Adversaries may encode malicious URLs using base64 to evade detection and exfiltrate data or execute payloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential command and control channels or data exfiltration attempts.
IOC Summary

Threat: base64. Total URLs: 6. Active URLs: 6.
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://gitlab.com/elpolacodelsuroficial-group/elpolacodelsuroficial-project/-/raw/main/tumfuf.txt?ref_type=heads | online | malware_download | 2026-05-25 |
| hxxps://raw.githubusercontent.com/Respalditoxd122/cmd/refs/heads/main/CRYP2_cvtres.txt | online | malware_download | 2026-05-25 |
| hxxps://raw.githubusercontent.com/Respalditoxd122/cmd/refs/heads/main/tumfuf.txt | online | malware_download | 2026-05-25 |
| hxxps://gitlab.com/elpolacodelsuroficial-group/elpolacodelsuroficial-project/-/raw/main/class.txt?ref_type=heads | online | malware_download | 2026-05-25 |
| hxxps://gitlab.com/elpolacodelsuroficial-group/elpolacodelsuroficial-project/-/raw/main/TARRA_CL3.txt?ref_type=heads | online | malware_download | 2026-05-25 |
| hxxps://gitlab.com/elpolacodelsuroficial-group/elpolacodelsuroficial-project/-/raw/main/31agosto.txt?ref_type=heads | online | malware_download | 2026-05-25 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: base64
let malicious_domains = dynamic(["gitlab.com", "raw.githubusercontent.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: base64
let malicious_domains = dynamic(["gitlab.com", "raw.githubusercontent.com"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
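The two queries above key on the shared hosting domains, which will match a large volume of legitimate traffic to GitLab and GitHub. The following query is an added example, not part of the original hunt: it matches the specific IOC paths from the table, also checks for a base64-encoded copy of those paths inside the request URL (the threat this page is named for), and carries the exclusion ideas from the false-positive scenarios further down the page as tunable lists. The exclusion values marked PLACEHOLDER are assumptions to be replaced with values from your own environment.

```kql
// Added example: match the full IOC paths (plain or base64-encoded in the URL)
// and apply exclusions for the documented false-positive scenarios.
let ioc_paths = dynamic([
    "elpolacodelsuroficial-project/-/raw/main/tumfuf.txt",
    "Respalditoxd122/cmd/refs/heads/main/CRYP2_cvtres.txt",
    "Respalditoxd122/cmd/refs/heads/main/tumfuf.txt",
    "elpolacodelsuroficial-project/-/raw/main/class.txt",
    "elpolacodelsuroficial-project/-/raw/main/TARRA_CL3.txt",
    "elpolacodelsuroficial-project/-/raw/main/31agosto.txt"
]);
let backup_products = dynamic(["veeam", "acronis"]);        // backup-tool scenario
let admin_accounts  = dynamic(["PLACEHOLDER\\svc-admin"]);  // admin-automation scenario (placeholder)
let tooling_hosts   = dynamic(["PLACEHOLDER-logstash-01"]); // log-aggregation scenario (placeholder)
CommonSecurityLog
| where isnotempty(RequestURL)
// Pull the first base64-looking token (20+ chars) out of the URL and decode it.
// base64_decode_tostring yields empty output when the token is not valid base64.
| extend B64Token = extract(@"([A-Za-z0-9+/]{20,}={0,2})", 1, RequestURL)
| extend Decoded  = iff(isnotempty(B64Token), base64_decode_tostring(B64Token), "")
// Search both the raw URL and the decoded token for an IOC path.
| extend Haystack = strcat(RequestURL, " ", Decoded)
| extend iocs = ioc_paths
| mv-apply ioc = iocs to typeof(string) on (
      where Haystack contains ioc
  )
// Exclusions drawn from the false-positive scenarios; tune per environment.
| where not(DeviceProduct has_any (backup_products))
| where not(SourceUserName in~ (admin_accounts))
| where not(Computer in~ (tooling_hosts))
| project TimeGenerated, Computer, SourceIP, SourceUserName, DeviceProduct,
          DeviceAction, MatchedIoc = ioc, B64Token, RequestURL
| order by TimeGenerated desc
```

Because the match is on the repository and file path rather than the domain, a hit identifies which listed IOC was requested (MatchedIoc) and whether it arrived base64-encoded (B64Token non-empty), which is the evidence an analyst needs before treating the source host as a download or command-and-control candidate. Exclusions should be applied after the IOC match, as here, so that a backup or admin process fetching one of these exact files is still surfaced if the exclusion lists are later narrowed.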
Scenario: Scheduled Job for Data Backup Using Base64 Encoding
Description: A backup tool (e.g., Veeam, Acronis) may encode URLs in base64 as part of its configuration or logging process.
Filter/Exclusion: Exclude URLs containing known backup toolnames or processes (e.g., veeam, acronis, backup), or filter by process names associated with backup operations.
Scenario: Admin Task for URL Encoding in Automation Scripts
Description: System administrators may manually encode URLs in base64 for API calls or script automation (e.g., using base64 CLI tool or Python’s base64 module).
Filter/Exclusion: Exclude processes initiated by admin accounts or filter by user IDs associated with administrative tasks.
Scenario: Internal URL Shortening Service Using Base64
Description: An internal URL shortening service (e.g., Bitly, custom in-house solution) may encode URLs in base64 for storage or obfuscation.
Filter/Exclusion: Exclude URLs that match known internal shortening service domains or filter by IP ranges used by the internal service.
Scenario: Log Aggregation Tool with Base64 Encoding
Description: Log aggregation tools (e.g., ELK Stack, Splunk) may encode URLs in base64 during log processing or data normalization.
Filter/Exclusion: Exclude logs from known log aggregation tools or filter by process names like logstash, splunkd, or fluentd.
Scenario: Base64 Encoding in API Testing Tools
Description: Developers may use API testing tools (e.g., Postman, Insomnia) to encode URLs in base64 for testing purposes.
Filter/Exclusion: Exclude requests originating from development environments or filter by