031. What's Hex Staging and How to Detect It
Hello everyone! Let's talk about the Hex Staging technique. I saw it in the Unit42 report on CL-STA-0048. A threat actor incrementally writes hex-encoded data into a temporary file, piece by piece, and evades defenses this way. For example:

cmd.exe /c >> "path_to_temp_file" set /p="hex_encoded_data"

To decode the hex data back into ASCII, the adversary leveraged certutil, for example:

cmd.exe /c certUtil -decodehex "path_to_temp_file" "path_to_decoded_file"

As you can see, detecting it is quite easy:

Look for cmd.exe executions with " set /p= " in the arguments
Look for certutil.exe executions with " -decodehex " in the arguments

Make sure you've checked the report - there are lots of interesting techniques inside! See you tomorrow!
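Here is an added example of the two detection rules above turned into working code; it is not from the post or the Unit42 report. It assumes process-creation telemetry has already been reduced to (image, command line) pairs, and the sample events, file paths and hex chunks are constructed for illustration. Beyond the two plain string matches, it also links a certutil -decodehex event back to the file that earlier "set /p=" writes were appended to, which is the higher-confidence signal for staging.

```python
"""Detect Hex Staging: chunked 'set /p=' appends plus certutil -decodehex."""
import re
import string
from collections import defaultdict

# Append-redirect followed by 'set /p=' with the chunk as the prompt text.
STAGE_RE = re.compile(
    r'>>\s*(?:"(?P<qpath>[^"]+)"|(?P<path>\S+))\s+set\s+/p\s*=\s*"?(?P<chunk>[^"]*)',
    re.IGNORECASE,
)
# certutil -decodehex <source> <destination>, quoted or unquoted paths.
DECODE_RE = re.compile(
    r'certutil(?:\.exe)?\s+-decodehex\s+'
    r'(?:"(?P<qsrc>[^"]+)"|(?P<src>\S+))\s+(?:"(?P<qdst>[^"]+)"|(?P<dst>\S+))',
    re.IGNORECASE,
)

# Constructed sample events (image, command line); paths and data are made up.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\cmd.exe",
     'cmd.exe /c >> "C:\\Users\\Public\\tmp1.txt" set /p="4d5a9000"'),
    ("C:\\Windows\\System32\\cmd.exe",
     'cmd.exe /c >> "C:\\Users\\Public\\tmp1.txt" set /p="0300000004000000"'),
    ("C:\\Windows\\System32\\cmd.exe",
     'cmd.exe /c >> "C:\\Users\\Public\\notes.txt" set /p="hello world"'),
    ("C:\\Windows\\System32\\cmd.exe",
     'cmd.exe /c certUtil -decodehex "C:\\Users\\Public\\tmp1.txt" "C:\\Users\\Public\\out.dll"'),
    ("C:\\Windows\\System32\\cmd.exe", "cmd.exe /c dir C:\\Users"),
    ("C:\\Windows\\System32\\certutil.exe",
     "certutil -hashfile C:\\Windows\\notepad.exe SHA256"),
]


def _norm(path):
    """Normalise a Windows path so staging and decode events can be joined."""
    return path.strip().lower()


def _looks_hex(chunk):
    """True when the prompt text is an even-length run of hex digits."""
    return (len(chunk) >= 2 and len(chunk) % 2 == 0
            and all(c in string.hexdigits for c in chunk))


def match_staging(cmdline):
    """Return the staged file and chunk if cmdline is a 'set /p=' append."""
    m = STAGE_RE.search(cmdline)
    if not m:
        return None
    chunk = m.group("chunk")
    return {"file": _norm(m.group("qpath") or m.group("path")),
            "chunk": chunk, "hex": _looks_hex(chunk)}


def match_decode(cmdline):
    """Return source/destination if cmdline is a certutil -decodehex call."""
    m = DECODE_RE.search(cmdline)
    if not m:
        return None
    return {"src": _norm(m.group("qsrc") or m.group("src")),
            "dst": _norm(m.group("qdst") or m.group("dst"))}


def analyze(events):
    """Run both rules over events and correlate decodes with staged files."""
    staging = defaultdict(list)
    decodes = []
    for _image, cmdline in events:
        s = match_staging(cmdline)
        if s:
            staging[s["file"]].append(s)
        d = match_decode(cmdline)
        if d:
            decodes.append(d)
    alerts = []
    for path, writes in staging.items():
        alerts.append({"rule": "hex_staging_write", "file": path,
                       "writes": len(writes),
                       "hex_chunks": sum(w["hex"] for w in writes)})
    for d in decodes:
        # A decode whose source was built by earlier appends is the strong case.
        alerts.append({"rule": "certutil_decodehex", "src": d["src"],
                       "dst": d["dst"], "linked_to_staging": d["src"] in staging})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The hex check on the chunk is only a confidence booster: a plain "set /p=" append is still worth reviewing, since an actor can split the data so that individual chunks are odd-length or mixed with other text.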