Back to Intelligence

Stack String Obfuscation: Detecting Advanced Malware Evasion Techniques

SA
Security Arsenal Team
May 23, 2026
6 min read

A recent analysis highlighted in the SANS ISC Diary ("An Example of Stack String in High Level Language") brings to light a persistent and evasive technique used by modern malware: stack strings. While traditionally associated with C/C++ malware, this technique is appearing more frequently in compiled binaries and even high-level language implementations to bypass basic string extraction utilities.

For security practitioners, this is a critical wake-up call. If your detection strategy relies solely on static indicators—such as scanning for "http://" or specific domain names in the .data section of a binary—you are already blind to this threat. Stack strings are constructed character-by-character on the stack at runtime, rendering them invisible to standard strings commands and many YARA rules lacking deep behavioral inspection.

Technical Analysis

What Are Stack Strings?

A stack string is a method of constructing a string dynamically at runtime rather than storing it statically in the binary's data segment.

  • Standard String: The compiler places the string (e.g., "malicious.exe") in the .data or .rdata section. Static analysis tools trivially extract it.
  • Stack String: The code pushes individual hexadecimal values or characters onto the stack (often via MOV or PUSH instructions) and builds the string in memory only when the specific function executes.

Affected Platforms & Context

While the SANS diary examines a specific sample, this technique is platform-agnostic but most prevalent in:

  • Windows PE Files: Used by loaders, droppers, and ransomware to hide C2 domains, API names (to bypass API hooking), and registry keys.
  • Obfuscators: Commercial and custom packers often employ stack strings to protect the payload's configuration.

The Defense Gap

The primary risk is the bypass of static analysis engines. Antivirus signatures and basic IoC scanners look for fixed patterns. When the "pattern" does not exist until runtime, these tools fail.

Exploitation Status

This is not a vulnerability with a CVE, but a Tactic, Technique, and Procedure (TTP). It is actively used in the wild by sophisticated threat actors to evade detection on endpoints and delay analysis during incident response.

Detection & Response

Because stack strings are a runtime behavior, effective detection requires shifting from static signature matching to behavioral monitoring and memory inspection.

SIGMA Rules

The following rules target the behavioral characteristics often associated with malware utilizing stack strings and obfuscation. Since stack strings are frequently used to resolve API functions dynamically (to bypass EDR hooks) or to load encrypted payloads, we focus on VirtualAlloc with executable permissions and unsigned binaries performing unusual activity.

YAML
---
title: Potential Stack String/Obfuscated Malware Behavior - Memory Allocation
id: 8a4b9c1d-5e6f-4a3b-8c2d-1e5f6a7b8c9d
status: experimental
description: Detects processes allocating executable memory with PAGE_EXECUTE_READWRITE protections, a common tactic for self-decoding obfuscated payloads that use stack strings or similar evasion.
references:
  - https://isc.sans.edu/diary/33008
author: Security Arsenal
date: 2025/05/23
tags:
  - attack.defense_evasion
  - attack.t1027.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains:
      - 'VirtualAlloc'
      - 'VirtualProtect'
  filter_legit:
    Image|endswith:
      - '\python.exe'
      - '\perl.exe'
      - '\ruby.exe'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate developers running test scripts
level: high
---
title: Suspicious Process Execution from Obfuscated Source
id: 9b5c0d2e-6f7a-5b4c-9d3e-2f6a7b8c9d0e
status: experimental
description: Detects execution of binaries from temporary or user directories that exhibit signs of packing (often paired with stack string obfuscation). Monitors for unsigned processes spawning from common loader locations.
references:
  - https://isc.sans.edu/diary/33008
author: Security Arsenal
date: 2025/05/23
tags:
  - attack.execution
  - attack.t1204
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|contains:
      - '\AppData\Local\Temp\'
      - '\AppData\Roaming\'
  condition: selection
falsepositives:
  - Software installers
  - Browser updates
level: medium

KQL (Microsoft Sentinel / Defender)

This hunt query looks for processes that are likely packed or obfuscated by correlating unsigned binaries with network connections. Malware using stack strings often needs to resolve C2 addresses after decoding them in memory.

