When hunting for suspicious activity, it is always a good idea to search for Microsoft executables. They are easy to identify: the file starts with the two characters "MZ" [1]. But, to bypass classic controls, those files are often obfuscated (XOR, ROT13 or Base64). Base64 is very common, and it is still easy to spot: Base64 works on groups of three bytes, so "MZ" plus the next byte of the file always encode to four characters starting with "TV"; the third and fourth characters depend on that third byte (the classic "MZ\x90\x00" DOS header becomes "TVqQ", a Delphi "MZP" header becomes "TVpQ"). The following regular expression, shared by Paul Melson [2], covers the usual variants:

TV(oA|pB|pQ|qA|qQ|ro)\w+

Keep in mind that this only works when the executable starts at an offset that is a multiple of three in the data that was encoded; a PE file embedded one or two bytes into a larger blob produces different characters after encoding.
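To see why the regex looks the way it does, and to turn it into a small hunting script, here is an added example (my code, not the diary's). It derives the four-character prefix for each possible byte following "MZ", lists the bytes the diary's regex covers, scans a constructed paste for Base64 runs that really decode to an MZ header, and shows the alignment caveat. The function names, the sample DOS headers and the paste text are all constructed for this example.

```python
import base64
import re

# The regular expression from the diary: "TV" encodes the first 12 bits of
# "MZ"; the next two characters encode the byte that follows "MZ".
MZ_B64_RE = re.compile(r"TV(oA|pB|pQ|qA|qQ|ro)\w+")

# Full standard Base64 alphabet plus padding, used to extend a hit to the
# whole run (the diary's \w+ stops at '+' and '/').
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def b64_prefix_for(third_byte: int) -> str:
    """First four Base64 characters of b"MZ" followed by one byte."""
    return base64.b64encode(b"MZ" + bytes([third_byte])).decode("ascii")


def covered_third_bytes() -> list:
    """Which bytes right after "MZ" does the diary's regex match?"""
    return [b for b in range(256) if MZ_B64_RE.match(b64_prefix_for(b) + "AAAA")]


def find_b64_pe(text: str) -> list:
    """Scan text for Base64 runs that decode to an MZ header.

    Returns a list of (offset, decoded_bytes). The regex only locates the
    candidate; the run is then extended over the full Base64 alphabet and
    decoded, and only runs that really start with b"MZ" are reported.
    """
    hits = []
    for m in MZ_B64_RE.finditer(text):
        run = B64_RUN_RE.match(text, m.start()).group(0)
        usable = run[: len(run) - len(run) % 4]  # drop an incomplete quantum
        try:
            raw = base64.b64decode(usable, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        if raw.startswith(b"MZ"):
            hits.append((m.start(), raw))
    return hits


def encode_at_offset(pe: bytes, offset: int) -> str:
    """Base64 of `offset` filler bytes followed by the PE: shows the alignment caveat."""
    return base64.b64encode(b"\x00" * offset + pe).decode("ascii")


# Constructed samples: the first 16 bytes of a typical DOS header
# (e_cblp = 0x90) and of a Delphi-style "MZP" header.
SAMPLE_PE_HEADER = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
SAMPLE_DELPHI_HEADER = b"MZP\x00\x02\x00\x00\x00\x04\x00\x0f\x00\xff\xff\x00\x00"

# Constructed "pasty": two encoded stubs plus a decoy that starts with "TV"
# ("MS..." also encodes to "TV") but is not an executable.
SAMPLE_PASTE = (
    "some chatter here\n"
    "payload=" + base64.b64encode(SAMPLE_PE_HEADER).decode("ascii") + "\n"
    + base64.b64encode(b"MSFT says hi").decode("ascii") + "  <- decoy\n"
    "blob: " + base64.b64encode(SAMPLE_DELPHI_HEADER).decode("ascii") + " end\n"
)

if __name__ == "__main__":
    for b in covered_third_bytes():
        print(f"MZ + 0x{b:02x} -> {b64_prefix_for(b)}")
    for offset, raw in find_b64_pe(SAMPLE_PASTE):
        print(f"hit at {offset}: {raw[:4]!r}...")
    print("misaligned by one byte:", find_b64_pe(encode_at_offset(SAMPLE_PE_HEADER, 1)))
```

The six alternatives in the regex correspond exactly to "MZ" followed by 0x00, 0x41 ("MZA"), 0x50 ("MZP"), 0x80, 0x90 and 0xE8; any other third byte produces a different pair of characters and is not caught. Note also that \w does not match '+' or '/', so the diary's regex stops at the first such character; that is fine for detection, but the scanner above extends the run over the full alphabet before decoding, then checks for b"MZ" so that a "TV..." string that merely happens to pass the regex is not reported as an executable.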
It already matched against interesting pasties :-)
The same pattern can be applied to your IDS configuration, YARA rules, email filters, etc.
[1] https://en.m.wikipedia.org/wiki/DOS_MZ_executable
[2] https://twitter.com/pmelson
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key