Adversaries may encode malicious payloads using base64 in CLI commands to evade simple string-based detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential execution of hidden malicious code before it is decoded and executed.
Detection Rule
title: Linux Base64 Encoded Shebang In CLI
id: fe2f9663-41cb-47e2-b954-8a228f3b9dff
status: test
description: Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded
references:
    - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html
    - https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
tags:
    - attack.defense-evasion
    - attack.t1140
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - "IyEvYmluL2Jhc2" # Note: "#!/bin/bash"
            - "IyEvYmluL2Rhc2" # Note: "#!/bin/dash"
            - "IyEvYmluL3pza" # Note: "#!/bin/zsh"
            - "IyEvYmluL2Zpc2" # Note: "#!/bin/fish"
            - "IyEvYmluL3No" # Note: "#!/bin/sh"
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium
imProcessCreate
| where TargetProcessCommandLine contains "IyEvYmluL2Jhc2"
    or TargetProcessCommandLine contains "IyEvYmluL2Rhc2"
    or TargetProcessCommandLine contains "IyEvYmluL3pza"
    or TargetProcessCommandLine contains "IyEvYmluL2Zpc2"
    or TargetProcessCommandLine contains "IyEvYmluL3No"
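As an added illustration (not part of the original rule or the Sigma project's code), the Python below derives the rule's five search strings from the shebangs themselves, which shows why each one stops short of the full base64 encoding, and then runs the same match over constructed process-creation events. The `KNOWN_JOB_PATHS` allow-list and the sample events are constructed for this example and stand in for the scheduled-job exclusion described in the false-positive scenarios that follow.

```python
import base64

# Shebangs the rule targets. Each search string is a *prefix* of the shebang's
# base64 form; stable_b64_prefix() derives it and shows why it stops early.
SHEBANGS = ["#!/bin/bash", "#!/bin/dash", "#!/bin/zsh", "#!/bin/fish", "#!/bin/sh"]

def stable_b64_prefix(text: str) -> str:
    """Base64 characters of `text` that are fixed whatever bytes follow it.
    Base64 turns 3 bytes into 4 characters. When len(text) is not a multiple
    of 3, the last character also encodes bits of the *next* byte (usually the
    newline after the shebang), so it is dropped along with any padding."""
    encoded = base64.b64encode(text.encode()).decode().rstrip("=")
    return encoded[:-1] if len(text) % 3 else encoded

PATTERNS = {stable_b64_prefix(s): s for s in SHEBANGS}

# Constructed allow-list for the "known scheduled job" false-positive scenario.
KNOWN_JOB_PATHS = ("/etc/cron.d/", "/etc/cron.hourly/")

def match_shebang(command_line: str):
    """Shebang the command line embeds in base64, or None. Sentinel's
    `contains` is case-insensitive, so the comparison is lower-cased too."""
    lowered = command_line.lower()
    for prefix, shebang in PATTERNS.items():
        if prefix.lower() in lowered:
            return shebang
    return None

def hunt(events):
    """Run the rule over process-creation events (dicts with CommandLine and
    ParentCommandLine); return (index, shebang) for hits not tuned out."""
    hits = []
    for i, ev in enumerate(events):
        shebang = match_shebang(ev["CommandLine"])
        context = ev["CommandLine"] + " " + ev.get("ParentCommandLine", "")
        if shebang and not any(p in context for p in KNOWN_JOB_PATHS):
            hits.append((i, shebang))
    return hits

def b64(script: str) -> str:
    return base64.b64encode(script.encode()).decode()

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"CommandLine": "echo " + b64("#!/bin/bash\necho hello\n") + " | base64 -d | bash",
     "ParentCommandLine": "/bin/sh -c"},
    {"CommandLine": "base64 -w0 /tmp/report.pdf", "ParentCommandLine": "bash"},
    {"CommandLine": "echo " + b64("#!/bin/zsh\nlogrotate /etc/logrotate.conf\n") + " | base64 -d | zsh",
     "ParentCommandLine": "/bin/sh -c /etc/cron.hourly/rotate"},
]
```

`hunt(SAMPLE_EVENTS)` flags only the first event; the third matches the zsh prefix but is suppressed by the cron allow-list.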
Scenario: Base64 encoding of a legitimate script for transport
Description: An admin is base64 encoding a script to send it via email or a file transfer tool, then decoding it on the target system.
Filter/Exclusion: Exclude processes where the command includes base64 -d or base64 --decode and the script is known to be part of a legitimate admin task (e.g., scp, rsync, or curl).
Scenario: Scheduled job using base64 for obfuscation
Description: A scheduled job (e.g., via cron or systemd) uses base64 encoding to obfuscate a command for security or audit purposes.
Filter/Exclusion: Exclude commands that are part of a known scheduled job (e.g., /etc/cron.d/ or /etc/cron.hourly/) and include base64 followed by a known legitimate command.
Scenario: Debugging or logging with base64 encoding
Description: A developer is using base64 encoding to log binary data (e.g., cryptographic keys or binary files) in a log file for debugging.
Filter/Exclusion: Exclude processes where the command includes base64 and the output is directed to a log file (e.g., >> /var/log/debug.log) or the command is part of a known debugging tool (e.g., gdb, strace).
Scenario: Base64 encoding of a shell script for deployment
Description: A DevOps engineer is base64 encoding a shell script to embed it in a configuration file or a CI/CD pipeline for deployment.
Filter/Exclusion: Exclude commands that are part of a CI/CD pipeline (e.g., git, docker, `