T1027.016

Junk Code Insertion

Adversaries may insert junk code or dead code into malware to obfuscate its functionality, hinder static analysis, and evade signature-based detections. Junk code includes NOP (No-Operation) sleds, dummy API calls, excessive mathematical operations, infinite loops that are never reached, and random garbage instructions interspersed between legitimate code. Unlike Binary Padding (T1027.001), which changes file size/hash, junk code insertion specifically targets analyst workflow and automated analysis engines. Real-world actors including Maze ransomware, FIN7, Gamaredon Group, APT32, Kimsuky, and StrelaStealer have employed this technique.

Microsoft Sentinel / Defender

kusto

// T1027.016 - Junk Code Insertion Detection
// Detects behavioral and artifact indicators of binaries using junk code obfuscation
// Primary signals: high entropy PE files, unusual section characteristics, sandbox evasion patterns
let SuspiciousParents = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"]);
let KnownPackerSections = dynamic([".ndata", ".MPRESS", ".petite", ".pec", "UPX0", "UPX1", ".rsrc"]);
// Signal 1: Newly created executables with suspicious section names written by Office or script interpreters
let NewExecutablesFromSuspiciousParents = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FileName endswith ".exe" or FileName endswith ".dll" or FileName endswith ".scr"
| where InitiatingProcessFileName has_any (SuspiciousParents)
| project Timestamp, DeviceName, AccountName, FolderPath, FileName,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         SHA256, FileSize, Signal="NewExeFromSuspiciousParent";
// Signal 2: Processes with very high CPU usage and low network/file activity (junk computation loops)
let HighCPULowIO = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessVersionInfoCompanyName == "" or isnull(ProcessVersionInfoCompanyName)
| where ProcessVersionInfoProductName == "" or isnull(ProcessVersionInfoProductName)
| where not (FolderPath has_any (@"C:\Windows\System32", @"C:\Windows\SysWOW64", @"C:\Program Files", @"C:\Program Files (x86)"))
| where FileName endswith ".exe" or FileName endswith ".scr"
| project Timestamp, DeviceName, AccountName, FolderPath, FileName,
         ProcessCommandLine, InitiatingProcessFileName,
         InitiatingProcessCommandLine, SHA256, ProcessId,
         Signal="UnsignedBinaryNoVersionInfo";
// Signal 3: Script files with excessive concatenation/padding patterns indicating junk string insertion
let SuspiciousScriptExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe")
| where ProcessCommandLine matches regex @"(\+\s*['"][a-zA-Z0-9]{1,3}['"]\s*){5,}"
    or ProcessCommandLine matches regex @"([Cc]hr\([0-9]+\)\s*[&\+]\s*){5,}"
    or ProcessCommandLine matches regex @"(String\.Concat|\[string\]::join).*(['"][a-zA-Z]{1,2}['"].*){10,}"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         SHA256, Signal="ExcessiveStringConcatenation";
// Signal 4: Execution from temp/user directories with no digital signature indicators
let TempDirExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FolderPath has_any (@"\Temp\\", @"\AppData\Local\\", @"\AppData\Roaming\\", @"\Downloads\\", @"\Users\Public\")
| where FileName endswith ".exe" or FileName endswith ".scr" or FileName endswith ".com"
| where ProcessVersionInfoCompanyName == "" or isnull(ProcessVersionInfoCompanyName)
| where InitiatingProcessFileName has_any (SuspiciousParents)
| project Timestamp, DeviceName, AccountName, FolderPath, FileName,
         ProcessCommandLine, InitiatingProcessFileName,
         InitiatingProcessCommandLine, SHA256, Signal="UnsignedTempDirExecution";
// Combine all signals
NewExecutablesFromSuspiciousParents
| union HighCPULowIO
| union SuspiciousScriptExecution
| union TempDirExecution
| summarize Signals=make_set(Signal), AlertCount=count(),
           EarliestActivity=min(Timestamp), LatestActivity=max(Timestamp),
           CommandLines=make_set(ProcessCommandLine, 5),
           Hashes=make_set(SHA256, 5)
   by DeviceName, AccountName, FileName, FolderPath, InitiatingProcessFileName
| extend SignalCount = array_length(Signals)
| where SignalCount >= 1
| sort by SignalCount desc, AlertCount desc

medium severity low confidence

Data Sources

File: File Creation Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents DeviceProcessEvents

