TH16107
Detected presence of files that embed a Base-encoded executable.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
| | pass | high | high | None | None |
About the issue
Attackers commonly hide their malicious payloads in layers of packing and code obfuscation. Base-encoding is a common data transformation technique used to convert Windows executable files into textual payloads. The detected software behaviors indicate that the code has the ability to decode and execute Base-encoded executables. While the presence of dynamic code execution does not by itself imply malicious intent, every such use in a software package should be documented and approved. When a software package has behavior traits similar to malicious software, it may become flagged by security solutions. One example of acceptable use is embedding Base-encoded Windows executables so that software components can be transferred over the network.
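As an added example, not part of the original page or of the RL product, the following Python script implements the kind of check this detection describes: it scans a file for long Base64 runs, decodes each one, and reports any run that decodes to a Windows PE image (an MZ DOS header whose e_lfanew field at offset 0x3C points at a PE\0\0 signature). The sample input, the function names and the 64-character run threshold are constructed for illustration.

```python
import base64
import binascii
import re
import struct

# Minimum length of a Base64 run worth decoding; a constructed threshold,
# chosen so that short tokens and hashes are skipped.
MIN_B64_RUN = 64
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_B64_RUN)


def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with a DOS header whose e_lfanew points at a PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_embedded_executables(text: bytes) -> list[tuple[int, int]]:
    """Return (offset, decoded_size) for every Base64 run in text that decodes to a PE image."""
    hits = []
    for match in B64_RUN.finditer(text):
        run = match.group(0)
        # A run may pick up stray alphabet characters from the surrounding text;
        # drop the incomplete trailing quantum instead of discarding the whole run.
        run = run[: len(run) - len(run) % 4]
        try:
            decoded = base64.b64decode(run, validate=True)
        except (binascii.Error, ValueError):
            continue
        if looks_like_pe(decoded):
            hits.append((match.start(), len(decoded)))
    return hits


def build_fake_pe() -> bytes:
    """Constructed test data: a stub with valid MZ/PE signatures and no code at all."""
    e_lfanew = 0x80
    header = bytearray(b"MZ") + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    header += bytes(e_lfanew - len(header))          # pad up to the PE signature
    return bytes(header) + b"PE\0\0" + bytes(20)      # signature + zeroed COFF header


# Constructed sample: an install script that carries its executable inline.
SAMPLE = (
    b"# helper installer (constructed sample)\n"
    + b'PAYLOAD = "' + base64.b64encode(build_fake_pe()) + b'"\n'
    + b"import base64\n"
    + b"open('helper.exe', 'wb').write(base64.b64decode(PAYLOAD))\n"
)

if __name__ == "__main__":
    for offset, size in find_embedded_executables(SAMPLE):
        print(f"Base64-encoded PE image at offset {offset}, {size} bytes decoded")
```

Checking the decoded bytes for a consistent MZ/PE header pair, rather than only looking for the familiar "TVqQ" prefix, keeps the false-positive rate low on long runs of ordinary Base64 data such as embedded images or certificates; a hit still only tells you that an executable is present, so the resolution steps below (documenting and approving the use, or choosing another delivery mechanism) are what decide whether it is acceptable.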
How to resolve the issue
- Investigate reported detections as indicators of software tampering.
- Consult the MITRE ATT&CK documentation for T1027 - Obfuscated Files or Information.
- Consider an alternative delivery mechanism for software packages.
Recommended reading
- T1027 - Obfuscated Files or Information (External resource - MITRE ATT&CK documentation)
- Binary-to-text encoding (External resource - Wikipedia)