
Base64
Base64 is used to represent binary data as an ASCII string. It is a simple, reversible encoding (not encryption) and is commonly found in malware.
Code Snippets
package main
import (
"encoding/base64"
"fmt"
"os"
)
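// main Base64-encodes the first command-line argument with the standard
// alphabet, prints the encoded form, then decodes that output again and
// prints the round-tripped text.
//
// Base64 is a reversible encoding, not encryption: anyone who sees the
// output can recover the input, so it gives no confidentiality.
func main() {
	// Guard against a missing argument; indexing os.Args[1] directly would
	// abort with an index-out-of-range panic.
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: pass the text to encode as the first argument")
		os.Exit(1)
	}
	input := os.Args[1]

	encoded := base64.StdEncoding.EncodeToString([]byte(input))
	fmt.Println(encoded)

	decoded, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		// Report the real cause instead of the opaque literal "error".
		fmt.Fprintf(os.Stderr, "decoding %q: %v\n", encoded, err)
		os.Exit(1)
	}
	fmt.Println(string(decoded))
}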
Detection Rules
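# Sigma rule: flags a process whose command line contains a PowerShell
# DownloadFile call whose argument is built by decoding a Base64 string.
title: Powershell download file from base64 url
status: experimental
description: Powershell download file from base64 url
author: Joe Security
date: 2020-04-13
id: 200072
# NOTE(review): threatname, behaviorgroup, classification and mitreattack are
# not core Sigma fields; presumably vendor metadata. threatname and
# mitreattack are left empty by the author.
threatname:
behaviorgroup: 1
classification: 8
mitreattack:
logsource:
  # Needs process-creation telemetry that records the full command line.
  category: process_creation
  product: windows
detection:
  selection:
    # Wildcard substring match on this one call chain only. It fires only when
    # the decode-and-download expression is visible in the process command
    # line, so treat it as one signal alongside broader PowerShell logging
    # rather than as sole coverage.
    CommandLine:
      - '*.downloadfile([system.text.encoding]::ascii.getstring([system.convert]::frombase64string(*'
  condition: selection
level: critical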