Adversaries may use Base256StringToGInt (a routine of the FGint Delphi big-integer library) to encode malicious payloads within legitimate data streams, evading basic detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential covert command-and-control communications or data exfiltration attempts.
YARA Rule
rule FGint_Base256StringToGInt
{
    meta:
        author = "_pusher_"
        date = "2015-05"
        description = "FGint Base256StringToGInt"
    strings:
        $c0 = { 55 8B EC 81 C4 F8 FB FF FF 53 56 57 33 C9 89 4D F8 8B FA 89 45 FC 8B 45 FC ?? ?? ?? ?? ?? B9 00 01 00 00 8D 85 F8 FB FF FF 8B 15 ?? ?? ?? ?? ?? ?? ?? ?? ?? 33 C0 55 ?? ?? ?? ?? ?? 64 FF 30 64 89 20 8D 45 F8 ?? ?? ?? ?? ?? 8D 85 F8 FB FF FF BA FF 00 00 00 ?? ?? ?? ?? ?? 8B 45 FC ?? ?? ?? ?? ?? 8B D8 85 DB 7E 34 BE 01 00 00 00 8D 45 F8 8B 55 FC 0F B6 54 32 FF 8B 94 95 F8 FB FF FF ?? ?? ?? ?? ?? 46 4B 75 E5 EB 12 8D 45 F8 B9 01 00 00 00 BA 01 00 00 00 ?? ?? ?? ?? ?? 8B 45 F8 80 38 30 75 0F }
    condition:
        $c0
}
This YARA rule can be deployed in the following contexts:
This rule contains one string pattern ($c0) in its detection logic. The pattern is a run of x86 instruction bytes from the compiled routine (it opens with 55 8B EC, the standard push ebp / mov ebp, esp prologue), and the ?? wildcards cover operands such as addresses and call targets that change between builds. It therefore matches any binary that statically links this FGint routine, whether malicious or benign, so a hit needs triage rather than being treated as a verdict on its own.
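To show how the $c0 hex string with its ?? wildcards is actually matched, here is an added stand-alone Python example (not part of the original page and not YARA's own code): it translates the rule's hex string into a byte regex, scans a buffer, and returns the match offsets. The sample buffer is constructed here by filling the wildcards with arbitrary bytes; it is synthetic test data, not a real FGint binary.

```python
import re
from typing import List

# Hex string of the $c0 pattern from the rule above; "??" is a one-byte wildcard.
FGINT_C0 = (
    "55 8B EC 81 C4 F8 FB FF FF 53 56 57 33 C9 89 4D F8 8B FA 89 45 FC 8B 45 FC "
    "?? ?? ?? ?? ?? B9 00 01 00 00 8D 85 F8 FB FF FF 8B 15 ?? ?? ?? ?? ?? ?? ?? ?? ?? "
    "33 C0 55 ?? ?? ?? ?? ?? 64 FF 30 64 89 20 8D 45 F8 ?? ?? ?? ?? ?? "
    "8D 85 F8 FB FF FF BA FF 00 00 00 ?? ?? ?? ?? ?? 8B 45 FC ?? ?? ?? ?? ?? "
    "8B D8 85 DB 7E 34 BE 01 00 00 00 8D 45 F8 8B 55 FC 0F B6 54 32 FF "
    "8B 94 95 F8 FB FF FF ?? ?? ?? ?? ?? 46 4B 75 E5 EB 12 8D 45 F8 "
    "B9 01 00 00 00 BA 01 00 00 00 ?? ?? ?? ?? ?? 8B 45 F8 80 38 30 75 0F"
)


def hex_pattern_to_regex(pattern: str) -> "re.Pattern[bytes]":
    """Translate a YARA-style hex string into a bytes regex.
    Only the two token kinds this rule uses are handled: a fixed byte
    written as two hex digits, and the ?? single-byte wildcard."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")  # any one byte (DOTALL below makes "." match 0x0A too)
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes, pattern: str = FGINT_C0) -> List[int]:
    """Return every offset in `data` at which the hex pattern matches."""
    return [m.start() for m in hex_pattern_to_regex(pattern).finditer(data)]


def build_sample(filler: int = 0x90) -> bytes:
    """Constructed test buffer: the fixed bytes of $c0 with every wildcard
    replaced by `filler`, preceded by 16 bytes of zero padding and followed
    by 8 bytes of 0xCC. Synthetic data for demonstration only."""
    body = bytes(filler if tok == "??" else int(tok, 16) for tok in FGINT_C0.split())
    return b"\x00" * 16 + body + b"\xCC" * 8


if __name__ == "__main__":
    print("match offsets:", scan(build_sample()))  # prints [16]
```

Because wildcards accept any byte, both samples below match at the same offset, while changing a single fixed byte (the leading 0x55 of the prologue) defeats the match entirely.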
Scenario: A system administrator is using the base64dec tool to decode a Base64 string as part of a routine data processing task.
Filter/Exclusion: Check for the presence of base64dec in the command line or process name, and exclude processes initiated by the admin account with known legitimate scripts.
Scenario: A scheduled job runs gint (a command-line utility for handling GInt data) to convert Base256 strings to GInt values during nightly data synchronization.
Filter/Exclusion: Exclude processes associated with the scheduled job name (e.g., sync_data_job) and filter by user account used for the job.
Scenario: A developer is using gint in a script to parse Base256-encoded data from a log file during a debugging session.
Filter/Exclusion: Exclude processes running under the developer’s user account and filter by script names or paths that are known to be used for debugging.
Scenario: A system update or patching task uses a script that includes a Base256-to-GInt conversion to validate checksums or hashes.
Filter/Exclusion: Exclude processes initiated by the patching tool (e.g., patchmgr) and filter by script names or paths associated with system updates.
Scenario: A security tool or SIEM integration uses gint to decode Base256 strings as part of log normalization or data enrichment.
Filter/Exclusion: Exclude processes initiated by the SIEM tool (e.g., splunk, logstash) and filter by known integration scripts or modules.