T1027.001 Binary Padding Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let LargePEThresholdMB = 50;
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where FileName endswith ".exe" or FileName endswith ".dll" or FileName endswith ".sys"
| where FileSize > (LargePEThresholdMB * 1024 * 1024)
| join kind=leftouter (
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | project DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, SHA256
) on DeviceName
| where FolderPath !startswith "C:\\Windows\\"
    and FolderPath !startswith "C:\\Program Files\\"
    and FolderPath !startswith "C:\\Program Files (x86)\\"
| project Timestamp, DeviceName, FolderPath, FileName, FileSize,
         InitiatingProcessFileName, InitiatingProcessCommandLine, SHA256
| extend FileSizeMB = round(toreal(FileSize) / (1024*1024), 1)
| sort by FileSizeMB desc

medium severity medium confidence

Data Sources

File: File Creation Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents DeviceProcessEvents

False Positives

Large legitimate software installers (e.g., game installers, IDE packages, database engines) dropped in temp or user directories during installation
Backup or archive tools writing large consolidated files that happen to use .exe or .dll extensions
Software development workflows where compiled binaries with debug symbols legitimately exceed size thresholds
Container or VM image export utilities writing large binary blobs with executable extensions

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
  (TargetFilename="*.exe" OR TargetFilename="*.dll" OR TargetFilename="*.sys")
  NOT (TargetFilename="C:\\Windows\\*" OR TargetFilename="C:\\Program Files\\*" OR TargetFilename="C:\\Program Files (x86)\\*")
| eval FileSizeBytes=coalesce(file_size, 0)
| eval FileSizeMB=round(FileSizeBytes/1048576, 1)
| where FileSizeMB > 50
| table _time, host, User, TargetFilename, FileSizeMB, Image, CommandLine
| sort - FileSizeMB

medium severity medium confidence

Data Sources

File: File Creation Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Large legitimate software installers dropped in user temp directories during staged installation processes
Developer workstations building and testing large applications with debug symbols included
Backup agents writing large archive files with executable-like extensions
Software update packages that bundle multiple components into a single large binary

Elastic Security (EQL)

eql

file where event.action == "creation" and
  file.extension in~ ("exe", "dll", "sys") and
  file.size > 52428800 and
  not file.path : (
    "C:\\Windows\\*",
    "C:\\Program Files\\*",
    "C:\\Program Files (x86)\\*"
  )

medium severity medium confidence

Data Sources

Elastic Endpoint Security (Elastic Defend) Windows Sysmon via Elastic Agent Elastic Agent Fleet

Required Tables

logs-endpoint.events.file-* logs-windows.sysmon_operational-*

False Positives

Large legitimate software installers (e.g., game engines, enterprise IDEs, CAD suites) downloaded and extracted to user temp or downloads directories by package managers or browser processes
Virtual machine guest additions or driver packages written to staging directories by hypervisor tools (VMware Tools, VirtualBox Guest Additions) with .sys extension components
Enterprise software deployment agents (SCCM, Intune, Tanium) extracting large update packages to local staging folders prior to installation under Program Files

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  username AS UserName,
  "TargetFilename",
  LONG("FileSize") AS FileSizeBytes,
  LONG("FileSize") / 1048576 AS FileSizeMB,
  "Image" AS WritingProcess,
  "CommandLine",
  "Hashes"
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
  AND QIDNAME(qid) ILIKE '%File Create%'
  AND (
    "TargetFilename" ILIKE '%.exe'
    OR "TargetFilename" ILIKE '%.dll'
    OR "TargetFilename" ILIKE '%.sys'
  )
  AND LONG("FileSize") > 52428800
  AND "TargetFilename" NOT ILIKE 'C:\\Windows\\%'
  AND "TargetFilename" NOT ILIKE 'C:\\Program Files\\%'
  AND "TargetFilename" NOT ILIKE 'C:\\Program Files (x86)\\%'
  AND devicetime > DATEADD('hour', -24, NOW())
ORDER BY FileSizeBytes DESC
LIMIT 500

medium severity medium confidence

Data Sources

IBM QRadar SIEM Microsoft Sysmon via QRadar Windows Custom Properties DSM QRadar Log Source Extension for Sysmon

Required Tables

events

False Positives

Enterprise patch management solutions (SCCM, Ivanti) writing large application update binaries to local staging directories before moving them to final installation paths under Program Files
Software developers building large debug-mode executables with embedded PDB symbols and statically linked runtime libraries, writing output to project build directories outside system paths
Security research or malware analysis environments where large benign test samples are written to sandboxed analysis directories by orchestration tooling

