Adversaries may pipe base64-decoded input into a shell to execute arbitrary commands stealthily, bypassing basic command-line inspection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential command injection or persistence techniques early.
Detection Rule
title: Linux Base64 Encoded Pipe to Shell
id: ba592c6d-6888-43c3-b8c6-689b8fe47337
status: test
description: Detects suspicious process command line that uses base64 encoded input for execution with a shell
references:
    - https://github.com/arget13/DDexec
    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: pH-T (Nextron Systems)
date: 2022-07-26
modified: 2023-06-16
tags:
    - attack.defense-evasion
    - attack.t1140
logsource:
    product: linux
    category: process_creation
detection:
    selection_base64:
        CommandLine|contains: 'base64 '
    selection_exec:
        - CommandLine|contains:
              - '| bash '
              - '| sh '
              - '|bash '
              - '|sh '
        - CommandLine|endswith:
              - ' |sh'
              - '| bash'
              - '| sh'
              - '|bash'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activities
level: medium
Azure Sentinel Query (KQL)
imProcessCreate
| where TargetProcessCommandLine contains "base64 "
    and (
        (TargetProcessCommandLine contains "| bash "
            or TargetProcessCommandLine contains "| sh "
            or TargetProcessCommandLine contains "|bash "
            or TargetProcessCommandLine contains "|sh ")
        or (TargetProcessCommandLine endswith " |sh"
            or TargetProcessCommandLine endswith "| bash"
            or TargetProcessCommandLine endswith "| sh"
            or TargetProcessCommandLine endswith "|bash")
    )
Scenario: Scheduled Cron Job with Base64 Encoded Payload
Description: A legitimate cron job is configured to decode and execute a base64 string as part of a scripted maintenance task.
Filter/Exclusion: Exclude events where the parent process or the command line includes cron or crontab.
Example: cron -f /path/to/script.sh where script.sh contains base64 -d | bash
Scenario: System Update with Base64 Encoded Script
Description: A system update or patching tool uses a base64 encoded script as part of its deployment process.
Filter/Exclusion: Exclude processes where the command line includes yum, apt, or dnf (or equivalent package managers).
Example: yum update with a base64 encoded script in a temporary directory used for patching.
Scenario: Admin Task Using Base64 for Data Encoding
Description: An administrator uses base64 encoding to pass data (e.g., credentials, configuration) to a script or tool for processing.
Filter/Exclusion: Exclude processes where the command line combines echo or base64 with | and bash, provided the script being invoked is known to be trusted.
Example: echo "SGVsbG8gV29ybGQ=" | base64 -d | /opt/trusted_script.sh
Scenario: Log Rotation or Data Export with Base64 Encoding
Description: A log rotation tool or data export script uses base64 encoding to handle special characters or binary data in log files.
Filter/Exclusion: Exclude processes where the command line includes logrotate, rsync, or tar in the parent process
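The rule logic and the tuning scenarios above, as an added example that is not part of the original rule or its Sentinel translation: the Sigma matching is re-implemented in Python and run over constructed process_creation events, with a hypothetical parent-process allow-list (cron, package managers, log tooling) standing in for the exclusions the scenarios describe.

```python
# Added example, not part of the Sigma rule or the Sentinel query above:
# the rule's matching logic re-implemented in Python and run over constructed
# process_creation events, with a hypothetical parent-process allow-list that
# reflects the cron / package-manager / log-tooling tuning scenarios.

BASE64_MARKER = "base64 "
PIPE_CONTAINS = ("| bash ", "| sh ", "|bash ", "|sh ")
PIPE_ENDSWITH = (" |sh", "| bash", "| sh", "|bash")

# Hypothetical tuning list; tailor to the environment before deploying.
TRUSTED_PARENTS = {"cron", "crond", "yum", "apt", "apt-get", "dnf",
                   "logrotate", "rsync", "tar"}

def matches_rule(cmdline: str) -> bool:
    """Equivalent of `condition: all of selection_*` in the Sigma rule."""
    if BASE64_MARKER not in cmdline:          # selection_base64
        return False
    return (any(p in cmdline for p in PIPE_CONTAINS)   # selection_exec
            or cmdline.endswith(PIPE_ENDSWITH))

def evaluate(event: dict) -> str:
    """'alert', 'suppressed' (matched, but trusted parent) or 'clean'."""
    if not matches_rule(event["CommandLine"]):
        return "clean"
    parent = event.get("ParentImage", "").rsplit("/", 1)[-1]
    return "suppressed" if parent in TRUSTED_PARENTS else "alert"

# Constructed sample events using Sigma process_creation field names.
SAMPLE_EVENTS = [
    {"ParentImage": "/usr/sbin/sshd", "CommandLine": "bash -c echo aWQ= | base64 -d | bash"},
    {"ParentImage": "/usr/sbin/sshd", "CommandLine": "bash -c echo aWQ= | base64 --decode |sh"},
    {"ParentImage": "/usr/sbin/cron", "CommandLine": "bash -c base64 -d /opt/maint.b64 | bash"},
    {"ParentImage": "/bin/bash", "CommandLine": "base64 -d report.b64 > report.bin"},
    {"ParentImage": "/bin/bash", "CommandLine": "cat payload.txt |bash"},
]

def triage(events=SAMPLE_EVENTS) -> dict:
    """Group command lines by verdict for a quick hunting summary."""
    out = {"alert": [], "suppressed": [], "clean": []}
    for ev in events:
        out[evaluate(ev)].append(ev["CommandLine"])
    return out

if __name__ == "__main__":
    for verdict, lines in triage().items():
        print(f"{verdict}: {len(lines)}")
        for line in lines:
            print("   ", line)
```

Note that the suppression keys on the parent process, not on the command line itself, so a decode-and-pipe launched from an interactive shell still alerts even when it mentions a package manager.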