@duaneking
Forked from Neo23x0/Base64_CheatSheet.md
Created March 8, 2022 20:32

Revisions

  1. @Neo23x0 Neo23x0 revised this gist Feb 16, 2022. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion Base64_CheatSheet.md
    @@ -24,7 +24,7 @@
    | `UEs` | 🏬 Upper East Side | `PK` | ZIP, Office documents |
    | `ey` | 🗣 Hey | `{ ` | Indicates JSON data |

    \* the `.` stands for `0x00`
    \* the `.` stands for `0x00` found in UTF-16 encoded text

    # Cyber Chef Recipe
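
    Review bot: The reworded footnote should name the byte order, because "UTF-16" alone does not say where the `0x00` falls. The table's UTF-16 rows place the `.` after the character, which is the little-endian layout; in big-endian text the `0x00` comes first and these prefixes would not match. Suggest "found in UTF-16LE encoded text".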

  2. @Neo23x0 Neo23x0 revised this gist Oct 15, 2020. 1 changed file with 0 additions and 2 deletions.
    2 changes: 0 additions & 2 deletions Base64_CheatSheet.md
    @@ -1,7 +1,5 @@
    # Learning Aid - Top Base64 Encodings Table

    MITRE ATT4CK - [T1132](https://attack.mitre.org/techniques/T1132/) - Data Encoding

    | Base64 Code | Mnemonic Aid | Decoded* | Description |
    |-------------|--------------|----------|------------------------------------------|
    | `JAB` | 🗣 Jabber | `$.` | Variable declaration (UTF-16) |
  3. @Neo23x0 Neo23x0 revised this gist Jul 8, 2020. 1 changed file with 3 additions and 3 deletions.
    6 changes: 3 additions & 3 deletions Base64_CheatSheet.md
    @@ -6,7 +6,6 @@ MITRE ATT4CK - [T1132](https://attack.mitre.org/techniques/T1132/) - Data Encodi
    |-------------|--------------|----------|------------------------------------------|
    | `JAB` | 🗣 Jabber | `$.` | Variable declaration (UTF-16) |
    | `TVq` | 📺 Television | `MZ` | MZ header |
    | `UEs` | 🏬 Upper East Side | `PK` | ZIP, Office documents |
    | `SUVY` | 🚙 SUV | `IEX` | PowerShell Invoke Expression |
    | `SQBFAF` | 🐣 Squab favorite | `I.E.` | PowerShell Invoke Expression (UTF-16) |
    | `SQBuAH` | 🐣 Squab uahhh | `I.n.` | PowerShell Invoke string (UTF-16) e.g. `Invoke-Mimikatz` |
    @@ -20,11 +19,12 @@ MITRE ATT4CK - [T1132](https://attack.mitre.org/techniques/T1132/) - Data Encodi
    | `dXNpbm` | Dixon problem | `usin` | Often found in compile after delivery attacks |
    | `H4sIA` | 🚁 HForce (Helicopter Force) I agree | | gzip magic bytes (0x1f8b), e.g. `echo 'test' \| gzip -cf \| base64` |
    | `Y21k` | 🎆 Year 21k bug | `cmd` | As used in `cmd.exe /c wscript.exe` or the like |
    | `IAB` | 🥱 I am bored | ` s` | wide lower case `s`, often something like `sEt-iTem` |
    | `cABhAH` | 🕋 Kaaba | `p.a.` | wide formatted `param` |
    | `Qzpc` | 🖥 Quiz PC | `C:\` | Root of Windows partition (upper case) |
    | `Yzpc` | 🖥 Yes PC | `c:\` | Root of Windows partition (lower case) |
    | `UEs` | 🏬 Upper East Side | `PK` | ZIP, Office documents |
    | `ey` | 🗣 Hey | `{ ` | Indicates JSON data |
    | `IAB` | 🥱 I am bored | ` s` | wide lower case `s`, often something like `sEt-iTem` |
    | `cABhAH` | 🕋 Kaaba | `p.a.` | wide formatted `param` |

    \* the `.` stands for `0x00`

  4. @Neo23x0 Neo23x0 revised this gist Jul 8, 2020. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions Base64_CheatSheet.md
    @@ -24,6 +24,7 @@ MITRE ATT4CK - [T1132](https://attack.mitre.org/techniques/T1132/) - Data Encodi
    | `Yzpc` | 🖥 Yes PC | `c:\` | Root of Windows partition (lower case) |
    | `ey` | 🗣 Hey | `{ ` | Indicates JSON data |
    | `IAB` | 🥱 I am bored | ` s` | wide lower case `s`, often something like `sEt-iTem` |
    | `cABhAH` | 🕋 Kaaba | `p.a.` | wide formatted `param` |

    \* the `.` stands for `0x00`
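
    Review bot: The `cABhAH` row is described as wide `param`, but its six characters fix only `p.a.` plus the high four bits of the next byte (0x70 to 0x7F), so the same prefix also matches wide `pas` or `pat`. Either describe it as `p.a.` followed by a character in that range, or extend the code to `cABhAHIA`, which pins `p.a.r.`.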

  5. @Neo23x0 Neo23x0 revised this gist Jan 25, 2020. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion Base64_CheatSheet.md
    @@ -12,7 +12,7 @@ MITRE ATT4CK - [T1132](https://attack.mitre.org/techniques/T1132/) - Data Encodi
    | `SQBuAH` | 🐣 Squab uahhh | `I.n.` | PowerShell Invoke string (UTF-16) e.g. `Invoke-Mimikatz` |
    | `PAA` | 💪 "Pah!" | `<.` | Often used by Emotet (UTF-16) |
    | `cwBhA` | 🦁 Chewbaka | `s.a.` | Often used in malicious droppers (UTF-16) 'sal' instead of 'var' |
    | `aWV4` | Awe version 4 | `iex` | PowerShell Invoke Expression |
    | `aWV4` | 😲 Awe version 4 | `iex` | PowerShell Invoke Expression |
    | `aQBlA` | 💦 Aqua Blah (aquaplaning) | `i.e.` | PowerShell Invoke Expression (UTF-16) |
    | `R2V0` | 🤖 R2D2 but version 0 | `Get` | Often used to obfuscate imports like GetCurrentThreadId |
    | `dmFy` | 👹 defy / demonify | `var` | Variable declaration |
  6. @Neo23x0 Neo23x0 revised this gist Jan 25, 2020. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions Base64_CheatSheet.md
    @@ -9,6 +9,7 @@ MITRE ATT4CK - [T1132](https://attack.mitre.org/techniques/T1132/) - Data Encodi
    | `UEs` | 🏬 Upper East Side | `PK` | ZIP, Office documents |
    | `SUVY` | 🚙 SUV | `IEX` | PowerShell Invoke Expression |
    | `SQBFAF` | 🐣 Squab favorite | `I.E.` | PowerShell Invoke Expression (UTF-16) |
    | `SQBuAH` | 🐣 Squab uahhh | `I.n.` | PowerShell Invoke string (UTF-16) e.g. `Invoke-Mimikatz` |
    | `PAA` | 💪 "Pah!" | `<.` | Often used by Emotet (UTF-16) |
    | `cwBhA` | 🦁 Chewbaka | `s.a.` | Often used in malicious droppers (UTF-16) 'sal' instead of 'var' |
    | `aWV4` | Awe version 4 | `iex` | PowerShell Invoke Expression |
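
    Review bot: The added `SQBuAH` row covers only an upper-case `I`, while the neighbouring rows list both `SUVY` (`IEX`) and `aWV4` (`iex`). PowerShell resolves command names case-insensitively, and a lower-case `i.n.` encodes as `aQBuAH`, so a companion row for that code would keep the table consistent with its other upper/lower pairs.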
  7. @Neo23x0 Neo23x0 revised this gist Jan 21, 2020. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion Base64_CheatSheet.md
    @@ -22,7 +22,7 @@ MITRE ATT4CK - [T1132](https://attack.mitre.org/techniques/T1132/) - Data Encodi
    | `Qzpc` | 🖥 Quiz PC | `C:\` | Root of Windows partition (upper case) |
    | `Yzpc` | 🖥 Yes PC | `c:\` | Root of Windows partition (lower case) |
    | `ey` | 🗣 Hey | `{ ` | Indicates JSON data |
    | `IAB` | 🥱 I am bored | ` s` | wide formatted lower case `s`, often something like `sEt-iTem` |
    | `IAB` | 🥱 I am bored | ` s` | wide lower case `s`, often something like `sEt-iTem` |

    \* the `.` stands for `0x00`

  8. @Neo23x0 Neo23x0 revised this gist Jan 21, 2020. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions Base64_CheatSheet.md
    @@ -22,6 +22,7 @@ MITRE ATT4CK - [T1132](https://attack.mitre.org/techniques/T1132/) - Data Encodi
    | `Qzpc` | 🖥 Quiz PC | `C:\` | Root of Windows partition (upper case) |
    | `Yzpc` | 🖥 Yes PC | `c:\` | Root of Windows partition (lower case) |
    | `ey` | 🗣 Hey | `{ ` | Indicates JSON data |
    | `IAB` | 🥱 I am bored | ` s` | wide formatted lower case `s`, often something like `sEt-iTem` |

    \* the `.` stands for `0x00`
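
    Review bot: In the added `IAB` row, the three characters carry 18 bits: a space, `0x00`, and only the top two bits of the third byte. That matches a wide space followed by any character from 0x40 to 0x7F, not specifically `s`, and the Decoded cell omits the `.` that the other UTF-16 rows use for `0x00`. Suggest describing the row as a wide space followed by a letter, or using `IABz` if lower-case `s` is the intent.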

  9. @Neo23x0 Neo23x0 revised this gist Dec 10, 2019. 1 changed file with 3 additions and 2 deletions.
    5 changes: 3 additions & 2 deletions Base64_CheatSheet.md
    @@ -19,8 +19,9 @@ MITRE ATT4CK - [T1132](https://attack.mitre.org/techniques/T1132/) - Data Encodi
    | `dXNpbm` | Dixon problem | `usin` | Often found in compile after delivery attacks |
    | `H4sIA` | 🚁 HForce (Helicopter Force) I agree | | gzip magic bytes (0x1f8b), e.g. `echo 'test' \| gzip -cf \| base64` |
    | `Y21k` | 🎆 Year 21k bug | `cmd` | As used in `cmd.exe /c wscript.exe` or the like |
    | `Qzpc` | 🖥 Quiz PC | `C:\` | Root of Windows partition (upper case)|
    | `Yzpc` | 🖥 Yes PC | `c:\` | Root of Windows partition (lower case)|
    | `Qzpc` | 🖥 Quiz PC | `C:\` | Root of Windows partition (upper case) |
    | `Yzpc` | 🖥 Yes PC | `c:\` | Root of Windows partition (lower case) |
    | `ey` | 🗣 Hey | `{ ` | Indicates JSON data |

    \* the `.` stands for `0x00`
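
    Review bot: In the added `ey` row, the Decoded cell shows `{ ` with a trailing space, but two Base64 characters carry only 12 bits: `{` and the top four bits of the next byte. Any second byte from 0x20 to 0x2F produces `ey`, including the `"` of `{"` (which, followed by a letter, encodes as `eyJ`). Suggest noting that range in the Description so the space is not read literally.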

  10. @Neo23x0 Neo23x0 revised this gist Dec 2, 2019. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion Base64_CheatSheet.md
    @@ -20,7 +20,7 @@ MITRE ATT4CK - [T1132](https://attack.mitre.org/techniques/T1132/) - Data Encodi
    | `H4sIA` | 🚁 HForce (Helicopter Force) I agree | | gzip magic bytes (0x1f8b), e.g. `echo 'test' \| gzip -cf \| base64` |
    | `Y21k` | 🎆 Year 21k bug | `cmd` | As used in `cmd.exe /c wscript.exe` or the like |
    | `Qzpc` | 🖥 Quiz PC | `C:\` | Root of Windows partition (upper case)|
    | `Yzpc` | 🖥 Yes PC | `C:\` | Root of Windows partition (lower case)|
    | `Yzpc` | 🖥 Yes PC | `c:\` | Root of Windows partition (lower case)|

    \* the `.` stands for `0x00`

  11. @Neo23x0 Neo23x0 revised this gist Dec 2, 2019. 1 changed file with 2 additions and 0 deletions.
    2 changes: 2 additions & 0 deletions Base64_CheatSheet.md
    @@ -19,6 +19,8 @@ MITRE ATT4CK - [T1132](https://attack.mitre.org/techniques/T1132/) - Data Encodi
    | `dXNpbm` | Dixon problem | `usin` | Often found in compile after delivery attacks |
    | `H4sIA` | 🚁 HForce (Helicopter Force) I agree | | gzip magic bytes (0x1f8b), e.g. `echo 'test' \| gzip -cf \| base64` |
    | `Y21k` | 🎆 Year 21k bug | `cmd` | As used in `cmd.exe /c wscript.exe` or the like |
    | `Qzpc` | 🖥 Quiz PC | `C:\` | Root of Windows partition (upper case)|
    | `Yzpc` | 🖥 Yes PC | `C:\` | Root of Windows partition (lower case)|

    \* the `.` stands for `0x00`
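
    Review bot: In the added `Yzpc` row, the Decoded cell reads `C:\`, identical to the `Qzpc` row above it, while the Description says lower case. `Yzpc` decodes to `c:\`, so the cell should read `c:\`.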

  12. @Neo23x0 Neo23x0 revised this gist Dec 2, 2019. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion Base64_CheatSheet.md
    @@ -18,7 +18,7 @@ MITRE ATT4CK - [T1132](https://attack.mitre.org/techniques/T1132/) - Data Encodi
    | `dgBhA` | debugger + high availability | `v.a.` | Variable declaration (UTF-16) |
    | `dXNpbm` | Dixon problem | `usin` | Often found in compile after delivery attacks |
    | `H4sIA` | 🚁 HForce (Helicopter Force) I agree | | gzip magic bytes (0x1f8b), e.g. `echo 'test' \| gzip -cf \| base64` |
    | `Y21k` | 🎆 Year 21k bug | cmd | As used in `cmd.exe /c wscript.exe` or the like |
    | `Y21k` | 🎆 Year 21k bug | `cmd` | As used in `cmd.exe /c wscript.exe` or the like |

    \* the `.` stands for `0x00`

  13. @Neo23x0 Neo23x0 revised this gist Dec 2, 2019. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion Base64_CheatSheet.md
    @@ -18,7 +18,7 @@ MITRE ATT4CK - [T1132](https://attack.mitre.org/techniques/T1132/) - Data Encodi
    | `dgBhA` | debugger + high availability | `v.a.` | Variable declaration (UTF-16) |
    | `dXNpbm` | Dixon problem | `usin` | Often found in compile after delivery attacks |
    | `H4sIA` | 🚁 HForce (Helicopter Force) I agree | | gzip magic bytes (0x1f8b), e.g. `echo 'test' \| gzip -cf \| base64` |
    | `Y21k` | 🎆 Year 21k bug | cmd as in `cmd.exe /c wscript.exe` or the like |
    | `Y21k` | 🎆 Year 21k bug | cmd | As used in `cmd.exe /c wscript.exe` or the like |

    \* the `.` stands for `0x00`

  14. @Neo23x0 Neo23x0 revised this gist Dec 2, 2019. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion Base64_CheatSheet.md
    @@ -18,7 +18,7 @@ MITRE ATT4CK - [T1132](https://attack.mitre.org/techniques/T1132/) - Data Encodi
    | `dgBhA` | debugger + high availability | `v.a.` | Variable declaration (UTF-16) |
    | `dXNpbm` | Dixon problem | `usin` | Often found in compile after delivery attacks |
    | `H4sIA` | 🚁 HForce (Helicopter Force) I agree | | gzip magic bytes (0x1f8b), e.g. `echo 'test' \| gzip -cf \| base64` |
    | `Y21k` | 🎆 Year 21-thousand bug | cmd as in `cmd.exe /c wscript.exe` or the like |
    | `Y21k` | 🎆 Year 21k bug | cmd as in `cmd.exe /c wscript.exe` or the like |

    \* the `.` stands for `0x00`

  15. @Neo23x0 Neo23x0 revised this gist Dec 2, 2019. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions Base64_CheatSheet.md
    @@ -18,6 +18,7 @@ MITRE ATT4CK - [T1132](https://attack.mitre.org/techniques/T1132/) - Data Encodi
    | `dgBhA` | debugger + high availability | `v.a.` | Variable declaration (UTF-16) |
    | `dXNpbm` | Dixon problem | `usin` | Often found in compile after delivery attacks |
    | `H4sIA` | 🚁 HForce (Helicopter Force) I agree | | gzip magic bytes (0x1f8b), e.g. `echo 'test' \| gzip -cf \| base64` |
    | `Y21k` | 🎆 Year 21-thousand bug | cmd as in `cmd.exe /c wscript.exe` or the like |

    \* the `.` stands for `0x00`
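
    Review bot: The added `Y21k` row should say that the code only appears when `cmd` starts at a byte offset divisible by three in the encoded data. The Description places it inside a longer command line (`cmd.exe /c wscript.exe`), and at the other two offsets the same bytes produce different Base64 characters, so a search for `Y21k` alone misses those cases. A short remark in the Description would make that limit clear.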

  16. @Neo23x0 Neo23x0 revised this gist Oct 25, 2019. 1 changed file with 11 additions and 11 deletions.
    22 changes: 11 additions & 11 deletions Base64_CheatSheet.md
    @@ -4,20 +4,20 @@ MITRE ATT4CK - [T1132](https://attack.mitre.org/techniques/T1132/) - Data Encodi

    | Base64 Code | Mnemonic Aid | Decoded* | Description |
    |-------------|--------------|----------|------------------------------------------|
    | `JAB` | Jabber 🗣 | `$.` | Variable declaration (UTF-16) |
    | `TVq` | Television 📺 | `MZ` | MZ header |
    | `UEs` | Upper East Side 🏬 | `PK` | ZIP, Office documents |
    | `SUVY` | SUV 🚙 | `IEX` | PowerShell Invoke Expression |
    | `SQBFAF` | Squab 🐣 favorite | `I.E.` | PowerShell Invoke Expression (UTF-16) |
    | `PAA` | "Pah!" 💪 | `<.` | Often used by Emotet (UTF-16) |
    | `cwBhA` | Chewbaka 🦁 | `s.a.` | Often used in malicious droppers (UTF-16) 'sal' instead of 'var' |
    | `JAB` | 🗣 Jabber | `$.` | Variable declaration (UTF-16) |
    | `TVq` | 📺 Television | `MZ` | MZ header |
    | `UEs` | 🏬 Upper East Side | `PK` | ZIP, Office documents |
    | `SUVY` | 🚙 SUV | `IEX` | PowerShell Invoke Expression |
    | `SQBFAF` | 🐣 Squab favorite | `I.E.` | PowerShell Invoke Expression (UTF-16) |
    | `PAA` | 💪 "Pah!" | `<.` | Often used by Emotet (UTF-16) |
    | `cwBhA` | 🦁 Chewbaka | `s.a.` | Often used in malicious droppers (UTF-16) 'sal' instead of 'var' |
    | `aWV4` | Awe version 4 | `iex` | PowerShell Invoke Expression |
    | `aQBlA` | Aqua Blah (aquaplaning) 💦 | `i.e.` | PowerShell Invoke Expression (UTF-16) |
    | `R2V0` | R2D2 🤖 but version 0 | `Get` | Often used to obfuscate imports like GetCurrentThreadId |
    | `dmFy` | defy / demonify 👹 | `var` | Variable declaration |
    | `aQBlA` | 💦 Aqua Blah (aquaplaning) | `i.e.` | PowerShell Invoke Expression (UTF-16) |
    | `R2V0` | 🤖 R2D2 but version 0 | `Get` | Often used to obfuscate imports like GetCurrentThreadId |
    | `dmFy` | 👹 defy / demonify | `var` | Variable declaration |
    | `dgBhA` | debugger + high availability | `v.a.` | Variable declaration (UTF-16) |
    | `dXNpbm` | Dixon problem | `usin` | Often found in compile after delivery attacks |
    | `H4sIA` | HForce (Helicopter Force) 🚁 I agree | | gzip magic bytes (0x1f8b), e.g. `echo 'test' \| gzip -cf \| base64` |
    | `H4sIA` | 🚁 HForce (Helicopter Force) I agree | | gzip magic bytes (0x1f8b), e.g. `echo 'test' \| gzip -cf \| base64` |

    \* the `.` stands for `0x00`

  17. @Neo23x0 Neo23x0 revised this gist Oct 25, 2019. No changes.
  18. @Neo23x0 Neo23x0 revised this gist Oct 25, 2019. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion Base64_CheatSheet.md
    @@ -17,7 +17,7 @@ MITRE ATT4CK - [T1132](https://attack.mitre.org/techniques/T1132/) - Data Encodi
    | `dmFy` | defy / demonify 👹 | `var` | Variable declaration |
    | `dgBhA` | debugger + high availability | `v.a.` | Variable declaration (UTF-16) |
    | `dXNpbm` | Dixon problem | `usin` | Often found in compile after delivery attacks |
    | `H4s` | Has | `\x1f\x8bv08\x00` | gzip magic bytes (0x1f8b), e.g. `echo 'test' \| gzip -cf \| base64` |
    | `H4sIA` | HForce (Helicopter Force) 🚁 I agree | | gzip magic bytes (0x1f8b), e.g. `echo 'test' \| gzip -cf \| base64` |

    \* the `.` stands for `0x00`
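
    Review bot: Lengthening the code from `H4s` to `H4sIA` also fixes the gzip method byte and the top six bits of the flags byte, which narrows the match more than the Description says. A stream with the FNAME flag set (flags byte `0x08`, as written when gzip compresses a named file rather than stdin) begins `H4sIC` and would be missed. Suggest stating that in the Description and filling the now-empty Decoded cell with the bytes the code represents.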

  19. @Neo23x0 Neo23x0 revised this gist Oct 25, 2019. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion Base64_CheatSheet.md
    @@ -17,7 +17,7 @@ MITRE ATT4CK - [T1132](https://attack.mitre.org/techniques/T1132/) - Data Encodi
    | `dmFy` | defy / demonify 👹 | `var` | Variable declaration |
    | `dgBhA` | debugger + high availability | `v.a.` | Variable declaration (UTF-16) |
    | `dXNpbm` | Dixon problem | `usin` | Often found in compile after delivery attacks |
    | `H4s` | Has | `\x1f\x8bv08\x00` | gzip magic bytes (0x1f8b), e.g. echo 'test' \| gzip -cf \| base64` |
    | `H4s` | Has | `\x1f\x8bv08\x00` | gzip magic bytes (0x1f8b), e.g. `echo 'test' \| gzip -cf \| base64` |

    \* the `.` stands for `0x00`

  20. @Neo23x0 Neo23x0 revised this gist Oct 25, 2019. No changes.
  21. @Neo23x0 Neo23x0 revised this gist Oct 25, 2019. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion Base64_CheatSheet.md
    @@ -17,7 +17,7 @@ MITRE ATT4CK - [T1132](https://attack.mitre.org/techniques/T1132/) - Data Encodi
    | `dmFy` | defy / demonify 👹 | `var` | Variable declaration |
    | `dgBhA` | debugger + high availability | `v.a.` | Variable declaration (UTF-16) |
    | `dXNpbm` | Dixon problem | `usin` | Often found in compile after delivery attacks |
    | `H4s` | Has | `\x1f\x8bv08\x00` | gzip magic bytes (0x1f8b), e.g. echo 'test' | gzip -cf | base64` |
    | `H4s` | Has | `\x1f\x8bv08\x00` | gzip magic bytes (0x1f8b), e.g. echo 'test' \| gzip -cf \| base64` |

    \* the `.` stands for `0x00`

  22. @Neo23x0 Neo23x0 revised this gist Oct 25, 2019. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion Base64_CheatSheet.md
    @@ -17,7 +17,7 @@ MITRE ATT4CK - [T1132](https://attack.mitre.org/techniques/T1132/) - Data Encodi
    | `dmFy` | defy / demonify 👹 | `var` | Variable declaration |
    | `dgBhA` | debugger + high availability | `v.a.` | Variable declaration (UTF-16) |
    | `dXNpbm` | Dixon problem | `usin` | Often found in compile after delivery attacks |
    | `H4s` | Has | `\x1f\x8bv08\x00` | gzip magic bytes (0x1f8b) |
    | `H4s` | Has | `\x1f\x8bv08\x00` | gzip magic bytes (0x1f8b), e.g. echo 'test' | gzip -cf | base64` |

    \* the `.` stands for `0x00`
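
    Review bot: The example appended to the `H4s` Description has two Markdown problems: its `|` characters are unescaped, so the row splits into extra table columns, and the closing backtick after `base64` has no opening partner. Suggest wrapping the whole command in backticks and escaping each pipe as `\|`.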

  23. @Neo23x0 Neo23x0 revised this gist Oct 25, 2019. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion Base64_CheatSheet.md
    @@ -17,7 +17,7 @@ MITRE ATT4CK - [T1132](https://attack.mitre.org/techniques/T1132/) - Data Encodi
    | `dmFy` | defy / demonify 👹 | `var` | Variable declaration |
    | `dgBhA` | debugger + high availability | `v.a.` | Variable declaration (UTF-16) |
    | `dXNpbm` | Dixon problem | `usin` | Often found in compile after delivery attacks |
    | `H4s` | Has | | gzip magic bytes (0x1f8b) |
    | `H4s` | Has | `\x1f\x8bv08\x00` | gzip magic bytes (0x1f8b) |

    \* the `.` stands for `0x00`
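
    Review bot: The value added to the Decoded cell, `\x1f\x8bv08\x00`, has a stray `v` where `\x08` is meant. It also shows four bytes, while `H4s` carries only 18 bits: `\x1f`, `\x8b` and the top two bits of the third byte. Suggest `\x1f\x8b` for this code, or a longer code if the method and flags bytes are meant to be part of the match.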

  24. @Neo23x0 Neo23x0 revised this gist Oct 25, 2019. 1 changed file with 17 additions and 4 deletions.
    21 changes: 17 additions & 4 deletions Base64_CheatSheet.md
    @@ -23,14 +23,27 @@ MITRE ATT4CK - [T1132](https://attack.mitre.org/techniques/T1132/) - Data Encodi

    # Cyber Chef Recipe

    https://gchq.github.io/CyberChef/#recipe=Fork('%5C%5Cn','%5C%5Cn',false)From_Base64('A-Za-z0-9%2B/%3D',true)&input=SkFCClRWcQpQQUEKU1VWWQpTUUJGQUYKYVdWNAphUUJsQQpSMlYwCmRtRnkKZGdCaEEKY3dCaEEKZFhOcGJt

    https://gchq.github.io/CyberChef/#recipe=Fork('%5C%5Cn','%5C%5Cn',false)From_Base64('A-Za-z0-9%2B/%3D',true)&input=SkFCClRWcQpQQUEKU1VWWQpTUUJGQUYKYVdWNAphUUJsQQpSMlYwCmRtRnkKZGdCaEEKY3dCaEEKZFhOcGJtCkg0c0lBRldXc2wwQUF5dEpMUzdoQWdER05iazdCUUFBQUE9PQ
    # References

    # Tweet

    Tweet and Thread https://twitter.com/cyb3rops/status/1187341941794660354
    Tweet and Thread
    https://twitter.com/cyb3rops/status/1187341941794660354

    ## JAB

    https://www.hybrid-analysis.com/sample/ce0415b6661ef66bbedb69896ad1ece9ee4e6dfde9925e9612aec7bbf1cb7bc5?environmentId=100

    ## PAA

    Emotet process command line
    https://app.any.run/tasks/dfba6d53-7a93-4d8b-86ba-4e737ad06b06/

    ## cwBha

    https://www.hybrid-analysis.com/sample/b744129bfe54de8b36d7556ddfcc55d0be213129041aacf52b7d2f57012caa60?environmentId=100
    Explanation
    https://threat.tevora.com/5-minute-forensics-decoding-powershell-payloads/

    Sample
    https://www.hybrid-analysis.com/sample/b744129bfe54de8b36d7556ddfcc55d0be213129041aacf52b7d2f57012caa60?environmentId=100
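
    Review bot: The heading `## cwBha` in the References block does not match the table code `cwBhA`. Base64 is case-sensitive, so the heading names a different string from the one it documents; suggest `## cwBhA`.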
  25. @Neo23x0 Neo23x0 revised this gist Oct 25, 2019. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions Base64_CheatSheet.md
    @@ -17,6 +17,7 @@ MITRE ATT4CK - [T1132](https://attack.mitre.org/techniques/T1132/) - Data Encodi
    | `dmFy` | defy / demonify 👹 | `var` | Variable declaration |
    | `dgBhA` | debugger + high availability | `v.a.` | Variable declaration (UTF-16) |
    | `dXNpbm` | Dixon problem | `usin` | Often found in compile after delivery attacks |
    | `H4s` | Has | | gzip magic bytes (0x1f8b) |

    \* the `.` stands for `0x00`

  26. @Neo23x0 Neo23x0 revised this gist Oct 25, 2019. 1 changed file with 2 additions and 2 deletions.
    4 changes: 2 additions & 2 deletions Base64_CheatSheet.md
    @@ -2,8 +2,8 @@

    MITRE ATT4CK - [T1132](https://attack.mitre.org/techniques/T1132/) - Data Encoding

    | Base64 Code | Mnemonic | Decoded* | Description |
    |-------------|----------|----------|------------------------------------------|
    | Base64 Code | Mnemonic Aid | Decoded* | Description |
    |-------------|--------------|----------|------------------------------------------|
    | `JAB` | Jabber 🗣 | `$.` | Variable declaration (UTF-16) |
    | `TVq` | Television 📺 | `MZ` | MZ header |
    | `UEs` | Upper East Side 🏬 | `PK` | ZIP, Office documents |
  27. @Neo23x0 Neo23x0 revised this gist Oct 25, 2019. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion Base64_CheatSheet.md
    @@ -11,7 +11,7 @@ MITRE ATT4CK - [T1132](https://attack.mitre.org/techniques/T1132/) - Data Encodi
    | `SQBFAF` | Squab 🐣 favorite | `I.E.` | PowerShell Invoke Expression (UTF-16) |
    | `PAA` | "Pah!" 💪 | `<.` | Often used by Emotet (UTF-16) |
    | `cwBhA` | Chewbaka 🦁 | `s.a.` | Often used in malicious droppers (UTF-16) 'sal' instead of 'var' |
    | `aWV4` | Awe Version 4 | `iex` | PowerShell Invoke Expression |
    | `aWV4` | Awe version 4 | `iex` | PowerShell Invoke Expression |
    | `aQBlA` | Aqua Blah (aquaplaning) 💦 | `i.e.` | PowerShell Invoke Expression (UTF-16) |
    | `R2V0` | R2D2 🤖 but version 0 | `Get` | Often used to obfuscate imports like GetCurrentThreadId |
    | `dmFy` | defy / demonify 👹 | `var` | Variable declaration |
  28. @Neo23x0 Neo23x0 revised this gist Oct 25, 2019. No changes.
  29. @Neo23x0 Neo23x0 revised this gist Oct 25, 2019. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion Base64_CheatSheet.md
    @@ -3,7 +3,7 @@
    MITRE ATT4CK - [T1132](https://attack.mitre.org/techniques/T1132/) - Data Encoding

    | Base64 Code | Mnemonic | Decoded* | Description |
    |-------------|---------------------------------|----------|-------------------|
    |-------------|----------|----------|------------------------------------------|
    | `JAB` | Jabber 🗣 | `$.` | Variable declaration (UTF-16) |
    | `TVq` | Television 📺 | `MZ` | MZ header |
    | `UEs` | Upper East Side 🏬 | `PK` | ZIP, Office documents |
  30. @Neo23x0 Neo23x0 revised this gist Oct 25, 2019. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion Base64_CheatSheet.md
    @@ -3,7 +3,7 @@
    MITRE ATT4CK - [T1132](https://attack.mitre.org/techniques/T1132/) - Data Encoding

    | Base64 Code | Mnemonic | Decoded* | Description |
    |-------------|---------------------------|----------|--------------------------|
    |-------------|---------------------------------|----------|-------------------|
    | `JAB` | Jabber 🗣 | `$.` | Variable declaration (UTF-16) |
    | `TVq` | Television 📺 | `MZ` | MZ header |
    | `UEs` | Upper East Side 🏬 | `PK` | ZIP, Office documents |