TH16103
Detected presence of files that dynamically execute Base-encoded data.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
| | pass | medium | high | None | None |
About the issue
Attackers commonly hide malicious payloads behind layers of packing and code obfuscation. Base-encoding (Base64, Base32, Base16 and similar binary-to-text schemes) is a common transformation that turns a binary payload into printable text, which can then be embedded in a script or stored as a string constant. The detected behaviors indicate that the code can decode Base-encoded data and execute the result. The presence of dynamic code execution does not by itself imply malicious intent, but every use of it in a software package should be documented and approved. A package whose behavior resembles that of malicious software may also be flagged by other security solutions. One example of an acceptable use of dynamically executed Base-encoded data is the transfer of software components over the network, where a component is encoded for transport, decoded on arrival and then run.
How to resolve the issue
- Investigate reported detections as possible indicators of software tampering: establish where the encoded data comes from, what it decodes to, and whether executing it is an intended part of the package.
- Consult the Mitre ATT&CK documentation: T1027 - Obfuscated Files or Information.
- Consider rewriting the flagged code so that it no longer decodes data and executes it dynamically, for example by shipping the component as a regular file or module rather than as an embedded encoded string.
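To investigate a detection of this kind, the first step is to locate the places where decoded data is handed to an interpreter. The scanner below is an added example written for this page; it is not ReversingLabs code and does not reproduce the product's own detection logic, which the page does not describe. It assumes you have the package contents on disk as readable text; the `scan` function, the `RULES` table and the `SAMPLE` buffer are names chosen here, and the sample is constructed rather than taken from any real package. The rules cover Python, JavaScript, PowerShell and POSIX shell idioms, which is broader than the single behavior the page names, and they deliberately key on the executing call so that plain decoding (writing decoded bytes to a file, as the page's network-transfer example might) is not reported.

```python
import re

# Heuristic signatures for "decode Base-encoded data, then execute it", one per
# language commonly found in packages. Each rule is keyed on the *executing*
# call (exec, eval, Invoke-Expression, sh ...) so that code which merely
# decodes Base-encoded data, for instance to write it to a file, is not
# reported. The bounded, lazy span [^;]{0,200}? lets the decode call sit
# inside nested calls such as zlib.decompress(base64.b64decode(...)) or on a
# continuation line, without letting a rule run across several statements.
RULES = {
    "python: exec/eval/compile of Base-decoded data": re.compile(
        r"\b(?:exec|eval|compile)\s*\([^;]{0,200}?\bb(?:16|32|64|85)decode\s*\("
    ),
    "javascript: eval/Function of atob() or Buffer.from(..., 'base64')": re.compile(
        r"\b(?:eval|Function)\s*\([^;]{0,200}?"
        r"(?:\batob\s*\(|\bBuffer\.from\([^)]*['\"]base64['\"])"
    ),
    "powershell: Invoke-Expression of FromBase64String output": re.compile(
        r"\b(?:iex|Invoke-Expression)\b[^;\n]{0,200}?FromBase64String"
        r"|FromBase64String[^;\n]{0,200}?\|\s*(?:iex|Invoke-Expression)\b",
        re.IGNORECASE,
    ),
    # PowerShell also accepts shorter prefixes (-ec, -e); they are left out
    # because they collide with unrelated options of other tools.
    "powershell: -EncodedCommand argument": re.compile(
        r"-(?:EncodedCommand|enc)\s+[A-Za-z0-9+/]{20,}={0,2}", re.IGNORECASE
    ),
    "shell: base64 -d piped into an interpreter": re.compile(
        r"\bbase64\s+(?:-d|--decode)\b[^|;\n]{0,100}\|\s*"
        r"(?:sh|bash|zsh|python[0-9.]*|perl)\b"
        r"|\beval\s+[\"'$`(]*\s*base64\s+(?:-d|--decode)\b"
    ),
}

# Constructed sample (not from any real package), mixing languages in one
# buffer the way a scanner walking a package tree would see them.
SAMPLE = """\
import base64, zlib
# benign: decoded bytes are written to disk, never executed
with open("asset.bin", "wb") as fh:
    fh.write(base64.b64decode(BLOB))
# flagged: stacked decode (base64 -> zlib) feeding exec
exec(zlib.decompress(base64.b64decode(PAYLOAD)))
// flagged: browser-side variant
eval(atob("Y29uc29sZS5sb2coMSk="));
# flagged: PowerShell, decoded string handed straight to Invoke-Expression
iex ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b)))
# flagged: PowerShell, encoded command on the command line (decodes to Get-Process)
powershell.exe -NoProfile -enc RwBlAHQALQBQAHIAbwBjAGUAcwBzAA==
# flagged: shell one-liner
echo "$P" | base64 -d | sh
"""


def scan(text):
    """Return sorted [(line_number, rule_name, matched_text)] for every hit."""
    hits = []
    for name, rule in RULES.items():
        for m in rule.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            hits.append((line_no, name, " ".join(m.group(0).split())))
    return sorted(hits)


if __name__ == "__main__":
    import sys

    paths = sys.argv[1:]
    if not paths:  # no files given: show the hits on the constructed sample
        for line_no, rule, snippet in scan(SAMPLE):
            print(f"<sample>:{line_no}: {rule}: {snippet}")
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line_no, rule, snippet in scan(fh.read()):
                print(f"{path}:{line_no}: {rule}: {snippet}")
```

Run it with file paths as arguments to scan real files, or with no arguments to see the hits on the constructed sample. Treat the rules as a triage aid rather than a verdict: the bounded span means a decode call more than 200 characters away from its exec, or separated from it by a `;`, is missed, and an attacker who assembles the function name at runtime evades this kind of lexical match entirely, which is why the page asks you to treat the behavior as a tampering indicator and to document every legitimate use.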
Recommended reading
- T1027 - Obfuscated Files or Information (External resource - Mitre ATT&CK documentation)
- Binary-to-text encoding (External resource - Wikipedia)