Adversaries may base64-encode payloads or staged data and decode them on the host with the base64 utility to hide malicious content from string-based detection (MITRE ATT&CK T1027, Obfuscated Files or Information), which makes decoding activity a potential indicator of command-and-control or data-exfiltration activity. Proactively hunting for base64 decoding in Azure Sentinel can surface covert communication or exfiltration attempts that evade basic detection mechanisms.
Detection Rule
title: Decode Base64 Encoded Text
id: e2072cab-8c9a-459b-b63c-40ae79e27031
status: test
description: Detects usage of base64 utility to decode arbitrary base64-encoded text
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2021-11-27
tags:
    - attack.defense-evasion
    - attack.t1027
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/base64'
        CommandLine|contains: '-d' # Also covers "--decode"
    condition: selection
falsepositives:
    - Legitimate activities
level: low
Equivalent Azure Sentinel (KQL) query over the imProcessCreate parser:

imProcessCreate
| where TargetProcessName endswith "/base64" and TargetProcessCommandLine contains "-d"
False Positives

Scenario: A system administrator uses the base64 command to decode a base64-encoded string as part of a script to verify data integrity.
Filter/Exclusion: Exclude processes where the command line includes base64 -d and the decoded output is less than 100 characters.

Scenario: A scheduled job runs a script that uses base64 to decode a token for API authentication as part of a CI/CD pipeline.
Filter/Exclusion: Exclude processes where the command line includes base64 -d and the decoded string matches a known API token pattern (e.g., Bearer <token>).

Scenario: A developer uses the Python base64 module to decode a string during debugging or testing.
Filter/Exclusion: Exclude processes where the command line includes python and the script path contains debug.py or test_*.py.

Scenario: A backup job uses base64 to decode a compressed archive that was previously encoded for storage.
Filter/Exclusion: Exclude processes where the command line includes base64 -d and the file path contains backup_*.tar.gz or similar naming patterns.

Scenario: A security tool or SIEM system uses base64 to decode log entries that were encoded for transmission.
Filter/Exclusion: Exclude processes where the command line includes base64 -d and the process name or parent process is a known security tool (e.g., splunk, logstash, or syslog-ng).