Searching for Base64-encoded PE Files
When hunting for suspicious activity, it's always a good idea to search for Microsoft Executables. They are easy to identify: They start with the characters "MZ" at the beginning of the file[1]. But, to bypass classic controls, those files are often obfuscated (XOR, Rot13 or Base64). Base64 is very common and it's easy to search for Base64 encoded PE files by searching the following characters:
TVoA TVpB TVpQ TVqA TVqQ TVro
(Credits go to a tweet from Paul Melson[2])
I added a new regular expression to my Pastebin scrapper:
TV(oA|pB|pQ|qA|qQ|ro)\w+
It already matched against interesting pasties :-)
The same filter can be applied to your IDS config, YARA rule, email filters, etc...
[1] https://en.m.wikipedia.org/wiki/DOS_MZ_executable
[2] https://twitter.com/pmelson
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key
Comments