Adversaries may execute Base64-decoded payloads to obfuscate malicious binaries and evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential malware execution attempts masked by encoding techniques.
KQL Query

```kusto
DeviceProcessEvents
| where Timestamp > ago(14d)
| where ProcessCommandLine contains ".decode('base64')"
    or ProcessCommandLine contains ".b64decode("
    or ProcessCommandLine contains "base64 --decode"
    or ProcessCommandLine contains ".decode64("
| project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessCommandLine
| top 100 by Timestamp
```
```yaml
id: 0c068643-049c-4c10-8771-ef3865627aa2
name: ExecuteBase64DecodedPayload
description: |
  Process executed from binary hidden in Base64 encoded file. Encoding malicious software is a
  technique to obfuscate files from detection.
  The first and second ProcessCommandLine components look for Python decoding Base64.
  The third ProcessCommandLine component looks for the Bash/sh command-line base64 decoding tool.
  The fourth one looks for Ruby decoding Base64.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
query: |
  DeviceProcessEvents
  | where Timestamp > ago(14d)
  | where ProcessCommandLine contains ".decode('base64')"
      or ProcessCommandLine contains ".b64decode("
      or ProcessCommandLine contains "base64 --decode"
      or ProcessCommandLine contains ".decode64("
  | project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessCommandLine
  | top 100 by Timestamp
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Base64 encoding of a legitimate script for transfer
Description: A system administrator encodes a PowerShell script using Base64 to transfer it securely over a network.
Filter/Exclusion: Exclude processes where the decoded payload matches known legitimate scripts (e.g., powershell.exe with -EncodedCommand and decoded content matching a known admin tool like Invoke-Command or Get-ChildItem).
Scenario: Scheduled job using Base64 encoded command
Description: A scheduled task runs a Base64 encoded command to perform routine system maintenance, such as log rotation or backup.
Filter/Exclusion: Exclude processes originating from the Task Scheduler (schtasks.exe or Task Scheduler service) and where the decoded command matches known maintenance scripts.
Scenario: Base64 encoded payload in a configuration file
Description: A configuration file contains Base64 encoded data (e.g., credentials or API keys) that is decoded and used by a legitimate application.
Filter/Exclusion: Exclude processes that decode Base64 content from known configuration files (e.g., appsettings.json, config.xml) and are associated with trusted applications (e.g., nginx, IIS, SQL Server).
Scenario: Admin task using Base64 encoded command for remote execution
Description: An admin uses a Base64 encoded command to execute a remote PowerShell script via Invoke-Command for patching or configuration.
Filter/Exclusion: Exclude processes where the decoded command is associated with known administrative tasks (e.g., PSRemoting, Invoke-Command, Test-Connection) and the source is a trusted admin workstation.
Scenario: Base64 encoded data in a log file for analysis
Description: A log file contains Base6
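As an added example (not part of this hunting query page or of the Sentinel content), the Python script below emulates the query's four `contains` tests over a handful of constructed DeviceProcessEvents rows and then applies the exclusions from the scenario list above, so the scenario text can be exercised as working logic. The host names, maintenance script names, the IIS and SQL Server binary names (w3wp.exe, sqlservr.exe), the Task Scheduler parent strings and the simplified -EncodedCommand parsing are all assumptions, as are the sample rows themselves. The sample also makes one gap visible: a PowerShell -EncodedCommand launch contains none of the query's four substrings, so the -EncodedCommand exclusions in the scenarios only come into play if the query is extended to match that form.

```python
"""Offline emulation of the hunt's `where` clause plus the scenario exclusions (added example)."""
import base64
import re

PATTERNS = [".decode('base64')", ".b64decode(", "base64 --decode", ".decode64("]  # the query's four tests

# Allowlists derived from the scenarios; every concrete value here is an assumption.
KNOWN_ADMIN_CMDLETS = ("Invoke-Command", "Get-ChildItem", "Test-Connection")
TRUSTED_ADMIN_HOSTS = ("admin-ws01",)
KNOWN_CONFIG_FILES = ("appsettings.json", "config.xml")
TRUSTED_APPS = ("nginx", "w3wp.exe", "sqlservr.exe")  # assumed nginx / IIS / SQL Server binaries
KNOWN_MAINTENANCE = ("logrotate", "backup.sh")
SCHEDULER_PARENTS = ("schtasks.exe", "-s schedule")   # schtasks or the Task Scheduler svchost

# A whole Base64 token (standard alphabet, 8+ chars, length a multiple of 4).
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])((?:[A-Za-z0-9+/]{4}){2,}"
                       r"(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)(?![A-Za-z0-9+/=])")
# Simplified PowerShell -EncodedCommand switch (PowerShell accepts any unambiguous prefix).
ENC_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

def kql_contains(haystack, needle):
    """KQL `contains` is a case-insensitive substring test."""
    return needle.lower() in haystack.lower()

def matches_query(event):
    """The hunt's `where` clause: any of the four decode idioms in the command line."""
    return any(kql_contains(event["ProcessCommandLine"], p) for p in PATTERNS)

def decoded_payload(cmdline):
    """Best-effort recovery of the text a command line decodes; None if unknown."""
    m = ENC_CMD.search(cmdline)
    if m:  # PowerShell encodes the script as UTF-16LE before Base64
        try:
            return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    for m in B64_TOKEN.finditer(cmdline):  # first quoted/unquoted token that decodes
        try:
            return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:
            continue
    return None

def exclusion_reason(event):
    """Apply the scenario exclusions; return a reason to suppress, or None to escalate."""
    cmd, parent = event["ProcessCommandLine"], event["InitiatingProcessCommandLine"]
    decoded = decoded_payload(cmd) or ""
    # Scheduled job: Task Scheduler parent and a known maintenance script.
    if (any(kql_contains(parent, s) for s in SCHEDULER_PARENTS)
            and any(k in decoded for k in KNOWN_MAINTENANCE)):
        return "scheduled maintenance job"
    # Trusted application (process or parent) decoding a known configuration file.
    if (any(kql_contains(event["FileName"], a) or kql_contains(parent, a) for a in TRUSTED_APPS)
            and any(kql_contains(cmd, f) for f in KNOWN_CONFIG_FILES)):
        return "trusted app reading known config file"
    # Known admin cmdlet, and only when launched from a trusted admin workstation.
    if (any(c in decoded for c in KNOWN_ADMIN_CMDLETS)
            and event["DeviceName"].lower() in TRUSTED_ADMIN_HOSTS):
        return "known admin task from trusted workstation"
    return None

def triage(events, limit=100):
    """Emulate the hunt (newest `limit` hits), then split them into escalate / suppressed."""
    hits = sorted((e for e in events if matches_query(e)),
                  key=lambda e: e["Timestamp"], reverse=True)[:limit]
    escalate, suppressed = [], []
    for e in hits:
        reason = exclusion_reason(e)
        if reason:
            suppressed.append((e, reason))
        else:
            escalate.append(e)
    return escalate, suppressed

def b64(text, enc="utf-8"):  # helper for building the constructed sample rows below
    return base64.b64encode(text.encode(enc)).decode()

def ev(ts, host, file, folder, cmd, parent):  # constructed DeviceProcessEvents row
    return {"Timestamp": ts, "DeviceName": host, "FileName": file, "FolderPath": folder,
            "ProcessCommandLine": cmd, "InitiatingProcessCommandLine": parent}

PS_SCRIPT = "Get-ChildItem C:\\Temp"
SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    ev("2024-05-01T10:00:00Z", "web02", "python3", "/usr/bin",
       f"python3 -c \"import base64;exec(base64.b64decode('{b64('print(1)')}'))\"", "/bin/bash"),
    ev("2024-05-01T10:05:00Z", "build01", "bash.exe", "C:\\Windows\\System32",
       f"bash.exe -c \"echo {b64('logrotate /etc/logrotate.conf')} | base64 --decode | sh\"",
       "svchost.exe -k netsvcs -p -s Schedule"),
    ev("2024-05-01T10:10:00Z", "web03", "python3", "/usr/bin",
       "python3 -c \"import base64,json;print(base64.b64decode(json.load(open('appsettings.json'))['key']))\"",
       "/usr/sbin/nginx -g \"daemon off;\""),
    ev("2024-05-01T10:15:00Z", "admin-ws01", "powershell.exe", "C:\\Windows\\System32",
       f"powershell.exe -NoProfile -EncodedCommand {b64(PS_SCRIPT, 'utf-16-le')}", "explorer.exe"),
    ev("2024-05-01T10:20:00Z", "srv04", "ruby", "/usr/bin",
       f"ruby -e \"eval(Base64.decode64('{b64('puts 1')}'))\"", "/bin/sh"),
    ev("2024-05-01T10:25:00Z", "legacy01", "python", "/usr/bin",
       f"python -c \"exec('{b64('print 1')}'.decode('base64'))\"", "/bin/bash"),
]
```

Calling `triage(SAMPLE_EVENTS)` returns the rows to escalate (the Python, Ruby and Python 2 decode launches) and the suppressed rows with their reasons (the nginx-spawned config read and the Task Scheduler maintenance job); the -EncodedCommand row is never a hit. In Sentinel the same exclusions would be expressed as extra `where` clauses on InitiatingProcessCommandLine, FileName and DeviceName, with the decoded-content checks done in a follow-up query or at triage time rather than in the hunt itself.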