-
Notifications
You must be signed in to change notification settings - Fork 164
/
Copy pathencode-data-using-base64-via-winapi.yml
29 lines (29 loc) · 1.5 KB
/
encode-data-using-base64-via-winapi.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
rule:
meta:
name: encode data using Base64 via WinAPI
namespace: data-manipulation/encoding/base64
authors:
scopes:
static: basic block
dynamic: call
att&ck:
- Defense Evasion::Obfuscated Files or Information [T1027]
examples:
- mimikatz.exe_:0x40622D
features:
- and:
- or:
# number: 0x0 = CRYPT_STRING_BASE64HEADER (with certificate beginning and ending headers), FPs too likely for 0
- number: 0x1 = dwFlags=CRYPT_STRING_BASE64 # without headers
- number: 0x3 = dwFlags=CRYPT_STRING_BASE64REQUESTHEADER # with request beginning and ending headers
- number: 0x9 = dwFlags=CRYPT_STRING_BASE64X509CRLHEADER # with X.509 CRL beginning and ending headers
# CRYPT_STRING_NOCRLF = 0x40000000, do not append any new line characters to the encoded string
- number: 0x40000001 = dwFlags=CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF
- number: 0x40000003 = dwFlags=CRYPT_STRING_BASE64REQUESTHEADER | CRYPT_STRING_NOCRLF
- number: 0x40000009 = dwFlags=CRYPT_STRING_BASE64X509CRLHEADER | CRYPT_STRING_NOCRLF
# CRYPT_STRING_NOCR = 0x80000000, only use the line feed (LF) character
- number: 0x80000001 = dwFlags=CRYPT_STRING_BASE64 | CRYPT_STRING_NOCR
- number: 0x80000003 = dwFlags=CRYPT_STRING_BASE64REQUESTHEADER | CRYPT_STRING_NOCR
- number: 0x80000009 = dwFlags=CRYPT_STRING_BASE64X509CRLHEADER | CRYPT_STRING_NOCR
- api: CryptBinaryToString