Base64 Encoded Character Distribution

Little project I was working on to determine the distribution of uppercase, lowercase, and numerical characters in Base64. I was talking to a coworker trying to figure out how to detect exfiltration attempts in DNS logs, when this idea occured to me. I figured since Base64 regex is pretty bad (considering it’s just plain-text), I wanted a better way to figure out how to determine Base64 from plain-text, without having to muck around in AI/ML/NN.

Huge thanks to the following sources for allowing me to grab their data:

Read More

Beating EDR Detections

EDR 101

Anti-virus products used to search for static Indicators of Compromise (IOC), which typically took the form of an MD5 checksum, a url, or a filename. Well, referencing the “Pyramid of Pain” of IOCs, we can see that these are trivial for adversaries to change. It’s not unknown for APTs to change attack infrastructure in the middle of a campaign in order to foil any attempt at detecting their static IOCs.

Enter EDR.

Read More