The FGint_ConvertBase256to64 rule detects a potential obfuscation technique used by adversaries to encode malicious payloads: base64 conversion, applied as a way to evade simple string-based detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that may be using encoding as part of their persistence or command-and-control strategies.
YARA Rule
rule FGint_ConvertBase256to64
{
    meta:
        author = "_pusher_"
        date = "2015-05"
        description = "FGint ConvertBase256to64"
    strings:
        $c0 = { 55 8B EC 81 C4 EC FB FF FF 53 56 57 33 C9 89 8D EC FB FF FF 89 8D F0 FB FF FF 89 4D F8 8B FA 89 45 FC B9 00 01 00 00 8D 85 F4 FB FF FF 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 85 F4 FB FF FF BA FF 00 00 00 E8 ?? ?? ?? ?? 8D 45 F8 E8 ?? ?? ?? ?? 8B 45 FC E8 ?? ?? ?? ?? 8B D8 85 DB 7E 2F BE 01 00 00 00 8D 45 F8 8B 55 FC 0F B6 54 32 FF 8B 94 95 F4 FB FF FF E8 ?? ?? ?? ?? 46 4B 75 E5 EB }
    condition:
        $c0
}
This YARA rule can be deployed in the following contexts:
This rule contains 1 string pattern in its detection logic.
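To show how the wildcarded hex string in $c0 is matched, the following added Python example (not the rule author's code) translates the pattern into a byte regex, where each ?? becomes "any one byte", and scans a constructed buffer the way a YARA scan would. It supports only ?? wildcards, not YARA jumps or nibble masks, and the filler byte used at wildcard positions is an assumption for the sample buffer.

```python
import re

# The $c0 hex pattern, copied verbatim from the FGint_ConvertBase256to64 rule.
C0_PATTERN = (
    "55 8B EC 81 C4 EC FB FF FF 53 56 57 33 C9 89 8D EC FB FF FF 89 8D F0 FB FF FF "
    "89 4D F8 8B FA 89 45 FC B9 00 01 00 00 8D 85 F4 FB FF FF 8B 15 ?? ?? ?? ?? "
    "E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 85 F4 FB FF FF "
    "BA FF 00 00 00 E8 ?? ?? ?? ?? 8D 45 F8 E8 ?? ?? ?? ?? 8B 45 FC E8 ?? ?? ?? ?? "
    "8B D8 85 DB 7E 2F BE 01 00 00 00 8D 45 F8 8B 55 FC 0F B6 54 32 FF 8B 94 95 "
    "F4 FB FF FF E8 ?? ?? ?? ?? 46 4B 75 E5 EB"
)


def hex_pattern_to_regex(pattern: str) -> bytes:
    """Translate a YARA hex string (fixed bytes plus '??' wildcards) into a bytes regex.

    Each fixed byte is escaped literally; each '??' becomes '.', which matches any
    single byte once the regex is compiled with re.DOTALL.
    """
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return b"".join(parts)


def find_matches(pattern: str, data: bytes) -> list:
    """Return the offsets of every match of the hex pattern in data (YARA's @c0 offsets)."""
    rx = re.compile(hex_pattern_to_regex(pattern), re.DOTALL)
    return [m.start() for m in rx.finditer(data)]


def build_sample(filler: int = 0x90) -> bytes:
    """Constructed test buffer (not a real binary): the pattern with every '??'
    replaced by `filler`, surrounded by 16 zero bytes on each side."""
    body = bytes(filler if tok == "??" else int(tok, 16) for tok in C0_PATTERN.split())
    return b"\x00" * 16 + body + b"\x00" * 16


if __name__ == "__main__":
    sample = build_sample()
    print("match offsets:", find_matches(C0_PATTERN, sample))
```

Any value at a wildcard position matches, so both the 0x90-filled and 0x00-filled samples hit at offset 16, while changing a single fixed byte breaks the match.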
Scenario: A system administrator is using certutil to convert base64 encoded certificates to binary format for import into a certificate store.
Filter/Exclusion: Check for certutil usage in conjunction with known certificate-related command-line arguments (e.g., -decode or -encode).
Scenario: A scheduled job runs PowerShell scripts that use ConvertTo-Base64 to encode data for logging or transmission purposes.
Filter/Exclusion: Filter events where the process is powershell.exe and the command line includes ConvertTo-Base64 or similar cmdlets.
Scenario: A developer is using base64encode in a Python script to encode payload data for API requests during testing.
Filter/Exclusion: Exclude processes running under a developer user account or where the script path includes known development directories (e.g., C:\Dev\).
Scenario: A backup tool like Veeam or Commvault performs base64 encoding during data compression or transfer stages.
Filter/Exclusion: Exclude processes associated with backup tools by checking the process name or parent process tree.
Scenario: A system update task uses msiexec to install a package that includes base64 encoded payloads for internal use.
Filter/Exclusion: Exclude processes initiated by the Task Scheduler and associated with known update or patching tools.