KQL — Microsoft Sentinel / Defender
// Hunt for unsigned binaries performing network activity (Potential Stack String C2 Resolution)
DeviceProcessEvents
| where InitiatingProcessFileName != "System"
| where isnull(SignerStatus) or SignerStatus != "Valid"
| join kind=inner (DeviceNetworkEvents
  | where ActionType == "ConnectionSuccess"
  | project DeviceId, InitiatingProcessFileName, RemoteUrl, RemoteIP
) on DeviceId, InitiatingProcessFileName
| summarize Count=count(), RemoteIPs=make_set(RemoteIP), RemoteUrls=make_set(RemoteUrl) by DeviceId, InitiatingProcessFileName, FolderPath
| where Count > 0
| order by Count desc

Velociraptor VQL

This artifact hunts for high-entropy executables in user directories. Stack strings and obfuscation increase the entropy of a file's data sections. This is a proactive way to find payloads that hide their strings.

VQL — Velociraptor
-- Hunt for high-entropy executables which often indicate obfuscation/stack strings
SELECT FullPath, Size, Mtime, 
       entropy(data=read_file(filename=FullPath, length=1024)) AS EntropyStart
FROM glob(globs="/*/AppData/Local/Temp/*.exe", root=prepend("C:\Users"))
WHERE EntropyStart > 7.0
-- Entropy > 7.0 suggests high randomness, common in packed/obfuscated binaries

Remediation Script (PowerShell)

Since there is no "patch" for a coding technique, remediation involves identification and isolation. Use this script to scan high-risk directories for binaries with high entropy (a strong indicator of packing/stack string usage).

PowerShell
<#
.SYNOPSIS
    Scans for high-entropy executables in user directories.
.DESCRIPTION
    Malware using stack strings often results in high entropy binaries.
    This script identifies potential threats for further analysis.
#>

$PathScope = @("$env:USERPROFILE\Downloads", "$env:TEMP", "$env:APPDATA")
$EntropyThreshold = 7.2

function Get-FileEntropy {
    param ([string]$FilePath)
    
    $Bytes = [System.IO.File]::ReadAllBytes($FilePath)
    if ($Bytes.Length -eq 0) { return 0 }
    
    $ByteCounts = @{}
    foreach ($Byte in $Bytes) {
        $ByteCounts[$Byte]++
    }
    
    $Entropy = 0.0
    foreach ($Count in $ByteCounts.Values) {
        $Probability = $Count / $Bytes.Length
        $Entropy -= $Probability * [Math]::Log($Probability, 2)
    }
    return $Entropy
}

Write-Host "[+] Scanning for high-entropy executables (Threshold: $EntropyThreshold)..." -ForegroundColor Cyan

foreach ($Path in $PathScope) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Filter *.exe -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $Entropy = Get-FileEntropy -FilePath $_.FullName
            if ($Entropy -gt $EntropyThreshold) {
                Write-Host "[!] High Entropy Found: $($_.FullName) | Entropy: $([math]::Round($Entropy, 2))" -ForegroundColor Red
                # Optional: Move to quarantine or trigger alert logic here
            }
        }
    }
}
Write-Host "Scan Complete. High entropy files may indicate stack strings or packing." -ForegroundColor Green

Remediation

There is no specific configuration change to prevent a developer from writing code using stack strings. Defense relies on increasing the cost for the attacker:

  1. Enable AMSI (Anti-Malware Scan Interface): Ensure AMSI is enabled for PowerShell, .NET, and Office macros. AMSI scans content in memory after de-obfuscation (i.e., after the stack strings have been resolved), exposing the malicious intent.
  2. Hunt for Packed Binaries: Implement regular scans using the PowerShell script above or dedicated tools (like pe-sieve) to identify packed or high-entropy files in user-writable directories.
  3. Behavioral EDR Rules: Shift detection focus to what the code does (e.g., injecting into LSASS, making network connections immediately after spawning) rather than what the file looks like.
  4. Sandboxing: Ensure detonation environments use dynamic instrumentation that can hook memory access, allowing them to capture the strings as they are pushed onto the stack.

Related Resources

Security Arsenal Red Team Services AlertMonitor Platform Book a SOC Assessment pen-testing Intel Hub

penetration-testingred-teamoffensive-securityexploitvulnerability-researchstack-stringsobfuscationmalware-analysis

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action