T1027.001 Microsoft Sentinel · KQL

Detect Binary Padding in Microsoft Sentinel

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures. Known threat actors including APT29, Kimsuky, Emotet, QakBot, Black Basta, and Akira have employed this technique to inflate file sizes and change file hashes.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1027 Obfuscated Files or Information
Sub-technique
T1027.001 Binary Padding
Canonical reference
https://attack.mitre.org/techniques/T1027/001/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let LargePEThresholdMB = 50;
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where FileName endswith ".exe" or FileName endswith ".dll" or FileName endswith ".sys"
| where FileSize > (LargePEThresholdMB * 1024 * 1024)
| join kind=leftouter (
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | project DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, SHA256
) on DeviceName
| where FolderPath !startswith "C:\\Windows\\"
    and FolderPath !startswith "C:\\Program Files\\"
    and FolderPath !startswith "C:\\Program Files (x86)\\"
| project Timestamp, DeviceName, FolderPath, FileName, FileSize,
         InitiatingProcessFileName, InitiatingProcessCommandLine, SHA256
| extend FileSizeMB = round(toreal(FileSize) / (1024*1024), 1)
| sort by FileSizeMB desc
medium severity medium confidence

Detects unusually large PE files (executables, DLLs, drivers) created in non-standard locations using Microsoft Defender for Endpoint DeviceFileEvents. Adversaries pad binaries to exceed AV scanning size limits (e.g., VirusTotal's 650MB cap) and change file hashes. Focuses on files dropped outside standard Windows/Program Files directories, which is where legitimate oversized binaries rarely appear. FileSize threshold set at 50MB; tune upward in environments with large legitimate installers.

Data Sources

File: File CreationMicrosoft Defender for Endpoint

Required Tables

DeviceFileEventsDeviceProcessEvents

False Positives & Tuning

  • Large legitimate software installers (e.g., game installers, IDE packages, database engines) dropped in temp or user directories during installation
  • Backup or archive tools writing large consolidated files that happen to use .exe or .dll extensions
  • Software development workflows where compiled binaries with debug symbols legitimately exceed size thresholds
  • Container or VM image export utilities writing large binary blobs with executable extensions
Download portable Sigma rule (.yml)

Other platforms for T1027.001

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Inflate Executable with Null Bytes using fsutil

    Expected signal: Sysmon Event ID 11: File Create for padded_calc.exe in %TEMP%. Sysmon Event ID 1: Process Create for fsutil.exe with 'file seteof' command. Security Event ID 4688 (if enabled): fsutil.exe execution. The file hash of padded_calc.exe will differ from the original calc.exe hash.

  2. Test 2Append Random Bytes to Binary Using PowerShell

    Expected signal: Sysmon Event ID 11: File Create for padded_notepad.exe. PowerShell Script Block Logging Event ID 4104 with the Add-Content and RandomNumberGenerator commands. The file will be approximately original size + 10MB.

  3. Test 3Binary Padding with DD Command on Linux

    Expected signal: Syslog/auditd: execve syscall for cp and dd commands with their arguments. File creation event for /tmp/padded_ls. The file will be approximately 20MB larger than the original /bin/ls. The SHA256 hash will differ from the original.

  4. Test 4Verify Hash Change After Padding

    Expected signal: Sysmon Event ID 1: certutil.exe process creation with '-hashfile' argument (twice). Sysmon Event ID 11: File modification of test_calc.exe. The two certutil executions will produce different SHA256 hashes, demonstrating the hash change.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1027.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1027Obfuscated Files or Information

Related Sub-techniques

T1027.002Software PackingT1027.003SteganographyT1027.004Compile After DeliveryT1027.005Indicator Removal from ToolsT1027.006HTML SmugglingT1027.007Dynamic API ResolutionT1027.008Stripped PayloadsT1027.009Embedded PayloadsT1027.010Command ObfuscationT1027.011Fileless StorageT1027.012LNK Icon SmugglingT1027.013Encrypted/Encoded FileT1027.014Polymorphic CodeT1027.015CompressionT1027.016Junk Code InsertionT1027.017SVG Smuggling

Related Techniques

T1027Obfuscated Files or InformationT1027.002Software PackingT1027.005Indicator Removal from ToolsT1027.013Encrypted/Encoded FileT1566.001Spearphishing AttachmentT1204.002Malicious FileT1140Deobfuscate/Decode Files or Information

Same Tactic: Defense Evasion

Popular Detections