I have played with this before; the most effective method I found of blocking these was looking for the CAST statement itself.
The statements, at least the ones that I was playing with, all had a “CAST”, “SET”, “VARCHAR”, and “EXEC”. I found that some of the vendors seem to be looking for the HEX or some mix, because I made variations of the HEX over and over again until it made its way through with the same SELECT statement. I found the best way to detect these events was to look for the “CAST” with the other markers. In my case there was no use for “CAST” in my network, so I just started to alert on all of that.
This is a good breakdown and decode; it's worth reading!
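
The marker check described in this comment, as an added example that is not part of the original comment: it keys on the statement structure (CAST with SET, VARCHAR and EXEC) after decoding, so changing the hex does not change the verdict. The function names, regexes and request lines are assumptions constructed for illustration; the hex literal decodes to the harmless string `select 1`.

```python
import re
from urllib.parse import unquote_plus

# The four markers named in the comment above (the regexes are this example's assumption).
MARKERS = {
    "CAST": re.compile(r"\bCAST\s*\(", re.I),
    "SET": re.compile(r"\bSET\b", re.I),
    "VARCHAR": re.compile(r"\bN?VARCHAR\b", re.I),
    "EXEC": re.compile(r"\bEXEC(?:UTE)?\b", re.I),
}

def normalize(raw, max_rounds=3):
    """Undo (possibly nested) URL encoding and drop /* */ SQL comments."""
    text = raw
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return re.sub(r"/\*.*?\*/", " ", text, flags=re.S)

def matched_markers(raw):
    """Return the sorted names of the markers found in the decoded request."""
    text = normalize(raw)
    return sorted(name for name, rx in MARKERS.items() if rx.search(text))

def classify(raw):
    """'alert' = all four markers, 'review' = CAST( without all the others, else 'clean'."""
    hits = matched_markers(raw)
    if len(hits) == len(MARKERS):
        return "alert"
    return "review" if "CAST" in hits else "clean"

# Constructed request lines, not taken from any real log.
SAMPLES = [
    "/item.asp?id=7;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x73656C6563742031"
    "%20AS%20VARCHAR(4000));EXEC(@S);--",
    # Same statement: different hex casing, mixed-case keywords, double encoding.
    "/item.asp?id=7;dEcLaRe%2520@S%2520nvarchar(4000);sEt%2520@S=cAsT(0X73656c6563742031"
    "%2520as%2520nvarchar(4000));eXeC(@S);--",
    "/report.asp?expr=CAST(price%20AS%20INT)",   # legitimate-looking CAST use
    "/podcast/settings?view=executive&id=7",     # substrings only, no markers
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), matched_markers(line))
```

The `review` tier corresponds to alerting on any CAST at all, which only stays quiet on a network where applications never send CAST in requests.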