This rule matches the FGint PGPConvertBase256to64 routine, a custom Base256 to Base64 conversion that adversaries may use to encode or decode data, potentially obfuscating malicious payloads or staging them for exfiltration. SOC teams should proactively hunt for this behavior to identify potential data exfiltration or command and control communication in their Azure Sentinel environment.
YARA Rule
rule FGint_PGPConvertBase256to64
{
    meta:
        author = "_pusher_"
        date = "2016-08"
        description = "FGint PGPConvertBase256to64"
    strings:
        $c0 = { 55 8B EC 81 C4 E8 FB FF FF 53 56 57 33 C9 89 8D E8 FB FF FF 89 4D F8 89 4D F4 89 4D F0 8B FA 89 45 FC B9 00 01 00 00 8D 85 EC FB FF FF 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 85 EC FB FF FF BA FF 00 00 00 E8 ?? ?? ?? ?? 8D 45 F8 E8 ?? ?? ?? ?? 8B 45 FC 8B 00 E8 ?? ?? ?? ?? 8B D8 85 DB 7E 22 BE 01 00 00 00 8D 45 F8 8B 55 FC 8B 12 0F B6 54 32 FF 8B 94 95 EC FB FF FF E8 ?? ?? ?? ?? 46 4B 75 E3 8B 45 F8 E8 ?? ?? ?? ?? B9 06 00 00 00 99 F7 F9 85 D2 75 0A 8D 45 F0 E8 ?? ?? ?? ?? EB 4B 8B 45 F8 E8 ?? ?? ?? ?? B9 06 00 00 00 99 F7 F9 83 FA 04 75 1C 8D 45 F8 BA 4C 33 40 00 E8 ?? ?? ?? ?? 8D 45 F0 BA 58 33 40 00 E8 ?? ?? ?? ?? EB 1A 8D 45 F8 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 F0 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B C7 E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? B9 06 00 00 00 99 F7 F9 8B D8 85 DB 7E 57 8D 45 F4 50 B9 06 00 00 00 BA 01 00 00 00 8B 45 F8 E8 ?? ?? ?? ?? 8D 45 EC 8B 55 F4 E8 ?? ?? ?? ?? 8D 85 E8 FB FF FF 8B 55 EC 8A 92 ?? ?? ?? ?? E8 }
    condition:
        $c0
}
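To show how the wildcard bytes in $c0 are applied during a scan, here is an added example (not part of the original rule page, and not using the yara library) that compiles a plain YARA hex string into a bytes regex and runs it over constructed buffers. C0_EXCERPT is the first 58 bytes of the rule's $c0 pattern; the operand values filled into the ?? slots are constructed, not taken from any real binary.

```python
import re

# Excerpt of the $c0 hex string from the rule above (its first 58 bytes). The "??" slots
# cover the 4-byte operands of a "mov edx,[imm32]" and of a relative "call", which
# differ between builds while the surrounding prologue bytes stay fixed.
C0_EXCERPT = (
    "55 8B EC 81 C4 E8 FB FF FF 53 56 57 33 C9 89 8D E8 FB FF FF "
    "89 4D F8 89 4D F4 89 4D F0 8B FA 89 45 FC B9 00 01 00 00 "
    "8D 85 EC FB FF FF 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0"
)

_HEX = set("0123456789abcdefABCDEF")


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile a plain YARA hex string (fixed bytes and ?? wildcards) into a bytes regex.

    Jumps ([n-m]), nibble wildcards (?A) and alternation are not handled; $c0 uses none.
    """
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")                      # any single byte (DOTALL below)
        elif len(tok) == 2 and set(tok) <= _HEX:
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported hex-string token: {tok!r}")
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes, pattern: str = C0_EXCERPT) -> list:
    """Offsets of every (non-overlapping) match, comparable to YARA's @c0 offsets."""
    return [m.start() for m in hex_pattern_to_regex(pattern).finditer(data)]


def instantiate(pattern: str, wildcard_fill: bytes) -> bytes:
    """Constructed sample: realise the pattern with concrete bytes in the ?? slots."""
    fill = iter(wildcard_fill)
    return bytes(next(fill) if tok == "??" else int(tok, 16) for tok in pattern.split())


if __name__ == "__main__":
    # Two constructed builds with different operand bytes (different data address and
    # call target) both match; flipping a fixed prologue byte breaks the match.
    for operands in (bytes.fromhex("0030400012345678"), bytes.fromhex("a0b0c0d001020304")):
        image = b"\x90" * 16 + instantiate(C0_EXCERPT, operands) + b"\xCC" * 8
        print(operands.hex(), "->", scan(image))        # [16]
    broken = bytearray(instantiate(C0_EXCERPT, bytes(8)))
    broken[0] ^= 0xFF                                    # 55 (push ebp) becomes AA
    print("mutated ->", scan(bytes(broken)))             # []
```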
This rule contains 1 string pattern in its detection logic. The following benign scenarios may produce matches; each is paired with a suggested filter/exclusion for tuning. Note that the rule itself matches byte content on disk or in memory, so the process.* fields below apply where a match has been correlated with process telemetry.
Scenario: A system administrator is using pgpconvert to convert base256 data to base64 as part of a data encoding task.
Filter/Exclusion: process.name != "pgpconvert" or process.args contains "encoding" or process.args contains "data conversion"
Scenario: A scheduled job runs nightly to process encrypted logs using PGPConvertBase256to64 for log normalization.
Filter/Exclusion: process.parent_process_name contains "task scheduler" or process.parent_process_name contains "cron" or process.args contains "log processing"
Scenario: A developer is using pgpconvert in a script to encode binary data for API transmission.
Filter/Exclusion: process.user contains "dev" or process.user contains "developer" or process.args contains "api" or process.args contains "binary encoding"
Scenario: A backup tool such as Veeam or Commvault uses an internal base256 to base64 conversion during data transfer.
Filter/Exclusion: process.name contains "veeam" or process.name contains "commvault" or process.args contains "backup" or process.args contains "data transfer"
Scenario: An admin is manually converting PGP-encrypted files using PGPConvertBase256to64 for forensic analysis.
Filter/Exclusion: process.user contains "admin" or process.user contains "root" or process.args contains "forensic" or process.args contains "analysis"