Note that this command is packed with some very common command line arguments that are very useful to know: Instantly, we can see it begins with PowerShell executing a base64 encoded string. This means we need to review the threat details and attempt to figure out if this alert is legitimate or not.įirst we can review the Attack Story information in the Raw Data section of the SentinelOne console:
Given that this is a Fileless attack there is no hash reputation available via third party validation tools. In this case, we have an alert regarding a PowerShell command. First, we take a look at an attack sequence the first place I always look (if the process is there) will be PowerShell: So let’s see how this could help us to understand an actual attack on the network. ::ASCII.GetString(::FromBase64String($coded_string)) | Out-File -Encoding "ASCII" base64_out.txt ::ASCII.GetString(::FromBase64String($coded_string)) $coded_string = "SG9va2VkIG9uIHBob25pY3Mgd29ya2VkIGZvciBtZQo="
#BASE64 DECODE STRING CODE#
> ::UTF8.GetString(::FromBase64String('SG9va2VkIG9uIHBob25pY3Mgd29ya2VkIGZvciBtZQo='))Īs we did with Python above, we can replace the one-liner CLI with a PowerShell script if we wish: # Replace the quoted text with the code you wish to decrypt. We can swap out ASCII for UTF-8 if we prefer: > ::ASCII.GetString(::FromBase64String('SG9va2VkIG9uIHBob25pY3Mgd29ya2VkIGZvciBtZQo=')) # Print the decryption output to the screen.
# Replace the quoted text with the code you wish to decrypt.Ĭoded_string = 'SG9va2VkIG9uIHBob25pY3Mgd29ya2VkIGZvciBtZQo='Ĭode_dump = base64.b64decode(coded_string) We can achieve the same thing with a Python script like this: #!/usr/bin/env python $: echo "SG9va2VkIG9uIHBob25pY3Mgd29ya2VkIGZvciBtZQo=" | base64 -decode On macOS/Linux with Bash (CLI) it’s the same process, but this time we specify the -decode option: SG9va2VkIG9uIHBob25pY3Mgd29ya2VkIGZvciBtZQo= Decoding Strings > ::ToBase64String(::UTF8.GetBytes("Hooked on phonics worked for me"))
On Windows, we can encode a string with PowerShell (CLI): $: echo "Hooked on phonics worked for me" | base64 On macOS/Linux with Bash (CLI) we can simply echo the target string and pipe it to the base64 utility: Let’s take a look at not only decrypting but also encrypting because, who knows? Maybe one day you will need or want to know both sides of the process. If the string contains special characters like “+” or “/” then there is a good chance the string will decode into something like a compressed file or image.Ī good rule of thumb for this is to decrypt the string on the command line, and if you cannot read the output then try writing it to a file and use something like Detect It Easy (D.I.E.) to determine how you can view the file contents.ĭecryption is extremely easy and can be done on any OS.If the string does not contain any special characters other than “=” then there is a good chance that it will be plain text when decrypted.There are a few things that I like to look for with base64 strings: The wiki article here goes into more details about the background of the encoding’s implementation and history, but here we’ll focus on the practical aspects within a security context. These strings must also be divisible by 4 to be well-formed. There are 64 characters in the Base64 “alphabet”, and an encoded string will contain a mixture of uppercase and lowercase letters, numbers, and sometimes an “=” or two (never more than two) at the end. VGhpcyBpcyB3aGF0IGJhc2U2NCBsb29rcyBsaWtlIGluIHRoZSB3aWxkLgo= These are the methods that I use to both encode and decode in my daily work.Ī base64 string is pretty easy to identify: In this article, I will share both a simple and a slightly more advanced understanding of Base64 encoding. The most common methods are not terribly hard to learn and will help you to make better decisions on the legitimacy of a command or call seen on your network. Understanding the encoding methods threat actors use can help not only in everyday operations but importantly in cybersecurity and network security contexts. They are also widely used by malware authors to disguise their attacks and to implement anti-analysis techniques designed to frustrate malware hunters and reverse engineers. Encoded strings are everywhere and have many legitimate uses across the technology sector.
0 kommentar(er)
