The hypothesis is that an adversary is decoding and executing base64-encoded payloads to evade detection, leveraging execution capabilities in the Azure environment. SOC teams should proactively hunt for this behavior to identify command-and-control communication or payload-delivery mechanisms that may bypass traditional detection methods.
YARA Rule
rule eval_base64_decode_a {
    strings:
        $ = "eval(base64_decode($a));"
    condition:
        any of them
}
When this YARA rule is deployed, the following legitimate scenarios can produce matches; the filter or exclusion listed with each one reduces those false positives:
Scenario: A system administrator is using base64 to encode a configuration file before uploading it to a remote server.
Filter/Exclusion: Check for the presence of base64 in the context of file uploads or transfer processes, and exclude files with known configuration file extensions (e.g., .conf, .yaml, .json).
Scenario: A scheduled job runs a script that uses base64 to encode logs for archival purposes.
Filter/Exclusion: Filter out base64-encoded data that appears in log files or is associated with log compression tasks, such as those using gzip or tar in conjunction with base64.
Scenario: A DevOps engineer is using base64 to encode sensitive credentials in a CI/CD pipeline (e.g., using base64 in a Jenkins or GitLab CI script).
Filter/Exclusion: Exclude base64 strings that are part of environment variables or secrets management tools like Vault, AWS Secrets Manager, or Kubernetes Secrets.
Scenario: A database administrator is using base64 to encode binary data (e.g., images or PDFs) for storage in a database column.
Filter/Exclusion: Exclude base64 strings that are associated with database operations, such as queries involving INSERT, UPDATE, or SELECT on binary data fields.
Scenario: A system is running a legitimate tool like openssl or base64 as part of a secure communication setup (e.g., encoding data for TLS or SSH).
Filter/Exclusion: Exclude base64 data that is generated by known secure tools or appears in network traffic associated with encrypted protocols (e.g., TLS, SSH, SFTP).
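As an added example (not part of the original hunt or its YARA rule), this Python scanner applies the rule's exact literal alongside a broader regex that tolerates whitespace and any variable name, and applies the configuration-file extension exclusion from the first scenario above. The regex generalization, the file names, and the file contents are assumptions constructed for illustration.

```python
import re
from pathlib import PurePath

# Exact literal from the page's YARA rule.
LITERAL = b"eval(base64_decode($a));"

# Added generalization (assumption, not from the page): tolerate whitespace
# and any PHP variable name so minor rewrites of the same construct still match.
PATTERN = re.compile(rb"eval\s*\(\s*base64_decode\s*\(\s*\$\w+\s*\)\s*\)\s*;")

# Extensions excluded under the "configuration file" scenario from the page.
EXCLUDED_EXTENSIONS = {".conf", ".yaml", ".json"}


def scan(path: str, data: bytes) -> dict:
    """Match one file against the literal and the regex, then apply the
    extension exclusion; 'alert' is the post-filter hunting result."""
    ext = PurePath(path).suffix.lower()
    literal_hit = LITERAL in data
    regex_hit = PATTERN.search(data) is not None
    excluded = ext in EXCLUDED_EXTENSIONS
    return {"path": path, "literal": literal_hit, "regex": regex_hit,
            "excluded": excluded, "alert": regex_hit and not excluded}


# Constructed sample files (names and contents are made up for this example).
SAMPLES = {
    "uploads/index.php": b"<?php eval(base64_decode($a)); ?>",
    "uploads/img.php": b"<?php eval( base64_decode( $payload ) ); ?>",
    "etc/app.conf": b"token = eval(base64_decode($a));",
    "var/log/app.log": b"archived=aGVsbG8=",
}


def scan_all(samples=SAMPLES) -> dict:
    """Scan every sample and return results keyed by path."""
    return {p: scan(p, d) for p, d in samples.items()}


if __name__ == "__main__":
    for result in scan_all().values():
        print(result)
```

Only the first `.php` file matches the page's literal; the second is caught only by the broader regex, and the `.conf` file matches but is suppressed by the extension exclusion.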