Adversaries may craft filenames that embed Base64-encoded Bash commands inside brace-expansion syntax (of the form {echo,<base64>}|{base64,-d}|bash), so that the hidden command runs when a script interpolates the unquoted filename into eval, bash -c, or a similar shell context; no script of the attacker's own is ever executed directly. Because the brace group is expanded to a command and its argument by the shell, the filename needs no spaces and survives ordinary archive extraction and directory listings. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential command and control activity or persistence mechanisms.
Detection Rule
title: Suspicious Filename with Embedded Base64 Commands
id: 179b3686-6271-4d87-807d-17d843a8af73
status: experimental
description: |
    Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts.
    These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns.
references:
    - https://www.trellix.com/blogs/research/the-silent-fileless-threat-of-vshell/
author: '@kostastsale'
date: 2025-11-22
tags:
    - attack.execution
    - attack.t1059.004
    - attack.defense-evasion
    - attack.t1027
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|contains:
            - '{echo'
            - '{base64,-d}'
    condition: selection
falsepositives:
    - Legitimate files with similar naming patterns (very unlikely).
level: high
Azure Sentinel Query
imFileEvent
| where TargetFileName contains "{echo" or TargetFileName contains "{base64,-d}"
Both strings are literal substrings of the observed technique, and KQL contains is a case-insensitive substring match. A filename that spells the command with a different brace group (another command in place of echo, or another decoder flag in place of -d) will not match, so treat hits as high-confidence indicators rather than as exhaustive coverage, and pivot on ActingProcessName and TargetFilePath to see which process created the file and what was extracted alongside it.
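To show what the rule actually does against data, here is an added example (not part of the rule or of the Sentinel query above) that replays the two Sigma literals over a handful of constructed file-event records shaped like imFileEvent rows, decodes the Base64 payload hidden in a matching filename for triage, and also flags a broader, hypothetical brace-group-followed-by-pipe shape that the published rule does not cover. The record field names, the sample filenames, and the broader regex are all assumptions made for the example.

```python
"""Added example: replay the Sigma selection over constructed file events,
decode the embedded payload, and flag a broader brace-expansion shape.
Field names mirror imFileEvent columns (TargetFileName, ActingProcessName);
the sample rows are constructed for this example, not real telemetry."""
import base64
import re
from typing import List, Optional

# Literal substrings from the Sigma rule's selection (substring match,
# case-insensitive, like KQL 'contains').
SIGMA_PATTERNS = ("{echo", "{base64,-d}")

# Hypothetical broader pattern (an assumption, NOT part of the published rule):
# a Bash brace group '{word,word,...}' immediately followed by a pipe. This is
# how a filename spells 'cmd arg | ...' without containing any spaces.
BRACE_PIPE_RE = re.compile(r"\{[A-Za-z0-9_./-]+(?:,[^{}|]*)+\}\s*\|")

# Base64 carried inside an echo brace group: {echo,<payload>}
ECHO_B64_RE = re.compile(r"\{echo,([A-Za-z0-9+/=]+)\}")

# Constructed sample rows. 'ZWNobyBwd25lZA==' is base64 for 'echo pwned'.
SAMPLE_EVENTS = [
    {"TargetFileName": "invoice.pdf{echo,ZWNobyBwd25lZA==}|{base64,-d}|bash",
     "ActingProcessName": "unrar"},
    {"TargetFileName": "quarterly-report.pdf",
     "ActingProcessName": "unrar"},
    # Plain Base64 in a name: no brace syntax, so the rule must not fire.
    {"TargetFileName": "backup-dXNlcmRhdGE=.tar.gz",
     "ActingProcessName": "backup.sh"},
    # Variant with a different command and decoder flag: missed by the two
    # Sigma literals, caught only by the broader (hypothetical) regex.
    {"TargetFileName": "notes.txt{printf,ZWNobyBwd25lZA==}|{base64,--decode}|sh",
     "ActingProcessName": "tar"},
]


def matches_sigma(target_filename: str) -> bool:
    """True if either rule literal occurs in the name, case-insensitively."""
    lower = target_filename.lower()
    return any(p in lower for p in SIGMA_PATTERNS)


def looks_like_brace_pipe(target_filename: str) -> bool:
    """True if the name contains a brace group feeding a pipe (broader shape)."""
    return BRACE_PIPE_RE.search(target_filename) is not None


def decode_embedded_payload(target_filename: str) -> Optional[str]:
    """Return the command hidden in {echo,<base64>}, or None if absent/invalid."""
    m = ECHO_B64_RE.search(target_filename)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-8", errors="replace")


def hunt(events: List[dict]) -> List[dict]:
    """Apply both checks to each row; return one triage record per hit."""
    hits = []
    for ev in events:
        name = ev["TargetFileName"]
        sigma_hit = matches_sigma(name)
        broad_hit = looks_like_brace_pipe(name)
        if sigma_hit or broad_hit:
            hits.append({
                "file": name,
                "process": ev["ActingProcessName"],
                "sigma": sigma_hit,
                "broad_only": broad_hit and not sigma_hit,
                "payload": decode_embedded_payload(name),
            })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Running the block prints two hits: the Sigma-matching name with its decoded payload, and the printf/--decode variant flagged only by the broader regex. The Base64-named backup archive is correctly ignored, which is the point worth remembering when reading the false-positive scenarios below: Base64 in a filename alone never triggers this rule.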
False Positive Scenarios
The rule matches only the literal brace-expansion strings {echo and {base64,-d}, not Base64 text in general, so each scenario below produces a hit only if the filename happens to contain one of those exact substrings. That is rare enough that every hit deserves a look before an exclusion is added; when one is needed, exclude on the creating process (ActingProcessName) rather than on a path alone, since the adversary controls where an extracted file lands. Exclusions are written against the imFileEvent fields used in the query above.
Scenario: Scheduled Backup Job Using Base64 Encoding
Description: A backup script encodes credential or configuration material into output filenames. Plain Base64 will not match; only a name that also carries the brace syntax would.
Filter/Exclusion: | where not(ActingProcessName contains "backup.sh" or TargetFilePath startswith "/backup/scripts/")
Scenario: Admin Task for Log Rotation with Base64 Parameters
Description: A log rotation configuration carries Base64-encoded compression or encryption settings that end up in rotated filenames.
Filter/Exclusion: | where not(ActingProcessName contains "logrotate" or TargetFilePath startswith "/etc/logrotate.d/")
Scenario: CI/CD Pipeline Artifact Naming with Base64 Encoding
Description: A pipeline Base64-encodes artifact names to avoid special characters in artifact storage; brace characters in such names would be unusual and worth confirming with the pipeline owner.
Filter/Exclusion: | where not(ActingProcessName contains "gitlab-ci" or TargetFilePath startswith "/artifacts/")
Scenario: Systemd Service File with Base64 Encoded Environment Variables
Description: A unit file embeds Base64-encoded environment variables to sidestep quoting and special-character restrictions; the encoded values live inside the unit, so the unit's own filename should never match.
Filter/Exclusion: | where not(ActingProcessName contains "systemd" or TargetFilePath startswith "/etc/systemd/system/")
Scenario: User-Generated Filename for File Upload with Base64 Encoding
Description: A web application stores uploads under Base64-encoded names. Upload directories are attacker-reachable, so a hit here is the case least suited to a blanket exclusion; confirm the application generates the name rather than preserving the user-supplied one.
Filter/Exclusion: | where not(ActingProcessName contains "nginx" or TargetFilePath startswith "/var/www/uploads/")