Overview

As a network defender, you are tasked with finding a needle in a needlestack, where the needle you’re looking for may or may not exist, and you don’t know exactly what the needle looks like in the first place. On top of that, the needle maker tries very hard to make their needle look like all the other needles.

That is a really hard job, and for someone new to it, telling good from bad can be very daunting. The number one question I hear from new intrusion detection analysts is, “What should I be looking for?” We’re going to try to answer that question today.

In this series, we will take a look at portable executable (PE) files and highlight key differentiators that can help you say, with confidence, whether an executable is legitimate or malicious.

Roadmap

The following list is the roadmap for where this series is going and which topics we are going to discuss. New posts will be released weekly, on Mondays, following the roadmap, and will show up in the “Posts” section below. All posts in this series will have the category “Executable Features Series.”

Entropy
PE Checksum
Digital Signatures
Function Imports/Exports
32-bit vs 64-bit
DLL Characteristics
Compiler
File Info
Sections
Cryptography
Antidebug
Disassembly
    Average Block Size
    Entry Block Size
    Entry Block Instructions
    Disassembly Errors
    Distribution of Instructions
Strings

Posts