FGint ConvertHexStringToBase256String

Hunt Hypothesis

Adversaries may use this rule to covertly encode data by converting hexadecimal strings to Base256, potentially obfuscating malicious payloads or exfiltration data. SOC teams should proactively hunt for this behavior to identify potential data encoding activities that could indicate advanced persistent threats or data exfiltration attempts.

YARA Rule

rule FGint_ConvertHexStringToBase256String
{	meta:
		author = "_pusher_"
		date = "2015-06"
		version = "0.2"
		description = "FGint ConvertHexStringToBase256String"
	strings:
		$c0 = { 55 8B EC 83 C4 F0 53 56 33 C9 89 4D F0 89 55 F8 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 45 F8 E8 ?? ?? ?? ?? 8B 45 FC E8 ?? ?? ?? ?? D1 F8 79 03 83 D0 00 85 C0 7E 5F 89 45 F4 BE 01 00 00 00 8B C6 03 C0 8B 55 FC 8A 54 02 FF 8B 4D FC 8A 44 01 FE 3C 3A 73 0A 8B D8 80 EB 30 C1 E3 04 EB 08 8B D8 80 EB 37 C1 E3 04 80 FA 3A 73 07 80 EA 30 0A DA EB 05 80 EA 37 0A DA 8D 45 F0 8B D3 }
	condition:
		$c0
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 1 string patterns in its detection logic.

• Source Rule

False Positive Guidance

• Scenario: A system administrator is using PowerShell to convert a hex string to base256 for a custom script or log parsing task.
  Filter/Exclusion: process.name != "powershell.exe" or check for known admin tools in a whitelist.

• Scenario: A scheduled job runs nightly to process hex-encoded data from a database using a script written in Python or Bash.
  Filter/Exclusion: process.name != "python", process.name != "bash" or check for job names in a known legitimate job list.

• Scenario: A network monitoring tool like Wireshark or tcpdump captures hex-encoded packets for analysis, which are then decoded using a script.
  Filter/Exclusion: process.name != "tcpdump", process.name != "wireshark", or check for known network analysis tools in a whitelist.

• Scenario: A security tool like OSSEC or Snort generates hex-encoded logs that are later decoded by a log processing system.
  Filter/Exclusion: process.name != "ossec", process.name != "snort", or check for known security tool processes.

• Scenario: A backup job uses a script to convert hex strings to base256 for data integrity checks, such as in Veeam or Commvault.
  Filter/Exclusion: process.name != "veeam" or process.name != "commvault" or check for backup-related process names.