031. What's Hex Staging and How to Detect It
Hello everyone! Let's talk about the Hex Staging technique. I saw it in the Unit42 report on CL-STA-0048.
So, a threat actor incrementally writes hex-encoded data into a temporary file piece by piece, appending one small chunk per command, and evades defenses this way: no single command line carries the whole payload, and the file on disk holds only hex text until it is decoded. For example:
cmd.exe /c >> "path_to_temp_file" set /p="hex_encoded_data"
To decode the hex data back into ASCII, the adversary leveraged certutil, for example:
cmd.exe /c certUtil -decodehex "path_to_temp_file" "path_to_decoded_file"
As you can see, detecting it is quite easy:
- Look for cmd.exe executions with "set /p=" in the arguments, especially together with ">>" redirection to a file (that combination is the staging write; "set /p=" on its own is just an interactive prompt)
- Look for certutil.exe executions with "-decodehex" in the arguments (note that, as in the example above, certutil may be launched through cmd.exe /c, so match on the command line rather than only on the image name)
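As an added example (not code from the post or the Unit42 report), here is a small Python detector that applies both checks to process-creation command lines and goes one step further: it correlates them, so a file that is first appended to with "set /p=" and later passed to "-decodehex" is reported together with the number of staging writes seen for it. The command lines and file paths below are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample process-creation command lines (not taken from the report).
SAMPLE_CMDLINES = [
    'cmd.exe /c >> "C:\\Users\\Public\\stage.tmp" set /p="4d5a9000"',
    'cmd.exe /c >> "C:\\Users\\Public\\stage.tmp" set /p="03000000"',
    'cmd.exe /c certUtil -decodehex "C:\\Users\\Public\\stage.tmp" "C:\\Users\\Public\\out.bin"',
    "cmd.exe /c echo hello",
    "certutil -hashfile C:\\Windows\\notepad.exe SHA256",
]

# Both checks are case-insensitive because cmd.exe and certutil accept either case.
# STAGE_RE requires ">>" redirection right before "set /p=" and captures the target file;
# DECODE_RE captures the input file handed to "-decodehex". Quoted and unquoted paths are handled.
STAGE_RE = re.compile(r'>>\s*(?:"([^"]+)"|(\S+))\s+set\s+/p=', re.IGNORECASE)
DECODE_RE = re.compile(r'certutil(?:\.exe)?\b.*?-decodehex\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def classify(cmdline):
    """Return ("stage", path), ("decode", path) or None for one command line."""
    m = STAGE_RE.search(cmdline)
    if m:
        return ("stage", (m.group(1) or m.group(2)).lower())
    m = DECODE_RE.search(cmdline)
    if m:
        return ("decode", (m.group(1) or m.group(2)).lower())
    return None


def detect(cmdlines):
    """Scan command lines in log order.

    Returns (hits, staged_then_decoded): hits is a list of (kind, path, cmdline) for every
    matching event; staged_then_decoded maps each file that was appended to with set /p=
    and later decoded with certutil to the number of staging writes observed for it.
    """
    hits = []
    writes = defaultdict(int)
    staged_then_decoded = {}
    for cmdline in cmdlines:
        result = classify(cmdline)
        if result is None:
            continue
        kind, path = result
        hits.append((kind, path, cmdline))
        if kind == "stage":
            writes[path] += 1
        elif path in writes:  # decode of a file we previously saw being staged
            staged_then_decoded[path] = writes[path]
    return hits, staged_then_decoded
```

Each per-event hit is worth an alert on its own; the correlated verdict is the high-confidence one, since it ties the staging writes and the decode to the same file.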
Make sure you've checked the report - there are lots of interesting techniques inside!
See you tomorrow!