(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

When hunting for suspicious activity, its always a good idea to search for Microsoft Executables. They are easy to identify: They start with the characters MZ at the beginning of the file[1]. But, to bypass classic controls, those files are often obfuscated (XOR, Rot13 or Base64). Base64 is very common and it padding:5px 10px"> TV(oA|pB|pQ|qA|qQ|ro)\w+

It already matched against interesting pasties :-)

The same filter can be applied to your IDS config, YARA rule, email filters, etc...

[1] https://en.m.wikipedia.org/wiki/DOS_MZ_executable
[2] https://twitter.com/pmelson

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

 
Internet Storm Center Infocon Status