When hunting for suspicious activity, it's always a good idea to search for Microsoft executables. They are easy to identify: they start with the characters "MZ" at the beginning of the file. But, to bypass classic controls, those files are often obfuscated (XOR, ROT13 or Base64). Base64 is very common, and Base64-encoded executables can be spotted with a simple regular expression:

TV(oA|pB|pQ|qA|qQ|ro)\w+
It already matched against interesting pasties :-)
The same filter can be applied to your IDS config, YARA rules, email filters, etc.
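As an added example (not part of the diary, and not the author's own tooling), the script below shows why the regex works and how to use it with a cheap structural check on the decoded bytes. Base64 encodes "MZ" to "TV" whenever the executable starts at the beginning of the encoded data; the third and fourth characters depend only on the byte that follows "MZ", so the six alternations in the regex each correspond to one such byte. The sample paste, the fake DOS/PE header and the helper names are all constructed here for illustration.

```python
import base64
import re
import struct

# Regex from the diary. "MZ" Base64-encodes to "TV"; the next two characters
# are determined by the byte that follows "MZ" in the file (0x90 is typical).
MZ_B64_RE = re.compile(r"TV(oA|pB|pQ|qA|qQ|ro)\w+")


def b64_prefix_for(third_byte: int) -> str:
    """First four Base64 characters of b'MZ' followed by one more byte."""
    return base64.b64encode(b"MZ" + bytes([third_byte])).decode("ascii")[:4]


def covered_third_bytes() -> list:
    """Brute-force which byte after 'MZ' each alternation in the regex covers."""
    return [b for b in range(256) if MZ_B64_RE.match(b64_prefix_for(b) + "AAAA")]


def build_fake_pe() -> bytes:
    """Constructed sample (hypothetical, not a real executable): a 64-byte DOS
    header whose e_lfanew field (offset 0x3C) points at a 'PE\\0\\0' signature."""
    dos = bytearray(b"MZ\x90\x00" + b"\x00" * 0x38)   # 0x3C bytes so far
    dos += struct.pack("<I", 0x40)                     # e_lfanew = 0x40
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20   # signature plus filler


def decode_candidate(blob: str) -> bytes:
    """Decode a regex hit. \\w+ stops at '+', '/' and '=', so the match may be
    a truncated prefix: drop a dangling partial quantum, then re-pad."""
    if len(blob) % 4 == 1:
        blob = blob[:-1]
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob)


def looks_like_pe(raw: bytes) -> bool:
    """Structural check to cut false positives from random 'TV..' words:
    full DOS header present and e_lfanew pointing at the PE signature."""
    if len(raw) < 0x40 or raw[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", raw, 0x3C)[0]
    return raw[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan(text: str) -> list:
    """Return (matched_text, passes_structural_check) for every regex hit."""
    results = []
    for m in MZ_B64_RE.finditer(text):
        raw = decode_candidate(m.group(0))
        results.append((m.group(0), looks_like_pe(raw)))
    return results


# Constructed sample paste: a short fragment, the fake PE, and a false positive.
SAMPLE_PASTE = "\n".join([
    "some notes",
    "TVqQAAMAAAAEAAAA",                                   # truncated PE prefix
    base64.b64encode(build_fake_pe()).decode("ascii"),   # full fake header
    "password TVroot123",                                # ordinary word
])

if __name__ == "__main__":
    print("third bytes covered:", [hex(b) for b in covered_third_bytes()])
    for hit, ok in scan(SAMPLE_PASTE):
        print(("PE header confirmed" if ok else "regex only"), hit[:24])
```

Two caveats the output makes visible: the regex matches any text beginning with those prefixes, so a word like "TVroot123" is a hit until you decode and check the header, and a genuinely truncated PE fragment fails the structural check even though the regex caught it. Base64 alignment also matters: if the encoder's input did not start exactly at "MZ", the header lands on a different character boundary and none of these prefixes appear.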
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant