Conversation

@fukusuket (Collaborator) commented Aug 14, 2025

What Changed

Evidence

Integration-Test

I’d appreciate it if you could check it when you have time🙏

@fukusuket fukusuket self-assigned this Aug 14, 2025
@fukusuket fukusuket added the bug Something isn't working label Aug 14, 2025
@fukusuket (Collaborator, Author) commented:

base64

```yaml
title: TEST Rule
id: xx8f009-02f9-7db7-6504-25193624ab0a
status: test
author: TEST
date: 2025-08-15
logsource:
    category: process_creation
    product: windows
detection:
    process_creation:
        EventID: 1
        Channel: Microsoft-Windows-Sysmon/Operational
    selection:
        CommandLine|base64|contains: '$XX=IEX(('
    condition: process_creation and selection
level: high
```
```
% ./hayabusa csv-timeline -d ../data/hayabusa-sample-evtx-main -r test.yml -w -q
Start time: 2025/08/15 04:45
Total event log files: 598
Total file size: 132.7 MiB

Loading detection rules. Please wait.


Test rules: 1 (100.00%)

Expand rules: 0 (0.00%)
Enabled expand rules: 0 (0.00%)

Other rules: 1
Total detection rules: 1

Creating the channel filter. Please wait.

Evtx files loaded after channel filter: 222
Detection rules enabled after channel filter: 1

Output profile: standard

Scanning in progress. Please wait.

Timestamp · RuleTitle · Level · Computer · Channel · EventID · RecordID · Details · ExtraFieldInfo · RuleID
2019-08-14 21:17:14.893 +09:00 · TEST Rule · high · MSEDGEWIN10 · Sysmon · 1 · 10675 · Cmdline: "c:\windows\system32\wscript.exe" /E:vbs c:\windows\temp\icon.ico "powershell -exec bypass -c ""IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')))""" ¦ Proc: C:\Windows\System32\wscript.exe ¦ User: MSEDGEWIN10\IEUser ¦ ParentCmdline: "C:\Windows\system32\rundll32.exe" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} ¦ LID: 0x29126 ¦ LGUID: 747F3D96-F419-5D53-0000-002026910200 ¦ PID: 2876 ¦ PGUID: 747F3D96-FBCA-5D53-0000-001036784100 ¦ ParentPID: 2476 ¦ ParentPGUID: 747F3D96-FBCA-5D53-0000-0010B8664100 ¦ Description: Microsoft ® Windows Based Script Host ¦ Product: Microsoft ® Windows Script Host ¦ Company: Microsoft Corporation ¦ Hashes: SHA1=267D05CE8D10D97620BE1C7773757668BAEB19EE,MD5=F5E5DF6C9D62F4E940B334954A2046FC,SHA256=47CACD60D91441137D055184614B1A418C0457992977857A76CA05C75BBC1B56,IMPHASH=0F71D5F6F4CBB935CE1B09754102419C · CurrentDirectory: C:\Windows\system32\ ¦ FileVersion: 5.812.10240.16384 ¦ IntegrityLevel: Medium ¦ ParentImage: C:\Windows\System32\rundll32.exe ¦ RuleName:  ¦ TerminalSessionId: 1 ¦ UtcTime: 2019-08-14 12:17:14.661 · xx8f009-02f9-7db7-6504-25193624ab0a

2019-08-14 20:53:30.022 +09:00 · TEST Rule · high · MSEDGEWIN10 · Sysmon · 1 · 10662 · Cmdline: "c:\windows\system32\wscript.exe" /E:vbs c:\windows\temp\icon.ico "powershell -exec bypass -c ""IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')))""" ¦ Proc: C:\Windows\System32\wscript.exe ¦ User: MSEDGEWIN10\IEUser ¦ ParentCmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding ¦ LID: 0x29126 ¦ LGUID: 747F3D96-F419-5D53-0000-002026910200 ¦ PID: 8180 ¦ PGUID: 747F3D96-F639-5D53-0000-0010B0FC2600 ¦ ParentPID: 6000 ¦ ParentPGUID: 747F3D96-F639-5D53-0000-001092EE2600 ¦ Description: Microsoft ® Windows Based Script Host ¦ Product: Microsoft ® Windows Script Host ¦ Company: Microsoft Corporation ¦ Hashes: SHA1=267D05CE8D10D97620BE1C7773757668BAEB19EE,MD5=F5E5DF6C9D62F4E940B334954A2046FC,SHA256=47CACD60D91441137D055184614B1A418C0457992977857A76CA05C75BBC1B56,IMPHASH=0F71D5F6F4CBB935CE1B09754102419C · CurrentDirectory: C:\Windows\system32\ ¦ FileVersion: 5.812.10240.16384 ¦ IntegrityLevel: Medium ¦ ParentImage: C:\Windows\explorer.exe ¦ RuleName:  ¦ TerminalSessionId: 1 ¦ UtcTime: 2019-08-14 11:53:29.768 · xx8f009-02f9-7db7-6504-25193624ab0a

Scanning finished.

Rule Authors:

╭──────────╮
│ TEST (1) │
╰──────────╯

Results Summary:

Events with hits / Total events: 2 / 3,421 (Data reduction: 3,419 events (99.94%))

Total | Unique detections: 2 | 1
Total | Unique emergency detections: 0 (0.00%) | 0 (0.00%)
Total | Unique critical detections: 0 (0.00%) | 0 (0.00%)
Total | Unique high detections: 2 (100.00%) | 1 (0.00%)
Total | Unique medium detections: 0 (0.00%) | 0 (0.00%)
Total | Unique low detections: 0 (0.00%) | 0 (100.00%)
Total | Unique informational detections: 0 (0.00%) | 0 (0.00%)

First Timestamp: 2019-02-16 19:01:46.884 +09:00
Last Timestamp: 2022-08-29 14:35:43.374 +09:00

Dates with most total detections:
emergency: n/a, critical: n/a, high: 2019-08-14 (2), medium: n/a, low: n/a, informational: n/a

Top 5 computers with most unique detections:
emergency: n/a
critical: n/a
high: MSEDGEWIN10 (1)
medium: n/a
low: n/a
informational: n/a

╭───────────────────────────────────────────────────╮
│ Top emergency alerts:   Top critical alerts:      │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                     n/a                       │
│ n/a                     n/a                       │
│ n/a                     n/a                       │
│ n/a                     n/a                       │
│ n/a                     n/a                       │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top high alerts:        Top medium alerts:        │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ TEST Rule (2)           n/a                       │
│ n/a                     n/a                       │
│ n/a                     n/a                       │
│ n/a                     n/a                       │
│ n/a                     n/a                       │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top low alerts:         Top informational alerts: │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                     n/a                       │
│ n/a                     n/a                       │
│ n/a                     n/a                       │
│ n/a                     n/a                       │
│ n/a                     n/a                       │
╰───────────────────────╌───────────────────────────╯

Elapsed time: 00:00:00.236
```

@fukusuket fukusuket requested a review from Copilot August 14, 2025 19:46
Copilot AI (Contributor) left a comment:

Pull Request Overview

This pull request adds support for the base64 modifier to the rule matching system, providing an alternative to the existing base64offset modifier. The key enhancement allows rules to use simple base64 encoding without the offset variations.

  • Adds base64 as a new pipe element modifier alongside the existing base64offset
  • Implements UTF-8, UTF-16LE, and UTF-16BE base64 encoding functions
  • Updates the matcher logic to handle base64|contains patterns

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File | Description
--- | ---
src/detections/rule/matchers.rs | Adds Base64 enum variant and implements matching logic for base64 modifier with various encoding types
src/detections/rule/base64_match.rs | Implements new base64 encoding functions for UTF-8, UTF-16LE, and UTF-16BE with comprehensive tests
src/options/profile.rs | Refactors code to use if-let pattern instead of unwrap chains for better safety

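As an added example (not Hayabusa's own code), here is the `base64|contains` matching that the test rule above exercises and that the review summary describes: the pattern is base64-encoded as UTF-8, UTF-16LE and UTF-16BE, and each form is searched for as a plain substring of the field. The `sample_command_line` helper and the decoded scripts it wraps are constructed sample data; the example also shows why plain `base64` hits only when the pattern starts on a 3-byte boundary of the decoded text, which is the gap `base64offset` covers.

```rust
// Added example (not Hayabusa's own code): a Sigma `base64|contains` match. The pattern is
// base64-encoded as UTF-8, UTF-16LE and UTF-16BE; each form is searched for as a substring.
const ALPHABET: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/// Minimal standard base64 encoder (std only, so the example runs stand-alone).
pub fn base64_encode(input: &[u8]) -> String {
    let mut out = String::with_capacity((input.len() + 2) / 3 * 4);
    for chunk in input.chunks(3) {
        let b1 = *chunk.get(1).unwrap_or(&0) as u32;
        let b2 = *chunk.get(2).unwrap_or(&0) as u32;
        let n = ((chunk[0] as u32) << 16) | (b1 << 8) | b2;
        let sym = |shift: u32| ALPHABET[((n >> shift) & 63) as usize] as char;
        out.push(sym(18));
        out.push(sym(12));
        // Missing input bytes in the final chunk become '=' padding.
        out.push(if chunk.len() > 1 { sym(6) } else { '=' });
        out.push(if chunk.len() > 2 { sym(0) } else { '=' });
    }
    out
}

/// The three encoded forms of `pattern` that the `base64` modifier matches against.
pub fn base64_variants(pattern: &str) -> [String; 3] {
    let le: Vec<u8> = pattern.encode_utf16().flat_map(|u| u.to_le_bytes().to_vec()).collect();
    let be: Vec<u8> = pattern.encode_utf16().flat_map(|u| u.to_be_bytes().to_vec()).collect();
    [base64_encode(pattern.as_bytes()), base64_encode(&le), base64_encode(&be)]
}

/// `CommandLine|base64|contains: pattern` is true when any variant is a substring of the field.
pub fn base64_contains(field: &str, pattern: &str) -> bool {
    base64_variants(pattern).iter().any(|enc| field.contains(enc.as_str()))
}

/// Constructed CommandLine shaped like the PR output: a one-liner that decodes `script` and runs it.
pub fn sample_command_line(script: &str) -> String {
    format!("powershell -exec bypass -c \"IEX ([System.Convert]::FromBase64String('{}'))\"",
        base64_encode(script.as_bytes()))
}

fn main() {
    let pattern = "$XX=IEX((";
    let aligned = sample_command_line("$XX=IEX(('Get-Date'))");
    let shifted = sample_command_line(" $XX=IEX(('Get-Date'))"); // pattern starts one byte later
    println!("{:?}", base64_variants(pattern)); // UTF-8 form is JFhYPUlFWCgo
    println!("aligned: {}", base64_contains(&aligned, pattern)); // true
    // false: plain `base64` needs the pattern on a 3-byte boundary; `base64offset` covers the rest.
    println!("shifted: {}", base64_contains(&shifted, pattern));
}
```

The 9-character pattern in the test rule encodes to exactly 12 base64 characters with no padding, which is why a single `contains` on the encoded form works at all.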

@fukusuket fukusuket marked this pull request as ready for review August 14, 2025 19:46
@YamatoSecurity (Collaborator) commented:

@fukusuket Sorry, I think I might have caused the same problem with hayabusa-evtx or clippy changed. Could you take a look at this one?

@YamatoSecurity (Collaborator) commented:

@fukusuket Sorry! I was trying to see if I could easily fix it on my end.. I will leave it to you! 🙏

@fukusuket (Collaborator, Author) commented:

@YamatoSecurity
I think that it seems possible to have the AI automatically fix and commit, but this time I'm doing it manually😅 I fixed it!

@YamatoSecurity (Collaborator) commented:

@fukusuket Thanks! Yea, I wouldn't trust AI blindly to fix things. I trusted `cargo clippy --all-targets --all-features -- -D warnings` though. 😉

@YamatoSecurity (Collaborator) left a review comment:

LGTM! Thanks so much!

@YamatoSecurity YamatoSecurity merged commit 19334ec into main Aug 16, 2025
8 of 9 checks passed
@fukusuket fukusuket deleted the 1677-add-base64-modifier-support branch August 16, 2025 08:06


Development

Successfully merging this pull request may close these issues.

[bug] Rule parse error occurs when base64 modifier is used

3 participants