Adversaries may use FGIntToBase256String to encode data in a format that could be used for obfuscation or communication within a network. SOC teams should proactively hunt for this behavior to identify potential covert data exfiltration or command-and-control activity in their Azure Sentinel environment.
YARA Rule
rule FGint_FGIntToBase256String
{
    meta:
        author = "_pusher_"
        date = "2015-06"
        version = "0.2"
        description = "FGint FGIntToBase256String"
    strings:
        $c0 = { 55 8B EC 33 C9 51 51 51 51 53 56 8B F2 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 8D 55 FC E8 ?? ?? ?? ?? EB 10 8D 45 FC 8B 4D FC BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 FC E8 ?? ?? ?? ?? 25 07 00 00 80 79 05 48 83 C8 F8 40 85 C0 75 D8 8B 45 FC E8 ?? ?? ?? ?? 8B D8 85 DB 79 03 83 C3 07 C1 FB 03 8B C6 E8 ?? ?? ?? ?? 85 DB 76 4B 8D 45 F4 50 B9 08 00 00 00 BA 01 00 00 00 8B 45 FC E8 ?? ?? ?? ?? 8B 55 F4 8D 45 FB E8 ?? ?? ?? ?? 8D 45 F0 8A 55 FB E8 ?? ?? ?? ?? 8B 55 F0 8B C6 E8 ?? ?? ?? ?? 8D 45 FC B9 08 00 00 00 BA 01 00 00 00 E8 ?? ?? ?? ?? 4B 75 B5 }
        $c1 = { 55 8B EC 33 C9 51 51 51 51 53 56 8B F2 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 8D 55 FC E8 ?? ?? ?? ?? EB 10 8D 45 FC 8B 4D FC BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 FC E8 ?? ?? ?? ?? 25 07 00 00 80 79 05 48 83 C8 F8 40 85 C0 75 D8 8B 45 FC 85 C0 74 05 83 E8 04 8B 00 8B D8 85 DB 79 03 83 C3 07 C1 FB 03 8B C6 E8 ?? ?? ?? ?? 85 DB 76 4C 8D 45 F4 50 B9 08 00 00 00 BA 01 00 00 00 8B 45 FC E8 ?? ?? ?? ?? 8B 55 F4 8D 45 FB E8 ?? ?? ?? ?? 8D 45 F0 0F B6 55 FB E8 ?? ?? ?? ?? 8B 55 F0 8B C6 E8 ?? ?? ?? ?? 8D 45 FC B9 08 00 00 00 BA 01 00 00 00 E8 }
    condition:
        any of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
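To show how the two hex strings above are actually evaluated (fixed bytes must match, `??` slots accept any byte, and `any of them` fires on the first pattern with a hit), here is an added illustrative matcher in Python. It is not part of the rule or of the FGint library; the pattern is the shared opening of $c0/$c1 truncated for brevity, and the sample buffer is constructed for the test. For real scanning use yara-python; this only demonstrates the mechanics.

```python
import re

def parse_hex_pattern(pattern: str):
    """Turn 'AA ?? BB' into a list of int-or-None (None = wildcard byte)."""
    out = []
    for tok in pattern.split():
        if tok == "??":
            out.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            out.append(int(tok, 16))
        else:
            raise ValueError(f"unsupported token {tok!r}")
    return out

def find_pattern(data: bytes, pattern):
    """Return every offset at which the wildcard pattern occurs in data."""
    n = len(pattern)
    return [
        off for off in range(len(data) - n + 1)
        if all(p is None or data[off + i] == p for i, p in enumerate(pattern))
    ]

def rule_matches(data: bytes, patterns):
    """YARA 'any of them': True when at least one pattern hits; also
    returns the per-pattern offsets so an analyst can see which fired."""
    results = {name: find_pattern(data, parse_hex_pattern(p))
               for name, p in patterns.items()}
    return any(results.values()), results

# Truncated opening of $c0 / $c1 from the rule: the Delphi prologue
# (push ebp; mov ebp,esp; xor ecx,ecx; 4x push ecx; push ebx; push esi;
# mov esi,edx; xor edx,edx; push ebp; push <SEH handler>; push fs:[edx];
# mov fs:[edx],esp; lea edx,[ebp-4]; call <rel32>; jmp short +0x10).
# The handler address and call displacement are wildcarded because they
# differ per binary. The full strings from the rule drop in unchanged.
PATTERNS = {
    "$c0": "55 8B EC 33 C9 51 51 51 51 53 56 8B F2 33 D2 55 68 ?? ?? ?? ?? "
           "64 FF 32 64 89 22 8D 55 FC E8 ?? ?? ?? ?? EB 10",
}

# Constructed sample: two NOPs of padding, then the prologue with
# arbitrary values in the two wildcard slots (handler 0x12345678,
# displacement 0x44332211). Expected hit offset: 2.
SAMPLE = bytes.fromhex(
    "9090"
    "558BEC33C95151515153568BF233D25568" "78563412"
    "64FF32648922" "8D55FCE8" "11223344" "EB10"
)

if __name__ == "__main__":
    print(rule_matches(SAMPLE, PATTERNS))
```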
Scenario: A system management tool (e.g., Chef, Puppet, or Ansible) is executing a scheduled job that generates FGint values during normal configuration updates.
Filter/Exclusion: Check for processes related to configuration management tools using process.name or process.args containing “chef”, “puppet”, or “ansible”.
Scenario: A database backup tool (e.g., MySQL, PostgreSQL, or MongoDB) is performing a backup and generates FGint values as part of its internal logging or metadata processing.
Filter/Exclusion: Filter events where process.name matches the backup tool’s name or includes “backup” in the command line arguments.
Scenario: A security tool (e.g., CrowdStrike, Microsoft Defender, or Splunk) is generating FGint values during signature updates or threat intelligence processing.
Filter/Exclusion: Exclude events where process.name matches the security tool’s name or includes “signature”, “update”, or “threat”.
Scenario: A system administration task (e.g., PowerShell, Task Scheduler, or cron) is running a script that processes FGint values as part of a data conversion or encoding operation.
Filter/Exclusion: Filter events where process.name is powershell.exe or task scheduler and the command line includes “convert” or “encode”.
Scenario: A cloud service provider’s management console (e.g., AWS CLI, Azure CLI, or GCP CLI) is interacting with the system and generates FGint values during API calls or resource management operations.
Filter/Exclusion: Exclude events where process.name is aws, az, or gcloud and the command line includes “describe”, “list”, or “get”.