Potential Base64 Decoded From Images
Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.
Sigma rule

title: Potential Base64 Decoded From Images
id: 09a910bf-f71f-4737-9c40-88880ba5913d
status: experimental
description: |
    Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.
references:
    - https://www.virustotal.com/gui/file/16bafdf741e7a13137c489f3c8db1334f171c7cb13b62617d691b0a64783cc48/behavior
    - https://www.virustotal.com/gui/file/483fafc64a2b84197e1ef6a3f51e443f84dc5742602e08b9e8ec6ad690b34ed0/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-12-20
tags:
    - attack.defense-evasion
    - attack.t1140
logsource:
    product: macos
    category: process_creation
detection:
    # Example: /bin/bash sh -c tail -c +21453 '/Volumes/Installer/Installer.app/Contents/Resources/workout-logo.jpeg' | base64 --decode > /tmp/54A0A2CD-FAD1-4D4D-AAF5-5266F6344ABE.zip
    # VT Query: 'behavior_processes:"tail" (behavior_processes:"jpeg" or behavior_processes:"jpg" or behavior_processes:"png" or behavior_processes:"gif") behavior_processes:"base64" behavior_processes:"--decode >" and tag:dmg'
    selection_image:
        Image|endswith: '/bash'
    selection_view:
        CommandLine|contains|all:
            - 'tail'
            - '-c'
    selection_b64:
        CommandLine|contains|all:
            - 'base64'
            - '-d' # Also covers "--decode"
            - '>'
    selection_files:
        CommandLine|contains:
            - '.avif'
            - '.gif'
            - '.jfif'
            - '.jpeg'
            - '.jpg'
            - '.pjp'
            - '.pjpeg'
            - '.png'
            - '.svg'
            - '.webp'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
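To see how the four selections combine under `all of selection_*`, here is an added Python example (not part of the Sigma project or this rule's repository) that evaluates the rule's logic over constructed process_creation events; it assumes events are dicts with `Image` and `CommandLine` fields and applies Sigma's default case-insensitive string matching.

```python
# Added example: re-implements this rule's detection logic over constructed events.
# Assumption: each event is a dict with "Image" and "CommandLine" keys (Sigma field names).

IMAGE_EXTS = ('.avif', '.gif', '.jfif', '.jpeg', '.jpg',
              '.pjp', '.pjpeg', '.png', '.svg', '.webp')


def _contains_all(haystack, needles):
    return all(n in haystack for n in needles)


def matches_rule(event):
    """True when the event satisfies 'all of selection_*'.

    Sigma string modifiers are case-insensitive by default, so both fields are lowercased.
    """
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    selection_image = image.endswith("/bash")
    selection_view = _contains_all(cmd, ("tail", "-c"))
    selection_b64 = _contains_all(cmd, ("base64", "-d", ">"))  # '-d' also matches '--decode'
    selection_files = any(ext in cmd for ext in IMAGE_EXTS)
    return selection_image and selection_view and selection_b64 and selection_files


# Constructed sample events; the first mirrors the command line quoted in the rule's comment.
SAMPLE_EVENTS = [
    {"Image": "/bin/bash",
     "CommandLine": "/bin/bash sh -c tail -c +21453 '/Volumes/Installer/Installer.app/Contents/"
                    "Resources/workout-logo.jpeg' | base64 --decode > /tmp/54A0A2CD-FAD1-4D4D-AAF5-5266F6344ABE.zip"},
    # Same pattern with the short -d flag and a .png: still matched
    {"Image": "/bin/bash", "CommandLine": 'bash -c "tail -c +4096 logo.png | base64 -d > /tmp/out"'},
    # Benign: tail on a log file, no base64 decode
    {"Image": "/bin/bash", "CommandLine": 'bash -c "tail -c 100 /var/log/system.log"'},
    # Benign: base64 decode of a text blob, no image extension in the command line
    {"Image": "/bin/bash", "CommandLine": 'bash -c "tail -c +1 blob.txt | base64 -d > out.bin"'},
    # Not bash: the rule is scoped to bash by selection_image, so this is a true negative
    {"Image": "/bin/zsh", "CommandLine": 'zsh -c "tail -c +4096 logo.png | base64 -d > /tmp/out"'},
]


def scan(events):
    """Return the indices of events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    for i in scan(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Only the first two events fire; the negatives show that each selection is required, so a detection engineer can check which selection a tuning change would weaken.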
Related rules
- Base64 Encoded PowerShell Command Detected
- DNS-over-HTTPS Enabled by Registry
- Linux Base64 Encoded Pipe to Shell
- Linux Base64 Encoded Shebang In CLI
- Linux Shell Pipe to Shell