100 Days of YARA – Day 32: Base64 Alphabet

This simple rule searches for the standard Base64 alphabet, as either an ASCII or a wide (two bytes per character) string. Files matching this rule have likely implemented Base64.

I ran this rule against the files contained in /bin on my system. Analyzing a handful of matches revealed that all of them did in fact implement the base64 algorithm.

rule base64_alphabet
{
	meta:
		description = "Base64 alphabet"

	strings:
		$ = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" ascii wide

	condition:
		all of them
}
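
To see exactly which byte patterns the rule's `ascii wide` string covers and which Base64 variants it misses, here is a small Python emulation. It is an added example, not part of the original post and not how YARA is implemented; the sample buffers and function names are constructed for illustration.

```python
# Added illustration: emulates the byte patterns the rule's string matches.
B64_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def wide(s: bytes) -> bytes:
    """YARA's `wide` modifier: each character followed by a zero byte."""
    return b"".join(bytes([c, 0]) for c in s)


PATTERNS = {"ascii": B64_STD, "wide": wide(B64_STD)}


def find_alphabet(data: bytes):
    """Return sorted (offset, form) pairs for every occurrence of the alphabet."""
    hits = []
    for form, pat in PATTERNS.items():
        start = data.find(pat)
        while start != -1:
            hits.append((start, form))
            start = data.find(pat, start + 1)
    return sorted(hits)


def rule_matches(data: bytes) -> bool:
    """Equivalent of the rule's condition: its single string is present."""
    return bool(find_alphabet(data))


# Constructed sample buffers (not real binaries).
SAMPLES = {
    "ascii_table": b"\x7fELF" + b"\x00" * 12 + B64_STD + b"=\x00",
    "wide_table": b"MZ" + b"\x90" * 6 + wide(B64_STD),
    # URL-safe alphabet (RFC 4648): '-' and '_' replace '+' and '/'.
    "urlsafe_table": B64_STD[:-2] + b"-_",
    # Same 64 characters in a different order, i.e. a custom alphabet.
    "reordered_table": B64_STD[26:52] + B64_STD[:26] + B64_STD[52:],
    # Base64-encoded data alone does not contain the lookup table.
    "encoded_only": b"aGVsbG8gd29ybGQ=",
}

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(f"{name:16} match={rule_matches(buf)} hits={find_alphabet(buf)}")
```

Only the first two buffers match, so a miss on this rule does not rule out Base64: URL-safe or reordered tables need their own strings.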
