From 87cbbee1f9d333268570b9d3c407d1005da3b9f1 Mon Sep 17 00:00:00 2001
From: Moritz
Date: Fri, 17 Nov 2023 10:53:50 +0100
Subject: [PATCH 1/2] Update encode-data-using-base64-via-winapi.yml

---
 .../base64/encode-data-using-base64-via-winapi.yml | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/data-manipulation/encoding/base64/encode-data-using-base64-via-winapi.yml b/data-manipulation/encoding/base64/encode-data-using-base64-via-winapi.yml
index e35c3832c..c987cfd6f 100644
--- a/data-manipulation/encoding/base64/encode-data-using-base64-via-winapi.yml
+++ b/data-manipulation/encoding/base64/encode-data-using-base64-via-winapi.yml
@@ -11,5 +11,17 @@ rule:
 - mimikatz.exe_:0x40622D
 features:
 - and:
- - number: 1 = dwFlags=CRYPT_STRING_BASE64
+ - or:
+ # number: 0x0 = CRYPT_STRING_BASE64HEADER (with certificate beginning and ending headers), FPs too likely for 0
+ - number: 0x1 = dwFlags=CRYPT_STRING_BASE64 # without headers
+ - number: 0x3 = dwFlags=CRYPT_STRING_BASE64REQUESTHEADER # with request beginning and ending headers
+ - number: 0x9 = dwFlags=CRYPT_STRING_BASE64X509CRLHEADER # with X.509 CRL beginning and ending headers
+ # CRYPT_STRING_NOCRLF = 0x40000000, do not append any new line characters to the encoded string
+ - number: 0x40000001 = dwFlags=CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF
+ - number: 0x40000003 = dwFlags=CRYPT_STRING_BASE64REQUESTHEADER | CRYPT_STRING_NOCRLF
+ - number: 0x40000009 = dwFlags=CRYPT_STRING_BASE64X509CRLHEADER | CRYPT_STRING_NOCRLF
+ # CRYPT_STRING_NOCR = 0x80000000, only use the line feed (LF) character
+ - number: 0x80000001 = dwFlags=CRYPT_STRING_BASE64 | CRYPT_STRING_NOCR
+ - number: 0x80000003 = dwFlags=CRYPT_STRING_BASE64REQUESTHEADER | CRYPT_STRING_NOCR
+ - number: 0x80000009 = dwFlags=CRYPT_STRING_BASE64X509CRLHEADER | CRYPT_STRING_NOCR
 - api: CryptBinaryToString

From 8aa6c0ea170d40f0716e1085080adda9d76f89e5 Mon Sep 17 00:00:00 2001
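Review bot: The small immediates 0x1, 0x3 and 0x9 in the new `or:` block are matched anywhere in the function scope, not as the dwFlags argument of the `api: CryptBinaryToString` call that the `and:` pairs them with, so a function that calls CryptBinaryToString with a non-Base64 encoding and happens to contain the constant 3 or 9 for an unrelated reason would presumably also fire. The hunk already records this concern for 0x0 ("FPs too likely for 0"); I would extend that to the whole block with a comment such as `# NOTE: number features match any immediate in the function, not only the dwFlags argument; the plain values 0x1/0x3/0x9 rely on the api match for precision`. The masked NOCRLF/NOCR values are far less likely to collide and need no such caveat. The enclosing `rule:` block and its `meta:` section begin outside the hunk.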
From: Moritz
Date: Fri, 17 Nov 2023 10:55:03 +0100
Subject: [PATCH 2/2] Update decode-data-using-base64-via-winapi.yml

---
 .../base64/decode-data-using-base64-via-winapi.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/data-manipulation/encoding/base64/decode-data-using-base64-via-winapi.yml b/data-manipulation/encoding/base64/decode-data-using-base64-via-winapi.yml
index da46668e6..d5f401434 100644
--- a/data-manipulation/encoding/base64/decode-data-using-base64-via-winapi.yml
+++ b/data-manipulation/encoding/base64/decode-data-using-base64-via-winapi.yml
@@ -12,7 +12,8 @@ rule:
 features:
 - and:
 - or:
- - number: 0x1 = dwFlags=CRYPT_STRING_BASE64
- - number: 0x6 = dwFlags=CRYPT_STRING_BASE64_ANY
- - number: 0x7 = dwFlags=CRYPT_STRING_ANY
+ # number: 0x0 = CRYPT_STRING_BASE64HEADER (with certificate beginning and ending headers), FPs too likely for 0
+ - number: 0x1 = dwFlags=CRYPT_STRING_BASE64 # without headers
+ - number: 0x6 = dwFlags=CRYPT_STRING_BASE64_ANY # tries: CRYPT_STRING_BASE64HEADER, CRYPT_STRING_BASE64
+ - number: 0x7 = dwFlags=CRYPT_STRING_ANY # tries: CRYPT_STRING_BASE64HEADER, CRYPT_STRING_BASE64, CRYPT_STRING_BINARY
 - api: CryptStringToBinary
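Review bot: The decode rule still misses the CRYPT_STRING_STRICT modifier (0x20000000), which callers can OR into the same base flags in the same way the encode rule in the first patch now handles CRYPT_STRING_NOCR and CRYPT_STRING_NOCRLF, so a decoder built with `CRYPT_STRING_BASE64 | CRYPT_STRING_STRICT` would not match the new `or:` block. Consider adding `- number: 0x20000001 = dwFlags=CRYPT_STRING_BASE64 | CRYPT_STRING_STRICT`, `- number: 0x20000006 = dwFlags=CRYPT_STRING_BASE64_ANY | CRYPT_STRING_STRICT` and `- number: 0x20000007 = dwFlags=CRYPT_STRING_ANY | CRYPT_STRING_STRICT`, preceded by a comment explaining that STRICT rejects trailing data other than white space and padding, mirroring the comment style the encode rule uses for its modifiers. The enclosing `rule:` block begins outside the hunk.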