Potential Base64 Decoded From Images

Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.

Sigma rule

title: Potential Base64 Decoded From Images
id: 09a910bf-f71f-4737-9c40-88880ba5913d
status: experimental
description: |
    Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.
references:
    - https://www.virustotal.com/gui/file/16bafdf741e7a13137c489f3c8db1334f171c7cb13b62617d691b0a64783cc48/behavior
    - https://www.virustotal.com/gui/file/483fafc64a2b84197e1ef6a3f51e443f84dc5742602e08b9e8ec6ad690b34ed0/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-12-20
tags:
    - attack.defense-evasion
    - attack.t1140
logsource:
    product: macos
    category: process_creation
detection:
    # Example:  /bin/bash sh -c tail -c +21453 '/Volumes/Installer/Installer.app/Contents/Resources/workout-logo.jpeg' | base64 --decode > /tmp/54A0A2CD-FAD1-4D4D-AAF5-5266F6344ABE.zip
    # VT Query: 'behavior_processes:"tail" (behavior_processes:"jpeg" or behavior_processes:"jpg" or behavior_processes:"png" or behavior_processes:"gif") behavior_processes:"base64" behavior_processes:"--decode >" and tag:dmg'
    selection_image:
        Image|endswith: '/bash'
    selection_view:
        CommandLine|contains|all:
            - 'tail'
            - '-c'
    selection_b64:
        CommandLine|contains|all:
            - 'base64'
            - '-d' # Also covers "--decode"
            - '>'
    selection_files:
        CommandLine|contains:
            - '.avif'
            - '.gif'
            - '.jfif'
            - '.jpeg'
            - '.jpg'
            - '.pjp'
            - '.pjpeg'
            - '.png'
            - '.svg'
            - '.webp'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
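
Added example (not part of the rule or the Sigma project's code): a small Python evaluator that applies this rule's four selections to process_creation events, useful for checking what the rule matches before deploying it. The events are constructed samples (the first reuses the command line from the rule's own comment), the function names are hypothetical, and the matching assumes Sigma's default case-insensitive string comparison.

```python
# Added example: evaluates the rule's "all of selection_*" condition on sample events.
IMAGE_EXTS = ['.avif', '.gif', '.jfif', '.jpeg', '.jpg',
              '.pjp', '.pjpeg', '.png', '.svg', '.webp']

def selections(event):
    """Return each selection's result for one process_creation event."""
    image = event.get("Image", "").lower()       # Sigma matching is case-insensitive
    cmd = event.get("CommandLine", "").lower()
    return {
        "selection_image": image.endswith("/bash"),
        "selection_view": all(s in cmd for s in ("tail", "-c")),         # contains|all
        "selection_b64": all(s in cmd for s in ("base64", "-d", ">")),   # contains|all
        "selection_files": any(s in cmd for s in IMAGE_EXTS),            # contains (any)
    }

def matches(event):
    """condition: all of selection_*"""
    return all(selections(event).values())

def failed(event):
    """Names of the selections that did not match, for tuning and triage."""
    return sorted(name for name, hit in selections(event).items() if not hit)

# Constructed sample events (field names follow the rule's logsource).
EVENTS = [
    # 0: the one-liner from the rule's comment, logged for the bash process
    {"Image": "/bin/bash",
     "CommandLine": "/bin/bash sh -c tail -c +21453 '/Volumes/Installer/Installer.app/"
                    "Contents/Resources/workout-logo.jpeg' | base64 --decode > "
                    "/tmp/54A0A2CD-FAD1-4D4D-AAF5-5266F6344ABE.zip"},
    # 1: the child tail process of the same pipeline; only the bash event carries the pipe
    {"Image": "/usr/bin/tail",
     "CommandLine": "tail -c +21453 /Volumes/Installer/Installer.app/Contents/"
                    "Resources/workout-logo.jpeg"},
    # 2: ordinary log inspection from bash
    {"Image": "/bin/bash",
     "CommandLine": "bash -c tail -c 200 /var/log/install.log | grep error"},
    # 3: unrelated decode and tail in one line; substrings match in any order
    {"Image": "/bin/bash",
     "CommandLine": "bash -c base64 -D -i /tmp/thumb.b64 > /tmp/thumb.png; "
                    "tail -c 64 /tmp/thumb.png"},
]

if __name__ == "__main__":
    for i, ev in enumerate(EVENTS):
        print(i, "MATCH" if matches(ev) else "no match", failed(ev))
```

Event 3 shows that the selections are independent substring tests with no ordering between tail, base64 and the image file, which is worth knowing when triaging hits given that the rule lists its false positives as unknown.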
