Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Searching for Base64-encoded PE Files SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Searching for Base64-encoded PE Files

When hunting for suspicious activity, it's always a good idea to search for Microsoft Executables. They are easy to identify: They start with the characters "MZ" at the beginning of the file[1]. But, to bypass classic controls, those files are often obfuscated (XOR, Rot13 or Base64). Base64 is very common and it's easy to search for Base64 encoded PE files by searching the following characters:

TVoA
TVpB
TVpQ
TVqA
TVqQ
TVro

(Credits go to a tweet from Paul Melson[2])

I added a new regular expression to my Pastebin scrapper:

TV(oA|pB|pQ|qA|qQ|ro)\w+

It already matched against interesting pasties :-)

The same filter can be applied to your IDS config, YARA rule, email filters, etc...

[1] https://en.m.wikipedia.org/wiki/DOS_MZ_executable
[2] https://twitter.com/pmelson

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

I will be teaching next: Reverse-Engineering Malware: Malware Analysis Tools and Techniques - SANS Amsterdam August 2020 Part 2

Xme

532 Posts
ISC Handler
Mar 19th 2017

Sign Up for Free or Log In to start participating in the conversation!