email attachments or web forms)
Filter/Exclusion: Exclude content handled by web servers like Apache, Nginx, or email clients like Postfix where Base64 is used for encoding user data.
Example Filter:
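The following added example (not from the original page or the rule's author) reproduces what `$c0` matches in plain Python, applies the process-name exclusions listed above to constructed sample events, and goes one step beyond the rule by also flagging a shuffled (custom) Base64 table, which is a permutation of the same 64 characters that an exact-match rule would miss. The event format, the `BENIGN_PROCESSES` set and the sample payloads are assumptions built for this demonstration.

```python
import string

# Standard Base64 alphabet: byte-for-byte the $c0 hex string in the YARA rule above.
BASE64_TABLE = (string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/").encode()

# Process names the page's example filters exclude as benign encoders (constructed set).
BENIGN_PROCESSES = {"gzip", "bzip2", "base64", "cron", "systemd", "task scheduler",
                    "ssh", "scp", "openssl", "jq", "xmlstarlet", "python"}

def find_base64_table(data: bytes) -> list[int]:
    """Offsets of every exact occurrence of the standard table, i.e. what $c0 matches."""
    hits, start = [], 0
    while (idx := data.find(BASE64_TABLE, start)) != -1:
        hits.append(idx)
        start = idx + 1
    return hits

def find_custom_tables(data: bytes) -> list[tuple[int, bytes]]:
    """Beyond the rule: a contiguous 64-byte run that is a permutation of the standard
    alphabet, which is how shuffled (custom) Base64 tables show up in a binary.
    Exact copies of the standard table are left to find_base64_table."""
    alphabet = set(BASE64_TABLE)
    found = []
    for i in range(len(data) - 63):
        window = data[i:i + 64]
        if window != BASE64_TABLE and set(window) == alphabet:
            found.append((i, window))
    return found

def triage(event: dict) -> str:
    """Apply the rule, then the page's process-name exclusions, to one event.
    A custom table is never excluded: the benign tools listed use the standard one."""
    standard = find_base64_table(event["payload"])
    custom = find_custom_tables(event["payload"])
    if not standard and not custom:
        return "clean"
    if not custom and event["process_name"] in BENIGN_PROCESSES:
        return "excluded"
    return "alert"

# Constructed sample events: process name plus the bytes the rule would scan.
SAMPLE_EVENTS = [
    {"process_name": "base64", "payload": b"\x00" * 16 + BASE64_TABLE + b"\x00" * 16},
    {"process_name": "dropper.exe", "payload": b"MZ\x90\x00" + BASE64_TABLE},
    {"process_name": "python", "payload": b"no alphabet table in this payload"},
    {"process_name": "python", "payload": BASE64_TABLE[::-1]},  # reversed = custom table
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["process_name"], "->", triage(e))
```

Note that the permutation scan is quadratic in the worst case and is meant for triage of already-suspicious samples, not for bulk scanning of every file.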