In Windows Forensics, ROT13 is famously used in the UserAssist registry keys (located in NTUSER.DAT). Windows obfuscates the paths of executed programs here so they aren't immediately human-readable, though it offers no cryptographic security.
Attackers often use ROT13 (or variants like ROT47) to hide strings inside binaries or scripts to evade static signature detection. It is computationally cheap and easy to implement in any language without importing external crypto libraries.
Base64 is essential for transmitting binary data (like images or executables) over text-based protocols like Email (MIME). Windows PowerShell also accepts Base64 encoded scripts via the -EncodedCommand parameter to avoid syntax errors with special characters.
This is a hallmark of "Fileless Malware." Attackers execute obfuscated PowerShell commands (e.g., powershell.exe -enc <Base64>) to run malicious code directly in memory, bypassing disk-based antivirus scans. It is also used to encode stolen data before exfiltration to bypass network string filters.