
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2017-03-19



Searching for Base64-encoded PE Files

Published: 2017-03-19
Last Updated: 2017-03-19 20:57:14 UTC
by Xavier Mertens (Version: 2)

When hunting for suspicious activity, it's always a good idea to search for Microsoft executables (PE files). They are easy to identify: they start with the characters "MZ" at the beginning of the file[1]. But, to bypass classic controls, those files are often obfuscated (XOR, ROT13 or Base64). Base64 is very common, and it's easy to search for Base64-encoded PE files by looking for the following character sequences at the start of the encoded data:

TVoA
TVpB
TVpQ
TVqA
TVqQ
TVro

(Credits go to a tweet from Paul Melson[2])

I added a new regular expression to my Pastebin scraper:

TV(oA|pB|pQ|qA|qQ|ro)\w+

It already matched against interesting pasties :-)

The same filter can be applied to your IDS config, YARA rules, email filters, etc.
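The six prefixes above are what Base64 produces for the three bytes "MZ" plus one common value of the third header byte (0x00, 0x41, 0x50, 0x80, 0x90 and 0xE8 respectively). The following is an added example, not code from the diary or from the author's Pastebin scraper: it derives those prefixes from the encoding itself, generalises the diary's regex to every possible third byte (all 256 of them start with `TV` followed by `o`, `p`, `q` or `r`), and then decodes each candidate blob to confirm that it really carries a DOS/PE header rather than just happening to start with "MZ". The paste text and the PE-shaped buffer are constructed here for the demonstration; the function and pattern names are my own.

```python
import base64
import re
import struct
from typing import Dict, List, Set

# Regex exactly as given in the diary. Note that \w matches [A-Za-z0-9_] only,
# so it stops at the Base64 characters '+', '/' and '='.
DIARY_PATTERN = re.compile(r"TV(oA|pB|pQ|qA|qQ|ro)\w+")

# Generalised pattern (assumption of this example): any Base64 group that encodes
# "MZ" plus some third byte starts with TV[opqr]; capture the whole blob so it can
# be decoded and verified.
BLOB_PATTERN = re.compile(r"TV[opqr][A-Za-z0-9+/]{2,}={0,2}")


def base64_prefix_for_third_byte(third: int) -> str:
    """Return the 4-character Base64 group that encodes b'MZ' + bytes([third])."""
    return base64.b64encode(b"MZ" + bytes([third])).decode("ascii")


def all_mz_prefixes() -> Set[str]:
    """Every prefix a Base64-encoded buffer starting with 'MZ' can have (256 of them)."""
    return {base64_prefix_for_third_byte(b) for b in range(256)}


def build_fake_pe(third_byte: int = 0x90) -> bytes:
    """Constructed, non-executable buffer with a valid DOS header and PE signature.

    The 64-byte DOS header carries 'MZ', the chosen third byte and an e_lfanew
    (offset 0x3C) pointing at a 'PE\\0\\0' signature placed right after it.
    """
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    dos[2] = third_byte
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew -> PE signature at offset 64
    # PE signature, Machine = 0x014c (i386), then zero padding for the rest of the header.
    return bytes(dos) + b"PE\0\0" + b"\x4c\x01" + b"\0" * 18


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check: 'MZ' magic and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decode_b64_lenient(blob: str) -> bytes:
    """Decode a Base64 blob, dropping a trailing incomplete 4-character group."""
    blob = blob[: len(blob) - len(blob) % 4]
    return base64.b64decode(blob)


def find_base64_pe(text: str) -> List[Dict]:
    """Scan text for Base64 blobs that decode to something starting with 'MZ'.

    Each hit records where it was found, which prefix matched, and whether the
    decoded bytes pass the PE header check (to separate real PE files from
    arbitrary data that merely starts with 'MZ').
    """
    hits = []
    for m in BLOB_PATTERN.finditer(text):
        blob = m.group(0)
        try:
            data = decode_b64_lenient(blob)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        hits.append({
            "offset": m.start(),
            "prefix": blob[:4],
            "decoded_len": len(data),
            "verified_pe": looks_like_pe(data),
        })
    return hits


# Constructed sample "paste": one genuine PE-shaped blob (third byte 0x90 -> "TVqQ")
# and one false positive, 'MZ' followed by plain text (third byte 'A' -> "TVpB").
FAKE_PE_B64 = base64.b64encode(build_fake_pe(0x90)).decode("ascii")
FALSE_POSITIVE_B64 = base64.b64encode(b"MZ" + b"Ahello world this is not a PE").decode("ascii")
SAMPLE_PASTE = (
    "some unrelated log line\n"
    f"payload = {FAKE_PE_B64}\n"
    f"{FALSE_POSITIVE_B64}\n"
)

if __name__ == "__main__":
    print(sorted(p for p in all_mz_prefixes() if p in {"TVoA", "TVpB", "TVpQ", "TVqA", "TVqQ", "TVro"}))
    for hit in find_base64_pe(SAMPLE_PASTE):
        print(hit)
```

Two caveats worth keeping in mind when deploying the diary's regex: the `TV…` prefix only appears when the Base64 stream starts exactly at the "MZ" bytes, so a PE appended after other data at a non-multiple-of-3 offset encodes to a different prefix (still a PE, but not matched); and because `\w` excludes `+`, `/` and `=`, the diary pattern flags the blob but will not capture all of it, which is why the example uses a wider character class before decoding. Decoding and checking `e_lfanew` is what turns a cheap string match into a confirmed PE hit.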

[1] https://en.m.wikipedia.org/wiki/DOS_MZ_executable
[2] https://twitter.com/pmelson

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key
