T1027.001 CrowdStrike LogScale · LogScale

Detect Binary Padding in CrowdStrike LogScale

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures. Known threat actors including APT29, Kimsuky, Emotet, QakBot, Black Basta, and Akira have employed this technique to inflate file sizes and change file hashes.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1027 Obfuscated Files or Information
Sub-technique
T1027.001 Binary Padding
Canonical reference
https://attack.mitre.org/techniques/T1027/001/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName = "NewExecutableWritten"
| TargetFileName = /\.(exe|dll|sys)$/i
| TargetFileName != /^C:\\Windows\\/i
| TargetFileName != /^C:\\Program Files\\/i
| TargetFileName != /^C:\\Program Files \(x86\)\\/i
| where(FileSize > 52428800)
| eval(FileSizeMB := round(FileSize / 1048576, 1))
| select([ComputerName, UserName, TargetFileName, FileSize, FileSizeMB, ImageFileName, SHA256HashData, CommandLine, ParentBaseFileName])
| sort(FileSizeMB, order=desc)
medium severity medium confidence

Detects creation of large PE executables (>50MB) outside trusted Windows system directories using CrowdStrike Falcon's NewExecutableWritten telemetry in LogScale. The NewExecutableWritten event fires when the Falcon sensor observes a new executable file written to disk. FileSize is filtered at 52,428,800 bytes (50MB). SHA256HashData enables threat intelligence enrichment. ParentBaseFileName helps identify the process chain responsible for writing the padded binary, consistent with T1027.001 tradecraft.

Data Sources

CrowdStrike Falcon EDRCrowdStrike LogScale (Humio)Falcon Sensor Endpoint Telemetry

Required Tables

Falcon Telemetry (NewExecutableWritten event_simpleName)

False Positives & Tuning

  • Large portable applications bundled as self-contained executables (Electron-based apps, single-file .NET 6+ publishes) written to user profile directories during first-run extraction by a browser or download manager
  • Software development toolchains writing large compiled output binaries with full debug information to project-local build directories not under Program Files
  • IT management and endpoint deployment tools (Tanium, BigFix) writing large software payloads to temporary staging directories before final installation
Download portable Sigma rule (.yml)

Other platforms for T1027.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Inflate Executable with Null Bytes using fsutil

    Expected signal: Sysmon Event ID 11: File Create for padded_calc.exe in %TEMP%. Sysmon Event ID 1: Process Create for fsutil.exe with 'file seteof' command. Security Event ID 4688 (if enabled): fsutil.exe execution. The file hash of padded_calc.exe will differ from the original calc.exe hash.

  2. Test 2Append Random Bytes to Binary Using PowerShell

    Expected signal: Sysmon Event ID 11: File Create for padded_notepad.exe. PowerShell Script Block Logging Event ID 4104 with the Add-Content and RandomNumberGenerator commands. The file will be approximately original size + 10MB.

  3. Test 3Binary Padding with DD Command on Linux

    Expected signal: Syslog/auditd: execve syscall for cp and dd commands with their arguments. File creation event for /tmp/padded_ls. The file will be approximately 20MB larger than the original /bin/ls. The SHA256 hash will differ from the original.

  4. Test 4Verify Hash Change After Padding

    Expected signal: Sysmon Event ID 1: certutil.exe process creation with '-hashfile' argument (twice). Sysmon Event ID 11: File modification of test_calc.exe. The two certutil executions will produce different SHA256 hashes, demonstrating the hash change.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1027.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1027Obfuscated Files or Information

Related Sub-techniques

T1027.002Software PackingT1027.003SteganographyT1027.004Compile After DeliveryT1027.005Indicator Removal from ToolsT1027.006HTML SmugglingT1027.007Dynamic API ResolutionT1027.008Stripped PayloadsT1027.009Embedded PayloadsT1027.010Command ObfuscationT1027.011Fileless StorageT1027.012LNK Icon SmugglingT1027.013Encrypted/Encoded FileT1027.014Polymorphic CodeT1027.015CompressionT1027.016Junk Code InsertionT1027.017SVG Smuggling

Related Techniques

T1027Obfuscated Files or InformationT1027.002Software PackingT1027.005Indicator Removal from ToolsT1027.013Encrypted/Encoded FileT1566.001Spearphishing AttachmentT1204.002Malicious FileT1140Deobfuscate/Decode Files or Information

Same Tactic: Defense Evasion

Popular Detections