data-manipulation/encoding/base64
rule:
meta:
name: encode data using Base64
namespace: data-manipulation/encoding/base64
authors:
- moritz.raabe@mandiant.com
- anushka.virgaonkar@mandiant.com
- michael.hunhoff@mandiant.com
scopes:
static: function
dynamic: unsupported
att&ck:
- Defense Evasion::Obfuscated Files or Information [T1027]
mbc:
- Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm [E1027.m02]
- Data::Encode Data::Base64 [C0026.001]
examples:
- BFB9B5391A13D0AFD787E87AB90F14F5:0x1314889C
- 074072B261FC27B65C72671F13510C05:0x100049B2
- 5DB2D2BE20D59AA0BE6709A6850F1775:0x18001CC30
- 08AC667C65D36D6542917655571E61C8:0x406EAA
features:
- or:
- and:
- mnemonic: shl
- mnemonic: shr
- number: 0x3F = modulo 64
- or:
- number: 0x3D = '='
- number: 0x3D3D = '=='
- match: contain loop
- optional:
- number: 2
- number: 3
- number: 4
- number: 6
- number: 0xF
- string: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
- api: System.Convert::ToBase64String
- api: System.Convert::ToBase64CharArray
- api: System.Convert::TryToBase64Chars
last edited: 2023-11-24 10:35:00