False Positives

Legitimate software installers that extract temporary executables to %TEMP% directories during installation (e.g., NSIS, Inno Setup installers)
Developer tools and build systems (MSBuild, Roslyn compilers) generating intermediate binaries without version metadata in temp directories
Scripting automation tools using heavy string concatenation for legitimate data manipulation or template generation
Third-party software lacking version information metadata (many open-source or legacy applications omit this field)
Security testing tools and penetration testing frameworks that intentionally lack signatures

Splunk

spl

| union
[
  search index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
    (TargetFilename="*.exe" OR TargetFilename="*.dll" OR TargetFilename="*.scr")
    (Image="*\\winword.exe" OR Image="*\\excel.exe" OR Image="*\\powerpnt.exe"
     OR Image="*\\outlook.exe" OR Image="*\\mshta.exe" OR Image="*\\wscript.exe"
     OR Image="*\\cscript.exe" OR Image="*\\cmd.exe" OR Image="*\\rundll32.exe")
  | eval Signal="NewExeFromSuspiciousParent"
  | eval TargetPath=TargetFilename
  | table _time, host, User, Image, TargetFilename, Hashes, Signal
]
[
  search index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (Image="*\\Temp\\*" OR Image="*\\AppData\\Local\\*" OR Image="*\\AppData\\Roaming\\*"
     OR Image="*\\Downloads\\*" OR Image="*\\Users\\Public\\*")
    (Image="*.exe" OR Image="*.scr" OR Image="*.com")
    (ParentImage="*\\winword.exe" OR ParentImage="*\\excel.exe" OR ParentImage="*\\powerpnt.exe"
     OR ParentImage="*\\mshta.exe" OR ParentImage="*\\wscript.exe" OR ParentImage="*\\cscript.exe")
  | eval Signal="UnsignedTempDirExecution"
  | eval TargetPath=Image
  | table _time, host, User, Image, CommandLine, ParentImage, Hashes, Signal
]
[
  search index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\wscript.exe"
     OR Image="*\\cscript.exe" OR Image="*\\cmd.exe")
  | eval cmdlow=lower(CommandLine)
  | where match(cmdlow, "(chr\\(\\d+\\)(\\s*[&+]\\s*chr\\(\\d+\\)){4,})")
     OR match(cmdlow, "(\\+\\s*['\"][a-zA-Z0-9]{1,3}['\"]\\s*){5,}")
     OR match(cmdlow, "(string\\.concat|\\[string\\]::join)")
  | eval Signal="ExcessiveStringConcatenation"
  | eval TargetPath=Image
  | table _time, host, User, Image, CommandLine, ParentImage, Hashes, Signal
]
| stats values(Signal) as Signals, count as AlertCount,
        earliest(_time) as EarliestActivity, latest(_time) as LatestActivity,
        values(CommandLine) as CommandLines, values(Hashes) as FileHashes
  by host, User, Image
| eval SignalCount=mvcount(Signals)
| where SignalCount >= 1
| eval RiskScore=case(
    SignalCount >= 3, "High",
    SignalCount == 2, "Medium",
    SignalCount == 1, "Low"
  )
| table _time, host, User, Image, Signals, SignalCount, RiskScore, AlertCount, EarliestActivity, LatestActivity, CommandLines, FileHashes
| sort - SignalCount AlertCount

medium severity low confidence

Data Sources

File: File Creation Process: Process Creation Sysmon Event ID 1 Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate software installers that extract temporary executables to %TEMP% directories during installation (e.g., NSIS, Inno Setup installers)
Developer tools and build systems (MSBuild, Roslyn compilers) generating intermediate binaries without version metadata in temp directories
Scripting automation tools using heavy string concatenation for legitimate data manipulation or template generation
Third-party software lacking version information metadata (many open-source or legacy applications omit this field)
Security testing tools and penetration testing frameworks that intentionally lack signatures

