FGInt is a big-integer library for Delphi that implements the arithmetic behind RSA and similar public-key schemes; Base10StringToGInt is its routine for turning a decimal string into the library's internal big-integer representation. Delphi-written malware has embedded FGInt to handle keys and modular arithmetic, so the compiled routine is a useful marker for FGInt-based cryptography in a sample. The rule below matches the machine code of that routine in a PE file or in unpacked process memory; it is a binary signature, not a log-analysis rule, and it does not inspect log contents or SIEM data. A hit tells the analyst that the file carries FGInt and that any crypto built on it (key handling, an encrypted C2 channel, file encryption) is worth locating in the disassembly.
YARA Rule
rule FGint_Base10StringToGInt
{
    meta:
        author = "_pusher_"
        date = "2015-06"
        version = "0.2"
        description = "FGint Base10StringToGInt"
    strings:
        $c0 = { 55 8B EC B9 04 00 00 00 6A 00 6A 00 49 75 F9 51 53 56 57 8B DA 89 45 FC 8B 45 FC ?? ?? ?? ?? ?? 33 C0 55 ?? ?? ?? ?? ?? 64 FF 30 64 89 20 EB 12 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 ?? ?? ?? ?? ?? 8B 45 FC 8A 00 2C 2D 74 11 04 FD 2C 0A 72 0B 8B 45 FC ?? ?? ?? ?? ?? 48 7F D4 8D 45 E4 50 B9 01 00 00 00 BA 01 00 00 00 8B 45 FC ?? ?? ?? ?? ?? 8B 45 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 75 18 C6 45 EB 00 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 ?? ?? ?? ?? ?? EB 18 C6 45 EB 01 EB 12 8D 45 FC }
        $c1 = { 55 8B EC 83 C4 D8 53 56 57 33 C9 89 4D D8 89 4D DC 89 4D E0 89 4D E4 89 4D EC 8B DA 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 33 C0 55 68 0F 42 45 00 64 FF 30 64 89 20 EB 12 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 E8 ?? ?? ?? ?? 8B 45 FC 8A 00 2C 2D 74 11 04 FD 2C 0A 72 0B 8B 45 FC E8 ?? ?? ?? ?? 48 7F D4 8D 45 E4 50 B9 01 00 00 00 BA 01 00 00 00 8B 45 FC E8 ?? ?? ?? ?? 8B 45 E4 BA 28 42 45 00 E8 ?? ?? ?? ?? 75 18 C6 45 EB 00 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 E8 ?? ?? ?? ?? EB 18 C6 45 EB 01 }
        $c2 = { 55 8B EC 83 C4 D8 53 56 33 C9 89 4D D8 89 4D DC 89 4D E0 89 4D F8 89 4D F4 8B DA 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 33 C0 55 68 A6 32 47 00 64 FF 30 64 89 20 EB 12 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 E8 ?? ?? ?? ?? 8B 45 FC 0F B6 00 2C 2D 74 11 04 FD 2C 0A 72 0B 8B 45 FC E8 ?? ?? ?? ?? 48 7F D3 8D 45 E0 50 B9 01 00 00 00 BA 01 00 00 00 8B 45 FC E8 ?? ?? ?? ?? 8B 45 E0 BA BC 32 47 00 E8 ?? ?? ?? ?? 75 18 C6 45 E9 00 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 E8 ?? ?? ?? ?? EB 18 C6 45 E9 01 }
    condition:
        any of them
}
Deployment contexts: the strings are x86 machine code, so the rule belongs wherever PE files or process memory are scanned: endpoint YARA sweeps, mail and download gateways, sandbox post-processing, malware repositories, and memory scans of a running process after a packed sample has unpacked itself. It will not match a packed or encrypted sample on disk, and it has nothing to match in log data.
The rule contains three string patterns, each covering one compiler variant of the same routine. All three share the recognisable core of the function: the Delphi exception-frame setup (64 FF 30 64 89 20), the test for a leading minus sign (8A 00 2C 2D, or 0F B6 00 2C 2D in $c2), and the digit-range check (04 FD 2C 0A 72 0B, which computes c - '0' and branches when it is below 10). $c0 replaces the 5-byte call and push instructions with ?? wildcards, so it survives relinking; $c1 and $c2 embed absolute addresses (68 0F 42 45 00 and BA 28 42 45 00 in $c1, 68 A6 32 47 00 and BA BC 32 47 00 in $c2) and therefore only hit binaries whose image layout places those values at those addresses. Expect $c0 to be the string that fires on new samples, and expect a recompiled or rebased build to miss $c1 and $c2.
False positives and triage: the rule identifies the presence of the FGInt library, not malicious intent. Any Delphi program that statically links FGInt will match, so a hit should be triaged on the file rather than on the process or user that ran it.
Scenario: A legitimately distributed Delphi application links FGInt for licence-key validation, signature verification or other public-key work.
Filter/Exclusion: Allow-list the matched file by hash or by a valid, trusted code-signing certificate; do not exclude by process name, because the match is on the file's bytes and the same bytes in an unsigned, newly seen file should still be reviewed.
Scenario: A developer or analyst workstation holds FGInt source, test builds or cryptographic tooling compiled from it.
Filter/Exclusion: Exclude known development and build paths on those hosts only, and keep hits outside those paths.
Scenario: A memory scan hits a legitimate process that loaded an FGInt-based module.
Filter/Exclusion: Map the match back to the backing module on disk and apply the same hash or signature allow-list; a match in memory with no backing module on disk is the case to escalate.
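To see how the rule's hex strings behave against code, here is an added example (my own Python, not part of the rule or of the Yara-Rules project) that implements a minimal YARA-style matcher for fixed bytes and ?? wildcards, builds constructed sample buffers from the opening bytes of $c0 and $c1 as copied from the rule, and shows that $c1 stops matching as soon as the absolute address in its push instruction changes, while the fully wildcarded $c0 keeps matching whatever the call and push operands are. The filler bytes, padding and the "rebased" address 0x0040120F are constructed for the demo; for real scanning use yara or yara-python, which also handle nibble wildcards, jumps and alternation that this matcher does not.

```python
import re

# Opening bytes of $c0 and $c1, copied from the rule. The full strings are
# longer; these prefixes are enough to show how each treats addresses.
C0_PREFIX = ("55 8B EC B9 04 00 00 00 6A 00 6A 00 49 75 F9 51 53 56 57 8B DA "
             "89 45 FC 8B 45 FC ?? ?? ?? ?? ?? 33 C0 55 ?? ?? ?? ?? ?? "
             "64 FF 30 64 89 20")
C1_PREFIX = ("55 8B EC 83 C4 D8 53 56 57 33 C9 89 4D D8 89 4D DC 89 4D E0 "
             "89 4D E4 89 4D EC 8B DA 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? "
             "33 C0 55 68 0F 42 45 00 64 FF 30 64 89 20")
STRINGS = {"$c0": C0_PREFIX, "$c1": C1_PREFIX}


def hex_pattern_to_regex(hex_string):
    """Turn a YARA hex string with fixed bytes and '??' into a bytes regex.
    Only these two token kinds are supported in this demo matcher."""
    parts = []
    for tok in hex_string.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    # DOTALL so that '.' also matches the 0x0A byte.
    return re.compile(b"".join(parts), re.DOTALL)


def scan(buf, strings=STRINGS):
    """Return the identifiers of the hex strings found anywhere in buf."""
    return {name for name, pat in strings.items()
            if hex_pattern_to_regex(pat).search(buf)}


def rule_matches(buf, strings=STRINGS):
    """'condition: any of them': the rule fires if at least one string hits."""
    return bool(scan(buf, strings))


def instantiate(hex_string, filler):
    """Build constructed sample bytes from a pattern by replacing each '??'
    with the next byte of filler (demo input, not bytes from a real binary)."""
    out = bytearray()
    it = iter(filler)
    for tok in hex_string.split():
        out.append(next(it) if tok == "??" else int(tok, 16))
    return bytes(out)


def demo():
    pad = b"\x90" * 16  # constructed surrounding bytes

    # 1. A $c1-style function with an arbitrary rel32 call displacement.
    build_a = pad + instantiate(C1_PREFIX, b"\x10\x20\x30\x40") + pad

    # 2. The same code linked at a different base: the absolute address in
    #    'push 0x0045420F' (68 0F 42 45 00) becomes 0x0040120F (constructed),
    #    so the hard-coded bytes in $c1 no longer line up.
    build_b = build_a.replace(b"\x68\x0f\x42\x45\x00", b"\x68\x0f\x12\x40\x00")

    # 3. $c0 wildcards the whole 5-byte call and 5-byte push, so a $c0-style
    #    function matches regardless of the operands the linker wrote.
    build_c = pad + instantiate(C0_PREFIX, bytes(range(10))) + pad
    build_d = pad + instantiate(C0_PREFIX, bytes(range(100, 110))) + pad

    return {
        "c1_original": scan(build_a),   # {'$c1'}
        "c1_rebased": scan(build_b),    # set(): rebased build escapes $c1
        "c0_base1": scan(build_c),      # {'$c0'}
        "c0_base2": scan(build_d),      # {'$c0'}: different operands, same hit
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {sorted(hits) or 'no match'}")
```

The takeaway for tuning: when extending the rule for a new compiler variant, wildcard every rel32 displacement and every absolute operand the way $c0 does, and keep the fixed bytes to the opcodes and the sign and digit checks that the compiler emits identically across builds.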