T1027.001 Sumo Logic CSE · Sumo

Detect Binary Padding in Sumo Logic CSE

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures. Known threat actors including APT29, Kimsuky, Emotet, QakBot, Black Basta, and Akira have employed this technique to inflate file sizes and change file hashes.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1027 Obfuscated Files or Information
Sub-technique
T1027.001 Binary Padding
Canonical reference
https://attack.mitre.org/techniques/T1027/001/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=*windows*sysmon* OR _sourceCategory=*sysmon*
| where EventCode == "11"
| where TargetFilename matches /\.(exe|dll|sys)$/i
| where !(TargetFilename matches /^C:\\Windows\\/i)
    and !(TargetFilename matches /^C:\\Program Files\\/i)
    and !(TargetFilename matches /^C:\\Program Files \(x86\)\\/i)
| where isNumeric(file_size)
| eval FileSizeBytes = toLong(file_size)
| eval FileSizeMB = round(FileSizeBytes / 1048576, 1)
| where FileSizeMB > 50
| fields _messageTime, Computer, User, TargetFilename, FileSizeMB, Image, CommandLine, Hashes
| sort by FileSizeMB desc
medium severity medium confidence

Detects large PE binary creation events (>50MB) via Sysmon EventCode 11 in Sumo Logic. Parses file_size as a numeric field and filters for .exe, .dll, and .sys files written outside trusted Windows system paths. Binary padding (T1027.001) is used by multiple threat actor groups to inflate executable size, change file hashes, and evade static signature detection. The Hashes field is included to enable downstream threat intelligence correlation.

Data Sources

Sumo Logic Installed Collector (Windows)Windows Sysmon Operational Event LogSumo Logic Cloud-to-Cloud Windows Event Log Source

Required Tables

Windows Sysmon Operational Log (EventCode 11) via Sumo Logic Collector

False Positives & Tuning

  • Large game client executables or self-extracting archives written to user profile directories by gaming platforms (Steam, Epic Games Launcher, Battle.net) during installation or update
  • Portable application bundles that embed runtimes (Electron apps, .NET single-file executables) written to user-controlled directories without going through Program Files
  • IT automation agents performing software inventory or compliance scans that write large temporary executable copies to scan staging directories
Download portable Sigma rule (.yml)

Other platforms for T1027.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Inflate Executable with Null Bytes using fsutil

    Expected signal: Sysmon Event ID 11: File Create for padded_calc.exe in %TEMP%. Sysmon Event ID 1: Process Create for fsutil.exe with 'file seteof' command. Security Event ID 4688 (if enabled): fsutil.exe execution. The file hash of padded_calc.exe will differ from the original calc.exe hash.

  2. Test 2Append Random Bytes to Binary Using PowerShell

    Expected signal: Sysmon Event ID 11: File Create for padded_notepad.exe. PowerShell Script Block Logging Event ID 4104 with the Add-Content and RandomNumberGenerator commands. The file will be approximately original size + 10MB.

  3. Test 3Binary Padding with DD Command on Linux

    Expected signal: Syslog/auditd: execve syscall for cp and dd commands with their arguments. File creation event for /tmp/padded_ls. The file will be approximately 20MB larger than the original /bin/ls. The SHA256 hash will differ from the original.

  4. Test 4Verify Hash Change After Padding

    Expected signal: Sysmon Event ID 1: certutil.exe process creation with '-hashfile' argument (twice). Sysmon Event ID 11: File modification of test_calc.exe. The two certutil executions will produce different SHA256 hashes, demonstrating the hash change.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1027.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1027Obfuscated Files or Information

Related Sub-techniques

T1027.002Software PackingT1027.003SteganographyT1027.004Compile After DeliveryT1027.005Indicator Removal from ToolsT1027.006HTML SmugglingT1027.007Dynamic API ResolutionT1027.008Stripped PayloadsT1027.009Embedded PayloadsT1027.010Command ObfuscationT1027.011Fileless StorageT1027.012LNK Icon SmugglingT1027.013Encrypted/Encoded FileT1027.014Polymorphic CodeT1027.015CompressionT1027.016Junk Code InsertionT1027.017SVG Smuggling

Related Techniques

T1027Obfuscated Files or InformationT1027.002Software PackingT1027.005Indicator Removal from ToolsT1027.013Encrypted/Encoded FileT1566.001Spearphishing AttachmentT1204.002Malicious FileT1140Deobfuscate/Decode Files or Information

Same Tactic: Defense Evasion

Popular Detections