Detect Binary Padding in Google Chronicle
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures. Known threat actors including APT29, Kimsuky, Emotet, QakBot, Black Basta, and Akira have employed this technique to inflate file sizes and change file hashes.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1027 Obfuscated Files or Information
- Sub-technique
- T1027.001 Binary Padding
- Canonical reference
- https://attack.mitre.org/techniques/T1027/001/
YARA-L Detection Query
rule binary_padding_large_pe_t1027_001 {
meta:
author = "Argus Detection Engineering"
description = "Detects PE files larger than 50MB created outside trusted Windows system directories, indicating potential binary padding (T1027.001). Used by APT29, Kimsuky, Emotet, QakBot, Black Basta, and Akira to change file hashes and evade AV file-size limits."
mitre_attack_tactic = "Defense Evasion"
mitre_attack_technique = "T1027.001"
mitre_attack_technique_name = "Obfuscated Files or Information: Binary Padding"
reference = "https://attack.mitre.org/techniques/T1027/001/"
severity = "MEDIUM"
confidence = "MEDIUM"
version = "1.0"
events:
$e.metadata.event_type = "FILE_CREATION"
(
re.regex($e.target.file.full_path, `(?i)\.exe$`) or
re.regex($e.target.file.full_path, `(?i)\.dll$`) or
re.regex($e.target.file.full_path, `(?i)\.sys$`)
)
not re.regex($e.target.file.full_path, `(?i)^C:\\Windows\\`)
not re.regex($e.target.file.full_path, `(?i)^C:\\Program Files\\`)
not re.regex($e.target.file.full_path, `(?i)^C:\\Program Files \(x86\)\\`)
$e.target.file.size > 52428800
condition:
$e
}Chronicle YARA-L 2.0 rule detecting PE file creation events (FILE_CREATION) exceeding 50MB outside trusted Windows system directories. Uses UDM target.file.size (in bytes) and full_path regex matching to identify binary padding activity. Ingestion sources include Windows endpoint telemetry forwarded via Sysmon, Microsoft Defender for Endpoint, or Carbon Black through Chronicle's ingestion pipeline. File size of 52,428,800 bytes equals 50MB.
Data Sources
Required Tables
False Positives & Tuning
- Large legitimate software packages or self-contained single-binary executables written to user download directories by sanctioned installation workflows (e.g., JetBrains IDE installers, Oracle JDK bundles)
- Development and CI/CD build artifacts containing debug symbols or statically linked dependencies exceeding 50MB written to build output directories outside Program Files
- Security tooling and forensic utilities (disk imagers, memory acquisition tools) writing large binary captures or agent executables to analysis or tool directories
Other platforms for T1027.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Inflate Executable with Null Bytes using fsutil
Expected signal: Sysmon Event ID 11: File Create for padded_calc.exe in %TEMP%. Sysmon Event ID 1: Process Create for fsutil.exe with 'file seteof' command. Security Event ID 4688 (if enabled): fsutil.exe execution. The file hash of padded_calc.exe will differ from the original calc.exe hash.
- Test 2Append Random Bytes to Binary Using PowerShell
Expected signal: Sysmon Event ID 11: File Create for padded_notepad.exe. PowerShell Script Block Logging Event ID 4104 with the Add-Content and RandomNumberGenerator commands. The file will be approximately original size + 10MB.
- Test 3Binary Padding with DD Command on Linux
Expected signal: Syslog/auditd: execve syscall for cp and dd commands with their arguments. File creation event for /tmp/padded_ls. The file will be approximately 20MB larger than the original /bin/ls. The SHA256 hash will differ from the original.
- Test 4Verify Hash Change After Padding
Expected signal: Sysmon Event ID 1: certutil.exe process creation with '-hashfile' argument (twice). Sysmon Event ID 11: File modification of test_calc.exe. The two certutil executions will produce different SHA256 hashes, demonstrating the hash change.
References (6)
- https://attack.mitre.org/techniques/T1027/001/
- https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/
- https://securelist.com/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/78010/
- https://www.virustotal.com/en/faq/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md
- https://www.mandiant.com/resources/blog/golang-internals-symbol-recovery
Unlock Pro Content
Get the full detection package for T1027.001 including response playbook, investigation guide, and atomic red team tests.