Sumo Logic CSE

sql

_sourceCategory=*windows*sysmon* OR _sourceCategory=*sysmon*
| where EventCode == "11"
| where TargetFilename matches /\.(exe|dll|sys)$/i
| where !(TargetFilename matches /^C:\\Windows\\/i)
    and !(TargetFilename matches /^C:\\Program Files\\/i)
    and !(TargetFilename matches /^C:\\Program Files \(x86\)\\/i)
| where isNumeric(file_size)
| eval FileSizeBytes = toLong(file_size)
| eval FileSizeMB = round(FileSizeBytes / 1048576, 1)
| where FileSizeMB > 50
| fields _messageTime, Computer, User, TargetFilename, FileSizeMB, Image, CommandLine, Hashes
| sort by FileSizeMB desc

medium severity medium confidence

Data Sources

Sumo Logic Installed Collector (Windows) Windows Sysmon Operational Event Log Sumo Logic Cloud-to-Cloud Windows Event Log Source

Required Tables

Windows Sysmon Operational Log (EventCode 11) via Sumo Logic Collector

False Positives

Large game client executables or self-extracting archives written to user profile directories by gaming platforms (Steam, Epic Games Launcher, Battle.net) during installation or update
Portable application bundles that embed runtimes (Electron apps, .NET single-file executables) written to user-controlled directories without going through Program Files
IT automation agents performing software inventory or compliance scans that write large temporary executable copies to scan staging directories

Google Chronicle / SecOps

yaral

rule binary_padding_large_pe_t1027_001 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects PE files larger than 50MB created outside trusted Windows system directories, indicating potential binary padding (T1027.001). Used by APT29, Kimsuky, Emotet, QakBot, Black Basta, and Akira to change file hashes and evade AV file-size limits."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1027.001"
    mitre_attack_technique_name = "Obfuscated Files or Information: Binary Padding"
    reference = "https://attack.mitre.org/techniques/T1027/001/"
    severity = "MEDIUM"
    confidence = "MEDIUM"
    version = "1.0"

  events:
    $e.metadata.event_type = "FILE_CREATION"
    (
      re.regex($e.target.file.full_path, `(?i)\.exe$`) or
      re.regex($e.target.file.full_path, `(?i)\.dll$`) or
      re.regex($e.target.file.full_path, `(?i)\.sys$`)
    )
    not re.regex($e.target.file.full_path, `(?i)^C:\\Windows\\`)
    not re.regex($e.target.file.full_path, `(?i)^C:\\Program Files\\`)
    not re.regex($e.target.file.full_path, `(?i)^C:\\Program Files \(x86\)\\`)
    $e.target.file.size > 52428800

  condition:
    $e
}

medium severity medium confidence

Data Sources

Google Chronicle SIEM Chronicle UDM FILE_CREATION events Windows Sysmon via Chronicle Ingestion (Bindplane, Forwarder) Microsoft Defender for Endpoint via Chronicle Integration

Required Tables

UDM Events (metadata.event_type = FILE_CREATION)

False Positives

Large legitimate software packages or self-contained single-binary executables written to user download directories by sanctioned installation workflows (e.g., JetBrains IDE installers, Oracle JDK bundles)
Development and CI/CD build artifacts containing debug symbols or statically linked dependencies exceeding 50MB written to build output directories outside Program Files
Security tooling and forensic utilities (disk imagers, memory acquisition tools) writing large binary captures or agent executables to analysis or tool directories

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "NewExecutableWritten"
| TargetFileName = /\.(exe|dll|sys)$/i
| TargetFileName != /^C:\\Windows\\/i
| TargetFileName != /^C:\\Program Files\\/i
| TargetFileName != /^C:\\Program Files \(x86\)\\/i
| where(FileSize > 52428800)
| eval(FileSizeMB := round(FileSize / 1048576, 1))
| select([ComputerName, UserName, TargetFileName, FileSize, FileSizeMB, ImageFileName, SHA256HashData, CommandLine, ParentBaseFileName])
| sort(FileSizeMB, order=desc)

medium severity medium confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike LogScale (Humio) Falcon Sensor Endpoint Telemetry

Required Tables

Falcon Telemetry (NewExecutableWritten event_simpleName)

False Positives

Large portable applications bundled as self-contained executables (Electron-based apps, single-file .NET 6+ publishes) written to user profile directories during first-run extraction by a browser or download manager
Software development toolchains writing large compiled output binaries with full debug information to project-local build directories not under Program Files
IT management and endpoint deployment tools (Tanium, BigFix) writing large software payloads to temporary staging directories before final installation

Binary Padding

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections