Lee Kirkpatrick

Hex Encoded Executables

Blog Post created by Lee Kirkpatrick Employee on Feb 26, 2019

Attackers are continuously evolving in order to evade detection.  A popular method often utilized is encoding. An attacker may choose to, for example, encode their malicious binaries in order to evade detection; attackers can use a diverse range of techniques to achieve this, but in this post, we are focusing on an example of a hex encoded executable. The executable chosen for this example was not malicious, but a legitimate signed Microsoft binary.

 

This method of evading detection was observed in the wild by the RSA Incident Response team. Due to the close relationship between the Incident Response Team and RSA's Content Team, a request for this content was submitted by IR, and was published to RSA Live yesterday. The following post demonstrates the Incident Response team testing the newly developed content.

 

The Microsoft binary was converted to hexadecimal and uploaded onto Pastebin, which is an example of what attackers are often seen doing:  

 

A simple PowerShell script was written to download and decode the hexadecimal encoded executable and save it to the Temp directory:

 

Typically, the above PowerShell would be Base64 encoded and the IR team would normally see something like the below:

 

After executing the PowerShell script. It is possible to see the dllhost.exe was successfully decoded and saved into Temp directory:

 

Upon perusing the packet metadata, the analyst would be able to easily spot the download of this hex encoded executable by looking under the Indicator of Compromise key:

 

Conclusion

It is important to always keep the RSA NetWitness platform up to date with the latest content. RSA Live allows analysts to subscribe to content, as well as receive updates on when newly developed content is available. For more information on setting up RSA Live, please see: Live: Create Live Account 

Outcomes