Base64 Encoding
If you’re looking to detect malicious use of Base64 encoding, consider monitoring for the execution of processes like powershell.exe or cmd.exe along with command lines containing parameters like ToBase64String and FromBase64String. The following simple pseudo-analytic might help you find malicious obfuscation. Part of the RedCanary 2024 Threat Detection Report.
Sigma rule
```yaml
title: Base64 Encoding
id: 027b8851-d448-4a3e-8f2e-698433ba81e3
status: experimental
description: |
    If you’re looking to detect malicious use of Base64 encoding, consider monitoring for the
    execution of processes like powershell.exe or cmd.exe along with command lines containing
    parameters like ToBase64String and FromBase64String. The following simple pseudo-analytic
    might help you find malicious obfuscation. Part of the RedCanary 2024 Threat Detection
    Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/obfuscated-files-information/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.defense_evasion
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains: 'base64'
    condition: selection
falsepositives:
    - Unknown
level: low
```
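To show what the selection above actually matches, here is an added example (not part of the original page or of the Sigma project) that evaluates the rule's two field conditions against constructed process_creation events. It relies on one Sigma semantic worth knowing when tuning: `endswith` and `contains` compare case-insensitively, so the single value `'base64'` covers both `ToBase64String` and `FromBase64String`, but also any benign command line that merely mentions the word.

```python
# Minimal evaluator for the "Base64 Encoding" Sigma selection (added example, not
# the page's own code). Sigma string modifiers are case-insensitive by default;
# fields inside a selection are ANDed, listed values for one field are ORed.

SELECTION = {
    "Image|endswith": ["\\cmd.exe", "\\powershell.exe"],
    "CommandLine|contains": ["base64"],
}


def field_matches(field_spec: str, values: list, event: dict) -> bool:
    """Evaluate one 'Field|modifier' entry against an event, Sigma-style."""
    field, _, modifier = field_spec.partition("|")
    actual = str(event.get(field, "")).lower()      # case-insensitive compare
    for value in values:
        v = value.lower()
        if modifier == "endswith" and actual.endswith(v):
            return True
        if modifier == "contains" and v in actual:
            return True
        if modifier == "" and actual == v:           # plain equality, no modifier
            return True
    return False


def rule_matches(event: dict) -> bool:
    """condition: selection  ->  every field in the selection must match."""
    return all(field_matches(spec, vals, event) for spec, vals in SELECTION.items())


def matching_indices(events: list) -> list:
    """Return the positions of events the rule would alert on."""
    return [i for i, ev in enumerate(events) if rule_matches(ev)]


# Constructed sample events (not real telemetry); paths and arguments are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c \"[Convert]::FromBase64String('SGVsbG8=')\""},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo Exporting report as Base64"},   # benign, still matches
    {"Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe C:\\Users\\alice\\base64_notes.txt"},  # wrong Image
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c Get-Process"},                   # no keyword
]

if __name__ == "__main__":
    print("matching events:", matching_indices(SAMPLE_EVENTS))  # -> [0, 1]
```

The second event is the kind of hit the rule's `falsepositives: Unknown` leaves to the analyst: the `Image` filter limits noise to shells, but any mention of "base64" in a shell command line fires, which is why the page calls this a low-level pseudo-analytic rather than a high-fidelity alert.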
Related rules
- Gamarue Rundll32.exe Long Commandlines
- Obfuscated Commands - Command Shell
- Obfuscation and Escape Characters - Powershell
- PowerShell -encodedcommand Switch
- PowerShell Base64 Encoding