SANS Internet Storm Center
Searching for Base64-encoded PE Files

When hunting for suspicious activity, it's always a good idea to search for Microsoft executables (PE files). They are easy to identify: they start with the characters "MZ" at the beginning of the file[1]. But, to bypass classic controls, those files are often obfuscated (XOR, Rot13 or Base64). Base64 is very common, and it's easy to search for Base64-encoded PE files by searching for the following characters:


(Credits go to a tweet from Paul Melson[2])

I added a new regular expression to my Pastebin scraper:


It already matched against interesting pasties :-)

The same filter can be applied to your IDS configuration, YARA rules, email filters, etc.
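As an added example (not the diary's scraper code, and not reproducing the regex from the tweet), the following Python script derives the Base64 prefixes an "MZ" header can produce from the encoding itself, then scans a constructed sample pastie for Base64 runs and decodes them to confirm they start with "MZ":

```python
import base64
import re

def mz_base64_prefixes():
    """Base64 prefixes a blob can start with when the encoded data begins with "MZ".

    Each Base64 group encodes 3 bytes, so "MZ" plus any third byte yields
    "TV" followed by one of four characters; the common MZ 0x90 0x00 header
    gives "TVqQ". Derived here from the encoding, not copied from the diary.
    """
    return {base64.b64encode(b"MZ" + bytes([b]))[:3].decode() for b in range(256)}

# A run of Base64 alphabet characters long enough to carry a DOS header.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")

def find_base64_pe(text: bytes):
    """Return (offset, first 4 Base64 chars, first 2 decoded bytes) for every
    Base64 run in `text` that decodes to data starting with "MZ"."""
    hits = []
    for m in B64_RUN.finditer(text):
        run = m.group(0)
        run = run[: len(run) - len(run) % 4]  # drop a trailing partial group
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:
            continue
        if decoded.startswith(b"MZ"):
            hits.append((m.start(), run[:4], decoded[:2]))
    return hits

# Constructed sample: a minimal fake DOS header/stub pasted next to benign data.
FAKE_PE = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
           + b"\x00" * 48 + b"This program cannot be run in DOS mode.\r\n")
SAMPLE_PASTIE = (b"payload dropped by stage1:\n" + base64.b64encode(FAKE_PE)
                 + b"\n\nunrelated blob: "
                 + base64.b64encode(b"just some harmless text, nothing to see") + b"\n")

if __name__ == "__main__":
    print(sorted(mz_base64_prefixes()))  # ['TVo', 'TVp', 'TVq', 'TVr']
    for offset, prefix, magic in find_base64_pe(SAMPLE_PASTIE):
        print(f"PE candidate at offset {offset}: starts {prefix!r}, decodes to {magic!r}")
```

Matching on the "TV" prefix alone is cheap enough for an IDS or YARA rule, while the decode step weeds out the occasional benign Base64 string that happens to begin with those characters.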


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

Mar 19th 2017
