decode data using Base64 via WinAPI

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: decode data using Base64 via WinAPI
    namespace: data-manipulation/encoding/base64
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: basic block
      dynamic: call
    att&ck:
      - Defense Evasion::Deobfuscate/Decode Files or Information [T1140]
    examples:
      - mimikatz.exe_:0x40D742
  features:
    - and:
      - or:
        # number: 0x0 = CRYPT_STRING_BASE64HEADER (with certificate beginning and ending headers), FPs too likely for 0
        - number: 0x1 = dwFlags=CRYPT_STRING_BASE64  # without headers
        - number: 0x6 = dwFlags=CRYPT_STRING_BASE64_ANY  # tries: CRYPT_STRING_BASE64HEADER, CRYPT_STRING_BASE64
        - number: 0x7 = dwFlags=CRYPT_STRING_ANY  # tries: CRYPT_STRING_BASE64HEADER, CRYPT_STRING_BASE64, CRYPT_STRING_BINARY
      - api: CryptStringToBinary

last edited: 2023-11-24 10:35:00