T1027.001 Splunk · SPL

Detect Binary Padding in Splunk

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures. Known threat actors including APT29, Kimsuky, Emotet, QakBot, Black Basta, and Akira have employed this technique to inflate file sizes and change file hashes.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1027 Obfuscated Files or Information
Sub-technique
T1027.001 Binary Padding
Canonical reference
https://attack.mitre.org/techniques/T1027/001/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
  (TargetFilename="*.exe" OR TargetFilename="*.dll" OR TargetFilename="*.sys")
  NOT (TargetFilename="C:\\Windows\\*" OR TargetFilename="C:\\Program Files\\*" OR TargetFilename="C:\\Program Files (x86)\\*")
| eval FileSizeBytes=coalesce(file_size, 0)
| eval FileSizeMB=round(FileSizeBytes/1048576, 1)
| where FileSizeMB > 50
| table _time, host, User, TargetFilename, FileSizeMB, Image, CommandLine
| sort - FileSizeMB
medium severity medium confidence

Detects creation of large PE files outside standard system directories using Sysmon Event ID 11 (File Create). Sysmon can be configured to log file sizes for created files. Filters for executables and DLLs exceeding 50MB created in user-writable paths, which is anomalous for most endpoint environments. Adversaries inflate binary sizes to evade AV tools with hard file size scanning limits.

Data Sources

File: File CreationSysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Large legitimate software installers dropped in user temp directories during staged installation processes
  • Developer workstations building and testing large applications with debug symbols included
  • Backup agents writing large archive files with executable-like extensions
  • Software update packages that bundle multiple components into a single large binary
Download portable Sigma rule (.yml)

Other platforms for T1027.001

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Inflate Executable with Null Bytes using fsutil

    Expected signal: Sysmon Event ID 11: File Create for padded_calc.exe in %TEMP%. Sysmon Event ID 1: Process Create for fsutil.exe with 'file seteof' command. Security Event ID 4688 (if enabled): fsutil.exe execution. The file hash of padded_calc.exe will differ from the original calc.exe hash.

  2. Test 2Append Random Bytes to Binary Using PowerShell

    Expected signal: Sysmon Event ID 11: File Create for padded_notepad.exe. PowerShell Script Block Logging Event ID 4104 with the Add-Content and RandomNumberGenerator commands. The file will be approximately original size + 10MB.

  3. Test 3Binary Padding with DD Command on Linux

    Expected signal: Syslog/auditd: execve syscall for cp and dd commands with their arguments. File creation event for /tmp/padded_ls. The file will be approximately 20MB larger than the original /bin/ls. The SHA256 hash will differ from the original.

  4. Test 4Verify Hash Change After Padding

    Expected signal: Sysmon Event ID 1: certutil.exe process creation with '-hashfile' argument (twice). Sysmon Event ID 11: File modification of test_calc.exe. The two certutil executions will produce different SHA256 hashes, demonstrating the hash change.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1027.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1027Obfuscated Files or Information

Related Sub-techniques

T1027.002Software PackingT1027.003SteganographyT1027.004Compile After DeliveryT1027.005Indicator Removal from ToolsT1027.006HTML SmugglingT1027.007Dynamic API ResolutionT1027.008Stripped PayloadsT1027.009Embedded PayloadsT1027.010Command ObfuscationT1027.011Fileless StorageT1027.012LNK Icon SmugglingT1027.013Encrypted/Encoded FileT1027.014Polymorphic CodeT1027.015CompressionT1027.016Junk Code InsertionT1027.017SVG Smuggling

Related Techniques

T1027Obfuscated Files or InformationT1027.002Software PackingT1027.005Indicator Removal from ToolsT1027.013Encrypted/Encoded FileT1566.001Spearphishing AttachmentT1204.002Malicious FileT1140Deobfuscate/Decode Files or Information

Same Tactic: Defense Evasion

Popular Detections