-
Notifications
You must be signed in to change notification settings - Fork 164
/
decode-data-using-base64-via-dword-translation-table.yml
26 lines (26 loc) · 1.52 KB
/
decode-data-using-base64-via-dword-translation-table.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
rule:
meta:
name: decode data using Base64 via dword translation table
namespace: data-manipulation/encoding/base64
author: [email protected]
scope: function
att&ck:
- Defense Evasion::Obfuscated Files or Information [T1027]
mbc:
- Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm [E1027.m02]
- Data::Encode Data::Base64 [C0026.001]
examples:
- 9efa86b43b4367bcdc1591aee59bda25:0x10001000
features:
- and:
- mnemonic: shl
- or:
- mnemonic: sar
- mnemonic: shr
- match: contain loop
- number: 2
- number: 3
- number: 4
- number: 6
- number: 0xF
- bytes: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 3E 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF 3F 00 00 00 34 00 00 00 35 00 00 00 36 00 00 00 37 00 00 00 38 00 00 00 39 00 00 00 3A 00 00 00 3B 00 00 00 3C 00 00 00 3D 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF = hardcoded base64 translation table (first 64 of 256 dwords)