T1027.001 IBM QRadar · QRadar

Detect Binary Padding in IBM QRadar

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures. Known threat actors including APT29, Kimsuky, Emotet, QakBot, Black Basta, and Akira have employed this technique to inflate file sizes and change file hashes.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1027 Obfuscated Files or Information
Sub-technique
T1027.001 Binary Padding
Canonical reference
https://attack.mitre.org/techniques/T1027/001/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  username AS UserName,
  "TargetFilename",
  LONG("FileSize") AS FileSizeBytes,
  LONG("FileSize") / 1048576 AS FileSizeMB,
  "Image" AS WritingProcess,
  "CommandLine",
  "Hashes"
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
  AND QIDNAME(qid) ILIKE '%File Create%'
  AND (
    "TargetFilename" ILIKE '%.exe'
    OR "TargetFilename" ILIKE '%.dll'
    OR "TargetFilename" ILIKE '%.sys'
  )
  AND LONG("FileSize") > 52428800
  AND "TargetFilename" NOT ILIKE 'C:\\Windows\\%'
  AND "TargetFilename" NOT ILIKE 'C:\\Program Files\\%'
  AND "TargetFilename" NOT ILIKE 'C:\\Program Files (x86)\\%'
  AND devicetime > DATEADD('hour', -24, NOW())
ORDER BY FileSizeBytes DESC
LIMIT 500
medium severity medium confidence

Detects oversized PE file creation (>50MB) via Sysmon EventCode 11 (FileCreate) in IBM QRadar AQL. Queries the events table scoped to Sysmon log sources, filtering for .exe/.dll/.sys files exceeding 50MB outside trusted system directories. Uses LONG() casting for reliable numeric comparison of the FileSize custom property extracted by the Sysmon DSM. Binary padding (T1027.001) is used by threat actors to change file hashes and evade file-size-limited AV scanners.

Data Sources

IBM QRadar SIEMMicrosoft Sysmon via QRadar Windows Custom Properties DSMQRadar Log Source Extension for Sysmon

Required Tables

events

False Positives & Tuning

  • Enterprise patch management solutions (SCCM, Ivanti) writing large application update binaries to local staging directories before moving them to final installation paths under Program Files
  • Software developers building large debug-mode executables with embedded PDB symbols and statically linked runtime libraries, writing output to project build directories outside system paths
  • Security research or malware analysis environments where large benign test samples are written to sandboxed analysis directories by orchestration tooling
Download portable Sigma rule (.yml)

Other platforms for T1027.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Inflate Executable with Null Bytes using fsutil

    Expected signal: Sysmon Event ID 11: File Create for padded_calc.exe in %TEMP%. Sysmon Event ID 1: Process Create for fsutil.exe with 'file seteof' command. Security Event ID 4688 (if enabled): fsutil.exe execution. The file hash of padded_calc.exe will differ from the original calc.exe hash.

  2. Test 2Append Random Bytes to Binary Using PowerShell

    Expected signal: Sysmon Event ID 11: File Create for padded_notepad.exe. PowerShell Script Block Logging Event ID 4104 with the Add-Content and RandomNumberGenerator commands. The file will be approximately original size + 10MB.

  3. Test 3Binary Padding with DD Command on Linux

    Expected signal: Syslog/auditd: execve syscall for cp and dd commands with their arguments. File creation event for /tmp/padded_ls. The file will be approximately 20MB larger than the original /bin/ls. The SHA256 hash will differ from the original.

  4. Test 4Verify Hash Change After Padding

    Expected signal: Sysmon Event ID 1: certutil.exe process creation with '-hashfile' argument (twice). Sysmon Event ID 11: File modification of test_calc.exe. The two certutil executions will produce different SHA256 hashes, demonstrating the hash change.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1027.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1027Obfuscated Files or Information

Related Sub-techniques

T1027.002Software PackingT1027.003SteganographyT1027.004Compile After DeliveryT1027.005Indicator Removal from ToolsT1027.006HTML SmugglingT1027.007Dynamic API ResolutionT1027.008Stripped PayloadsT1027.009Embedded PayloadsT1027.010Command ObfuscationT1027.011Fileless StorageT1027.012LNK Icon SmugglingT1027.013Encrypted/Encoded FileT1027.014Polymorphic CodeT1027.015CompressionT1027.016Junk Code InsertionT1027.017SVG Smuggling

Related Techniques

T1027Obfuscated Files or InformationT1027.002Software PackingT1027.005Indicator Removal from ToolsT1027.013Encrypted/Encoded FileT1566.001Spearphishing AttachmentT1204.002Malicious FileT1140Deobfuscate/Decode Files or Information

Same Tactic: Defense Evasion

Popular Detections