Large Base64 blobs in metadata fields may indicate embedded shellcode that adversaries use to evade detection and execute malicious payloads. Proactively hunting for this behavior in Azure Sentinel helps identify potential stealthy malware delivery mechanisms before they are executed.
YARA Rule
rule shellcode_blob_metadata : PDF raw
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        description = "When there's a large Base64 blob inserted into metadata fields it often indicates shellcode to later be decoded"
        weight = 4
    strings:
        $magic = { 25 50 44 46 }
        $reg_keyword = /\/Keywords.?\(([a-zA-Z0-9]{200,})/ // ~6k was observed in BHEHv2 PDF exploits holding the shellcode
        $reg_author = /\/Author.?\(([a-zA-Z0-9]{200,})/
        $reg_title = /\/Title.?\(([a-zA-Z0-9]{200,})/
        $reg_producer = /\/Producer.?\(([a-zA-Z0-9]{200,})/
        $reg_creator = /\/Creator.?\(([a-zA-Z0-9]{300,})/
        $reg_create = /\/CreationDate.?\(([a-zA-Z0-9]{200,})/
    condition:
        $magic in (0..1024) and 1 of ($reg*)
}
This rule contains 7 string patterns in its detection logic.
Scenario: Encrypted Backup File with Base64 Metadata
Description: A backup file (e.g., from Veeam or Acronis) contains Base64-encoded metadata due to encryption or compression.
Filter/Exclusion: Use a file_name filter to exclude known backup tools (e.g., veeam, acronis) or apply a process_name filter to exclude backup services like veeambackup.exe.
Scenario: Scheduled Job Exporting Data to CSV with Base64 Encoding
Description: A scheduled job (e.g., using PowerShell or Python scripts) exports data to CSV and uses Base64 encoding for special characters.
Filter/Exclusion: Apply a process_name filter to exclude known scripting tools (e.g., powershell.exe, python.exe) or use a file_extension filter to exclude .csv files.
Scenario: Log File with Base64 Encoded Entries for Debugging
Description: A system log file (e.g., from Splunk or ELK stack) includes Base64-encoded entries for debugging purposes.
Filter/Exclusion: Use a file_path filter to exclude log directories (e.g., C:\ProgramData\splunk\logs\) or apply a process_name filter to exclude log management tools like splunkforwarder.exe.
Scenario: User-Uploaded File with Base64 Metadata for Image or PDF Conversion
Description: A user uploads a file (e.g., an image or PDF) that contains Base64-encoded metadata during conversion via a tool like ImageMagick or Ghostscript.
Filter/Exclusion: Use a file_mime_type filter to exclude image or PDF types, or apply a process_name filter to exclude conversion tools like convert.exe.
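As an added example (not part of the original rule or of the author's tooling), the following Python re-implements the rule's condition with the standard `re` module, so the six metadata regexes and the `%PDF` magic check can be exercised against constructed PDF fragments without a YARA install. It also makes the scope of the rule concrete for the false-positive scenarios above: because the condition requires `%PDF` within the first 1024 bytes, a backup archive, CSV export or log file carrying a long alphanumeric run in a `/Keywords (...)`-looking string never matches, whatever its metadata looks like. The `build_pdf` helper, the sample byte strings and all constants are the example's own constructions; the "suspicious" sample is a run of the letter `A`, not a payload.

```python
"""Python re-implementation of the logic in the shellcode_blob_metadata YARA rule.

Added example: mirrors the rule's $magic and $reg_* strings and its condition so the
thresholds can be checked against constructed inputs. Not the rule author's code.
"""
import re

MAGIC = b"%PDF"          # the rule's $magic = { 25 50 44 46 }
MAGIC_WINDOW = 1024      # $magic in (0..1024): the string may start at offsets 0..1024

# One compiled pattern per $reg_* string. Syntax is identical to the YARA regexes:
# field name, at most one arbitrary byte (typically a space), a literal '(' and then a
# run of alphanumerics at least N long. Only /Creator uses the higher 300 threshold.
METADATA_PATTERNS = {
    "Keywords":     re.compile(rb"/Keywords.?\(([a-zA-Z0-9]{200,})"),
    "Author":       re.compile(rb"/Author.?\(([a-zA-Z0-9]{200,})"),
    "Title":        re.compile(rb"/Title.?\(([a-zA-Z0-9]{200,})"),
    "Producer":     re.compile(rb"/Producer.?\(([a-zA-Z0-9]{200,})"),
    "Creator":      re.compile(rb"/Creator.?\(([a-zA-Z0-9]{300,})"),
    "CreationDate": re.compile(rb"/CreationDate.?\(([a-zA-Z0-9]{200,})"),
}


def has_pdf_magic(data: bytes) -> bool:
    """True if '%PDF' begins at some offset in 0..1024 (YARA's '$magic in (0..1024)')."""
    # find() only reports a hit if the whole 4-byte string lies before the end bound,
    # so an end of MAGIC_WINDOW + len(MAGIC) admits start offsets up to 1024 inclusive.
    return data.find(MAGIC, 0, MAGIC_WINDOW + len(MAGIC)) != -1


def matching_fields(data: bytes) -> dict:
    """Return {field_name: captured_blob_length} for every $reg_* pattern that fires."""
    hits = {}
    for name, pattern in METADATA_PATTERNS.items():
        match = pattern.search(data)
        if match:
            hits[name] = len(match.group(1))
    return hits


def rule_matches(data: bytes) -> bool:
    """The rule's condition: $magic in (0..1024) and 1 of ($reg*)."""
    return has_pdf_magic(data) and bool(matching_fields(data))


def build_pdf(fields: dict) -> bytes:
    """Construct a minimal PDF-shaped byte string with an /Info-style dictionary.

    Constructed sample for testing only; it is not a valid, renderable PDF.
    """
    info = b"".join(b"/%s (%s)\n" % (key.encode(), value) for key, value in fields.items())
    return b"%PDF-1.4\n1 0 obj\n<<\n" + info + b">>\nendobj\n%%EOF\n"


# Constructed samples (all hypothetical).
BENIGN_PDF = build_pdf({
    b"Title".decode(): b"Quarterly report",
    "Author": b"Jane Doe",
    "Producer": b"LibreOffice 7.6",
})
# 240 alphanumerics in /Keywords stands in for a Base64-looking blob; the rule fires.
SUSPICIOUS_PDF = build_pdf({"Title": b"Invoice", "Keywords": b"A" * 240})
# The same run inside a non-PDF container: $reg_keyword fires but $magic does not,
# which is why backup, CSV and log files cannot trigger this rule.
NON_PDF_BLOB = b"BACKUP\x00" + b"/Keywords (" + b"A" * 240 + b")"
# /Creator has a 300-character threshold, so a 250-character value stays silent.
CREATOR_UNDER_THRESHOLD = build_pdf({"Creator": b"B" * 250})


if __name__ == "__main__":
    for label, sample in [("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF),
                          ("non-pdf", NON_PDF_BLOB), ("creator<300", CREATOR_UNDER_THRESHOLD)]:
        print(f"{label:12s} magic={has_pdf_magic(sample)!s:5s} "
              f"fields={matching_fields(sample)} match={rule_matches(sample)}")
```

Two properties of the regexes are worth keeping in mind when tuning exclusions. The character class `[a-zA-Z0-9]` does not include `+`, `/` or `=`, so a genuine Base64 string is only matched on its longest run of letters and digits; a blob whose first `+` or `/` falls before the 200th character will not trigger the rule. Metadata written as a PDF hex string (`/Keywords <...>`) or carried in an XMP stream is not inspected at all, because every pattern requires a literal `(` after the field name.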