Adversaries may encode malicious binaries as base64 within certificate files to evade standard file-based detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate stealthy malware delivery tactics that bypass traditional detection methods.
YARA Rule
rule Binary_Drop_Certutil
{
    meta:
        description = "Drop binary as base64 encoded cert trick"
        author = "Florian Roth"
        reference = "https://goo.gl/9DNn8q"
        date = "2015-07-15"
        score = 70
    strings:
        $s0 = "echo -----BEGIN CERTIFICATE----- >" ascii
        $s1 = "echo -----END CERTIFICATE----- >>" ascii
        $s2 = "certutil -decode " ascii
    condition:
        filesize < 10KB and all of them
}
This rule contains 3 string patterns in its detection logic, and it only fires when all three are present in a file smaller than 10KB. The following benign scenarios can trigger it, with the exclusions to apply when deploying it:
Scenario: A system administrator is manually decoding a base64-encoded certificate for verification using openssl or base64 command-line tools.
Filter/Exclusion: Exclude processes where the command includes openssl or base64 and the file being decoded is a known certificate file (e.g., .crt, .cer).
Scenario: A scheduled job runs to update trusted root certificates using a tool like certutil or update-ca-trust on Linux systems.
Filter/Exclusion: Exclude processes initiated by cron jobs or systemd timers, and filter for known certificate update tools.
Scenario: A developer is using a CI/CD pipeline (e.g., Jenkins, GitLab CI) to encode a certificate as base64 for inclusion in a config file or API request.
Filter/Exclusion: Exclude processes associated with CI/CD agents or tools, and filter for files with .base64 or .txt extensions that are known to contain certificates.
Scenario: A security tool like certwatch or sslscan is analyzing certificates and encoding them as base64 for output or logging.
Filter/Exclusion: Exclude processes with known security monitoring tools in their command line or process name.
Scenario: A system is running a scheduled backup job that includes base64-encoded certificate files as part of a backup archive.
Filter/Exclusion: Exclude processes related to backup tools (e.g., rsync, tar, backuppc) and filter for files with .tar, .zip, or .gz extensions that contain certificate data.
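To see how the rule's condition separates a dropper-style script from the benign cases above, here is an added Python re-implementation of its logic (example code, not part of the original rule or Florian Roth's work). It runs the three strings and the size bound over constructed samples: a suspect batch file with a placeholder body, an administrator decoding an existing certificate, and the same suspect file padded past 10KB. The helper that extracts the `certutil -decode` output path is an assumption added for triage, not something the rule does.

```python
import re

# Strings and size bound taken from the Binary_Drop_Certutil rule above.
RULE_STRINGS = {
    "s0": b"echo -----BEGIN CERTIFICATE----- >",
    "s1": b"echo -----END CERTIFICATE----- >>",
    "s2": b"certutil -decode ",
}
MAX_FILESIZE = 10 * 1024  # YARA's "10KB" means 10 * 1024 bytes


def match_binary_drop_certutil(data: bytes) -> dict:
    """Mirror the rule's condition: filesize < 10KB and all of them.
    Returns per-string hits, the size check and the final verdict."""
    hits = {name: (s in data) for name, s in RULE_STRINGS.items()}
    size_ok = len(data) < MAX_FILESIZE
    return {
        "filesize": len(data),
        "size_ok": size_ok,
        "hits": hits,
        "match": size_ok and all(hits.values()),
    }


def decoded_output_paths(data: bytes) -> list:
    """Triage helper (assumed, not part of the rule): pull the output file
    from each 'certutil -decode <in> <out>' so an analyst can pivot to it."""
    text = data.decode("latin-1")
    return re.findall(r"certutil -decode \S+ (\S+)", text, flags=re.IGNORECASE)


# Constructed sample of the script shape the rule targets; the certificate
# body is a placeholder, not a real payload.
SUSPECT_BAT = (
    b"@echo off\r\n"
    b"echo -----BEGIN CERTIFICATE----- > %TEMP%\\x.crt\r\n"
    b"echo <base64-payload-placeholder> >> %TEMP%\\x.crt\r\n"
    b"echo -----END CERTIFICATE----- >> %TEMP%\\x.crt\r\n"
    b"certutil -decode %TEMP%\\x.crt %TEMP%\\x.exe\r\n"
)

# Constructed benign sample: an admin decoding an existing PEM file. Only $s2
# is present, so "all of them" keeps it from matching.
ADMIN_BAT = b"certutil -decode C:\\certs\\vendor.crt C:\\certs\\vendor.der\r\n"

# Same suspect script padded beyond 10KB: every string hits, size bound fails.
PADDED_BAT = SUSPECT_BAT + b"rem " + b"A" * MAX_FILESIZE + b"\r\n"

if __name__ == "__main__":
    for name, blob in [("suspect", SUSPECT_BAT), ("admin", ADMIN_BAT), ("padded", PADDED_BAT)]:
        print(name, match_binary_drop_certutil(blob), decoded_output_paths(blob))
```

The padded case is worth keeping in mind when tuning: a script that carries a large encoded body inline exceeds the rule's size bound and will need a separate hunt (for example on `certutil -decode` process events) rather than this file-based rule.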