Getting to Know Google SecOps: String Function: strings.base64_decode

Today we are going to introduce a string function that takes base64 data and decodes it, in both search and YARA-L rules. While we don’t often see base64 data sitting all by itself within a UDM field, this function is often applied to placeholder variables or nested with other regex functions. In our last video, we discussed the re.capture function; we are going to build on that concept and then use the base64_decode function to uncover what lies beneath the encoding!


Base64 is often used to obfuscate code, so having a function built into Google SecOps to work with this data can streamline detection and hunting. The function is straightforward: just pass the encoded string to it. The question then becomes whether we feed it directly from a regex function that captured the base64 string, or from a placeholder variable where the base64 is already being held.

Follow along in the video below to see how strings.base64_decode can be used in a YARA-L rule.

strings.base64_decode is easy to use and gives analysts a way to gain visibility into base64-encoded data without having to copy and paste it out to CyberChef or another system. However, because base64 is not often the only value within a field, a combination of regex functions and placeholder variables is typically used to work with this data. As you saw in our demo, the formatting of the decoded base64 may make it a bit tricky to work with if we are performing additional analysis on it.
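Here is an added YARA-L example, written for this post and not taken from the video or from the Google SecOps documentation, showing the pattern described above: re.capture pulls the base64 portion out of a longer field into a placeholder variable, strings.base64_decode turns it into readable text, and the decoded value is surfaced in the outcome section. The PROCESS_LAUNCH event type, the target.process.command_line field, the regex and the match window are assumptions chosen for the example.

```yaral
rule decode_base64_in_process_command_line {
  meta:
    author = "example"
    description = "Surfaces the decoded form of a base64 argument found in a process command line"
    severity = "LOW"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname

    // Assumed layout: the command line contains an argument flag followed by
    // a base64 string. The base64 is rarely the whole field, so re.capture
    // isolates only the encoded part (raw string, so no double escaping).
    $encoded = re.capture($e.target.process.command_line, `-[eE][nN][cC][a-zA-Z]*\s+([A-Za-z0-9+/=]+)`)

    // Placeholder variable now holds just the base64 text; decode it here.
    $decoded = strings.base64_decode($encoded)

    // Skip events where the regex did not capture anything.
    $encoded != ""

  match:
    $hostname over 5m

  outcome:
    // The decoded text is what an analyst wants to see in the detection,
    // without copying the encoded value out to another tool.
    $decoded_commands = array_distinct($decoded)
    $sample_command_lines = array_distinct($e.target.process.command_line)

  condition:
    $e
}
```

As the post notes, the decoded text may still need tidying before it is compared against lists or other logic; the rule above only exposes it.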

With that in mind, next time, we are going to look at one additional regex function, re.replace, and we’ll show you how we can tidy up our decoded base64 to work with lists and other logic.


Last update: 07-25-2024 08:49 AM