SANS ISC Diary: Searching for Base64-encoded PE Files


Searching for Base64-encoded PE Files

When hunting for suspicious activity, it is always a good idea to search for Windows executables (PE files). They are easy to identify: the file starts with the two characters "MZ", the magic of the DOS header that every PE file carries[1]. But, to bypass classic controls, those files are often transformed before being dropped in a paste, a mail or a script (XOR, ROT13 or Base64). Base64 is very common and it is easy to search for Base64-encoded PE files: the bytes "MZ" (0x4D 0x5A) always encode to the characters "TV", and the third character depends only on the two high bits of the file's third byte, so the most common headers start with one of the following four-character prefixes:

TVoA
TVpB
TVpQ
TVqA
TVqQ
TVro

(Credits go to a tweet from Paul Melson[2])

I added a new regular expression to my Pastebin scraper:

TV(oA|pB|pQ|qA|qQ|ro)\w+

Note that \w stops at "+" and "/" and does not cover the "=" padding; that is enough to flag a paste, but if you want to capture the whole encoded blob in order to decode it, match on the Base64 alphabet instead: [A-Za-z0-9+/=]+

It already matched against interesting pasties :-)

The same pattern can be applied to your IDS signatures, YARA rules, email filters, etc. Keep in mind that these prefixes assume the executable is the first thing in the encoded buffer: if the PE is Base64-encoded together with one or two leading bytes (a header, a length field), the "MZ" bits fall on other characters and the prefixes above will not match. Also verify hits by decoding them: "TV" followed by o, p, q or r can occur by chance in legitimate Base64 data.
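The following is an added example, not code from the diary or from Xavier Mertens' scraper. It derives the "TV[o-r]" prefixes from the bytes "MZ" rather than hard-coding them, runs the diary's regex (with \w tightened to the Base64 alphabet) over a few constructed sample pastes, decodes each hit to check for a real DOS header and PE signature, and goes one step beyond the text by also matching the two other bit alignments that occur when one or two bytes precede the PE in the encoded buffer. The sample pastes, the fake PE builder and the alignment patterns are all constructed here and are assumptions of the example.

```python
"""Hunt for Base64-encoded PE files in text (pastes, mail bodies, script blobs).

Added example, not code from the diary. The sample pastes below are constructed
and the "PE" they carry is a fake DOS header plus PE signature, nothing more.
"""
import base64
import re
import struct

# Why "TV": b"MZ" is 0x4D 0x5A -> bits 010011 010101 1010xx -> 'T', 'V', then one
# of o/p/q/r chosen by the two high bits of the third byte. Derived, not hard-coded:
MZ_B64_PREFIXES = sorted({base64.b64encode(b"MZ" + bytes([b])).decode()[:3]
                          for b in range(256)})            # ['TVo', 'TVp', 'TVq', 'TVr']

# The diary's regex, with \w tightened to the Base64 alphabet (\w stops at '+' and
# '/' and would accept '_', which plain Base64 never contains).
AUTHOR_RE = re.compile(r"TV(?:oA|pB|pQ|qA|qQ|ro)[A-Za-z0-9+/]+")

# Any-alignment variant (assumption: the blob is one contiguous Base64 run).
# When the PE does not start on a 3-byte boundary of the encoded buffer the 'MZ'
# bits land on other characters:
#   offset 0 -> TV[o-r]   at position 0 of a 4-char group
#   offset 1 -> [EUk0]1a  at position 1
#   offset 2 -> NW[g-v]   from position 3 of one group into the next
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{16,}")
ANY_ALIGN_RE = re.compile(r"(?P<a0>TV[o-r])|(?P<a1>[EUk0]1a)|(?P<a2>NW[g-v])")
GROUP_POS = {"a0": 0, "a1": 1, "a2": 3}   # where the match sits inside its group
MZ_OFFSET = {"a0": 0, "a1": 1, "a2": 2}   # where 'MZ' sits once that group is decoded


def b64decode_lenient(s: str) -> bytes:
    """Decode a run that lost its '=' padding or was cut off mid-group."""
    if len(s) % 4 == 1:                      # a lone trailing character is never valid
        s = s[:-1]
    return base64.b64decode(s + "=" * (-len(s) % 4))


def looks_like_pe(data: bytes, mz_at: int = 0) -> bool:
    """Cheap verification: 'MZ' at mz_at and e_lfanew pointing at 'PE\\0\\0'."""
    hdr = data[mz_at:]
    if len(hdr) < 0x40 or hdr[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", hdr, 0x3C)
    return hdr[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def hunt_author_regex(text: str) -> list:
    """Every match of the diary's regex, tagged with whether it really decodes to a PE."""
    return [(m.group(0), looks_like_pe(b64decode_lenient(m.group(0))))
            for m in AUTHOR_RE.finditer(text)]


def hunt_any_alignment(text: str) -> list:
    """(byte offset of 'MZ' in the decoded run, decoded bytes) for each verified hit."""
    hits = []
    for run in B64_RUN_RE.finditer(text):
        s = run.group(0)
        for m in ANY_ALIGN_RE.finditer(s):
            kind = m.lastgroup
            if m.start() % 4 != GROUP_POS[kind]:
                continue                     # right letters, wrong place: not 'MZ'
            data = b64decode_lenient(s[m.start() - GROUP_POS[kind]:])
            if looks_like_pe(data, MZ_OFFSET[kind]):
                hits.append((MZ_OFFSET[kind], data))
    return hits


def build_fake_pe(third_byte: int = 0x90) -> bytes:
    """Constructed DOS header + PE signature: enough for the checks, not a program."""
    hdr = bytearray(0x40)
    hdr[0:3] = b"MZ" + bytes([third_byte])
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> PE signature right after
    return bytes(hdr) + b"PE\0\0" + b"\x64\x86" + b"\0" * 18   # AMD64 COFF header stub


# Constructed sample pastes (not real Pastebin content).
SAMPLE_PASTES = {
    "dropper": "$b='" + base64.b64encode(build_fake_pe()).decode() + "';",
    "delphi": base64.b64encode(build_fake_pe(0x50)).decode(),             # 'MZP' -> TVpQ
    "benign": "see TVqQAAAA for details",                                   # regex hit, no PE
    "off1": base64.b64encode(b"\x00" + build_fake_pe()).decode(),          # 1 byte before MZ
    "off2": base64.b64encode(b"\x00\x00" + build_fake_pe()).decode(),      # 2 bytes before MZ
}

if __name__ == "__main__":
    for name, paste in SAMPLE_PASTES.items():
        print(f"{name:8} author-regex={[ok for _, ok in hunt_author_regex(paste)]} "
              f"any-alignment offsets={[off for off, _ in hunt_any_alignment(paste)]}")
```

Two things the run makes visible: the "benign" paste is matched by the prefix regex but fails the decode check (the regex is a cheap pre-filter, decoding is the confirmation), and the "off1" and "off2" pastes are missed by the prefix regex entirely because the "MZ" bits no longer sit at the start of a 4-character group; the alignment-aware patterns recover them. The modulo-4 position check is what keeps those extra patterns from firing on the same letters appearing elsewhere in a run.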

[1] https://en.m.wikipedia.org/wiki/DOS_MZ_executable
[2] https://twitter.com/pmelson

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key
