MITRE ATT&CK - T1132 - Data Encoding
Base64 Code | Decoded (. = 0x00) | Description | MITRE ID |
---|---|---|---|
JAB | $. | Variable declaration (UTF-16) | T1086 |
TVq | MZ | MZ header | T1001 |
UEs | PK | ZIP, Office documents | T1001 |
SUVY | IEX | PowerShell Invoke Expression | T1086 |
SQBFAF | I.E. | PowerShell Invoke Expression (UTF-16) | T1086 |
PAA | <. | Often used in Emotet command lines (UTF-16) | T1086 |
cwBhA | s.a. | Often used in malicious droppers (UTF-16), 'sal' instead of 'var' | T1086 |
aWV4 | iex | PowerShell Invoke Expression | T1086 |
aQBlA | i.e. | PowerShell Invoke Expression (UTF-16) | T1086 |
R2V0 | Get | Often used to obfuscate imports like GetCurrentThreadId | T1001 |
dmFy | var | Variable declaration | T1064 |
dgBhA | v.a. | Variable declaration (UTF-16) | T1064 |
dXNpbm | usin | Often found in compile after delivery attacks | T1500 |
Tweet and Thread https://twitter.com/cyb3rops/status/1187341941794660354
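
The table above applied as detection logic, in an added Python example that is not part of the original cheat sheet: it pulls Base64-looking tokens out of command lines, flags those that start with a listed prefix, and decodes them so an analyst can confirm the hit. The helper names, the 16-character token threshold and the sample command lines are assumptions constructed for illustration.

```python
import base64
import re

# Rows from the table above: (Base64 prefix, decoded text is UTF-16, MITRE ID).
PREFIXES = [
    ("JAB", True, "T1086"), ("TVq", False, "T1001"), ("UEs", False, "T1001"),
    ("SUVY", False, "T1086"), ("SQBFAF", True, "T1086"), ("PAA", True, "T1086"),
    ("cwBhA", True, "T1086"), ("aWV4", False, "T1086"), ("aQBlA", True, "T1086"),
    ("R2V0", False, "T1001"), ("dmFy", False, "T1064"), ("dgBhA", True, "T1064"),
    ("dXNpbm", False, "T1500"),
]
# Candidate blobs: runs of the Base64 alphabet; the 16-char minimum is an assumption.
TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def preview(token, utf16, limit=40):
    """Decode the start of a flagged blob so an analyst can confirm the hit."""
    body = token.rstrip("=")
    if len(body) % 4 == 1:  # impossible Base64 length: drop the stray character
        body = body[:-1]
    raw = base64.b64decode(body + "=" * (-len(body) % 4))
    return raw.decode("utf-16-le" if utf16 else "latin-1", errors="replace")[:limit]


def scan(command_line):
    """Return (prefix, MITRE ID, decoded preview) for each flagged blob."""
    hits = []
    for token in TOKEN.findall(command_line):
        for prefix, utf16, mitre in PREFIXES:
            if token.startswith(prefix):  # case-sensitive, start of blob only
                hits.append((prefix, mitre, preview(token, utf16)))
                break
    return hits


def enc(text, utf16):
    return base64.b64encode(text.encode("utf-16-le" if utf16 else "ascii")).decode()


# Constructed sample command lines, not real telemetry.
SAMPLES = [
    "powershell.exe -NoProfile -EncodedCommand " + enc("$when = Get-Date; $when", True),
    "cmd.exe /c set STAGE=" + enc("IEX $profileScript", False),
    "powershell.exe -File C:\\Scripts\\inventory.ps1 -Verbose",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(scan(line))
```

A prefix only matches when the marker sits at the very start of the encoded data; the same text one or two bytes further in encodes to different characters, so treat a miss as inconclusive.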