031. What's Hex Staging and How to Detect It

Hello everyone! Let's talk about the Hex Staging technique. I saw it in the Unit42 report on CL-STA-0048.

So, the threat actor writes hex-encoded data into a temporary file incrementally, piece by piece, and evades defenses that way. For example:

cmd.exe /c >> "path_to_temp_file" set /p="hex_encoded_data"

To decode the hex data back into ASCII, the adversary leveraged certutil, for example:

cmd.exe /c certUtil -decodehex "path_to_temp_file" "path_to_decoded_file"

As you can see, detecting it is quite easy:

  • Look for cmd.exe executions with "set /p=" in arguments
  • Look for certutil.exe executions with "-decodehex"
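Here is how those two checks look as detection logic, as an added example that is not from the original post or the Unit42 report. It runs over a handful of constructed process-creation events (host, time, image, command line; the field names are an assumption, adapt them to your EDR or Sysmon schema) and goes one step beyond the two bullets: it extracts the staging file path from both commands and correlates the `set /p=` writes with a later `certutil -decodehex` of the same file on the same host, so a single alert carries the whole chain instead of one hit per chunk.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events for the demonstration; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "time": "2024-05-01T10:00:01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c >> "C:\Users\Public\stage.tmp" set /p="4d5a9000"'},
    {"host": "WS01", "time": "2024-05-01T10:00:02", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c >> "C:\Users\Public\stage.tmp" set /p="0300000004000000"'},
    {"host": "WS01", "time": "2024-05-01T10:00:09", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r'certUtil -decodehex "C:\Users\Public\stage.tmp" "C:\Users\Public\out.bin"'},
    # Benign: an interactive prompt in a batch script, no append redirect, named variable.
    {"host": "WS02", "time": "2024-05-01T11:00:00", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c set /p answer="Continue? "'},
    # Benign: certutil used to inspect a certificate.
    {"host": "WS02", "time": "2024-05-01T11:00:05", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r'certutil -dump C:\certs\corp.cer'},
]

# Bullet 1: an append redirect to a file followed by `set /p=` with an empty variable name.
WRITE_RE = re.compile(r'>>\s*"?(?P<path>[^"\s]+)"?\s+set\s+/p\s*=\s*"', re.I)
# Bullet 2: certutil -decodehex <infile> <outfile>; we capture the input file.
DECODE_RE = re.compile(r'-decodehex\s+"?(?P<path>[^"\s]+)"?', re.I)


def image_name(path):
    """Return the lowercase file name of an image path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return ('hex_staging_write', path), ('hex_decode', path) or None for one event."""
    name = image_name(event["image"])
    cmd = event["cmdline"]
    if name == "cmd.exe":
        m = WRITE_RE.search(cmd)
        if m:
            return ("hex_staging_write", m.group("path").lower())
    elif name == "certutil.exe":
        m = DECODE_RE.search(cmd)
        if m:
            return ("hex_decode", m.group("path").lower())
    return None


def correlate(events, window=timedelta(minutes=30), min_writes=1):
    """Group staging writes per (host, file) and raise one alert when that same file
    is decoded with certutil within `window` of at least `min_writes` writes."""
    writes = defaultdict(list)   # (host, path) -> list of write timestamps
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):   # ISO timestamps sort as strings
        tag = classify(ev)
        if tag is None:
            continue
        kind, path = tag
        t = datetime.fromisoformat(ev["time"])
        key = (ev["host"], path)
        if kind == "hex_staging_write":
            writes[key].append(t)
        else:  # hex_decode
            recent = [w for w in writes.get(key, []) if timedelta(0) <= t - w <= window]
            if len(recent) >= min_writes:
                alerts.append({"host": ev["host"], "file": path,
                               "writes": len(recent), "decoded_at": ev["time"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The append redirect together with the empty variable name is what separates staging from an ordinary `set /p` prompt in a batch file, so matching on both keeps the first rule quiet on normal scripts. Raising `min_writes` turns the correlation into a "many small appends, then a decode" pattern, which is the shape of the technique itself.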

Make sure you've checked the report - there are lots of interesting techniques inside!

See you tomorrow!
