Learning Aid - Top Base64 Encodings Table
MITRE ATT4CK - T1132 - Data Encoding
| Base64 Code | Mnemonic Aid | Decoded* | Description |
|---|---|---|---|
JAB |
$. |
Variable declaration (UTF-16) | |
TVq |
MZ |
MZ header | |
UEs |
PK |
ZIP, Office documents | |
SUVY |
IEX |
PowerShell Invoke Expression | |
SQBFAF |
I.E. |
PowerShell Invoke Expression (UTF-16) | |
SQBuAH |
I.n. |
PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz |
|
PAA |
<. |
Often used by Emotet (UTF-16) | |
cwBhA |
s.a. |
Often used in malicious droppers (UTF-16) 'sal' instead of 'var' | |
aWV4 |
iex |
PowerShell Invoke Expression | |
aQBlA |
i.e. |
PowerShell Invoke Expression (UTF-16) | |
R2V0 |
Get |
Often used to obfuscate imports like GetCurrentThreadId | |
dmFy |
var |
Variable declaration | |
dgBhA |
debugger + high availability | v.a. |
Variable declaration (UTF-16) |
dXNpbm |
Dixon problem | usin |
Often found in compile after delivery attacks |
H4sIA |
gzip magic bytes (0x1f8b), e.g. echo 'test' | gzip -cf | base64 |
||
Y21k |
cmd |
As used in cmd.exe /c wscript.exe or the like |
|
Qzpc |
C:\ |
Root of Windows partition (upper case) | |
Yzpc |
c:\ |
Root of Windows partition (lower case) | |
ey |
{ |
Indicates JSON data | |
IAB |
🥱 I am bored | s |
wide lower case s, often something like sEt-iTem |
* the . stands for 0x00
Cyber Chef Recipe
References
Tweet
Tweet and Thread https://twitter.com/cyb3rops/status/1187341941794660354
JAB
PAA
Emotet process command line https://app.any.run/tasks/dfba6d53-7a93-4d8b-86ba-4e737ad06b06/
cwBha
Explanation https://threat.tevora.com/5-minute-forensics-decoding-powershell-payloads/