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  "username" AS Username,
  "hostname" AS Hostname,
  "FileName" AS ProcessName,
  "CommandLine" AS CommandLine,
  "ParentProcessName" AS ParentProcess,
  "FilePath" AS FilePath,
  CATEGORYNAME(category) AS Category,
  logsourcetypeid AS LogSourceType,
  COUNT(*) AS SignalCount,
  ARRAY_AGG(QIDNAME(qid)) AS SignalTypes
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 396)
  AND starttime > NOW() - 86400 SECONDS
  AND (
    -- Signal 1: Executable created by Office/script interpreter (Sysmon EID 11)
    (qid = (SELECT qid FROM QidMap WHERE QIDNAME = 'SysmonFileCreate') AND
     ("TargetFilename" ILIKE '%.exe' OR "TargetFilename" ILIKE '%.dll' OR "TargetFilename" ILIKE '%.scr') AND
     ("Image" ILIKE '%\\winword.exe' OR "Image" ILIKE '%\\excel.exe' OR "Image" ILIKE '%\\powerpnt.exe'
      OR "Image" ILIKE '%\\outlook.exe' OR "Image" ILIKE '%\\mshta.exe' OR "Image" ILIKE '%\\wscript.exe'
      OR "Image" ILIKE '%\\cscript.exe' OR "Image" ILIKE '%\\cmd.exe' OR "Image" ILIKE '%\\rundll32.exe'))
    OR
    -- Signal 2: Unsigned binary executing from temp/writable dirs spawned by suspicious parent (Sysmon EID 1)
    (qid = (SELECT qid FROM QidMap WHERE QIDNAME = 'SysmonProcessCreate') AND
     ("Image" ILIKE '%\\Temp\\%' OR "Image" ILIKE '%\\AppData\\Local\\%' OR "Image" ILIKE '%\\AppData\\Roaming\\%'
      OR "Image" ILIKE '%\\Downloads\\%' OR "Image" ILIKE '%\\Users\\Public\\%') AND
     ("Image" ILIKE '%.exe' OR "Image" ILIKE '%.scr' OR "Image" ILIKE '%.com') AND
     ("ParentImage" ILIKE '%\\winword.exe' OR "ParentImage" ILIKE '%\\excel.exe' OR "ParentImage" ILIKE '%\\mshta.exe'
      OR "ParentImage" ILIKE '%\\wscript.exe' OR "ParentImage" ILIKE '%\\cscript.exe'))
    OR
    -- Signal 3: Script interpreter with excessive string concat patterns (Sysmon EID 1)
    (qid = (SELECT qid FROM QidMap WHERE QIDNAME = 'SysmonProcessCreate') AND
     ("Image" ILIKE '%\\powershell.exe' OR "Image" ILIKE '%\\pwsh.exe' OR "Image" ILIKE '%\\wscript.exe'
      OR "Image" ILIKE '%\\cscript.exe' OR "Image" ILIKE '%\\cmd.exe') AND
     (LOWER("CommandLine") MATCHES '.*chr\\(\\d+\\)(\\s*[&+]\\s*chr\\(\\d+\\)){4,}.*'
      OR LOWER("CommandLine") MATCHES '.*(\\+\\s*[a-z0-9]{1,3}\\s*){5,}.*'
      OR LOWER("CommandLine") MATCHES '.*(string\\.concat|\\[string\\]::join).*'))
  )
GROUP BY
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss'), sourceip, "username", "hostname",
  "FileName", "CommandLine", "ParentProcessName", "FilePath", CATEGORYNAME(category), logsourcetypeid
HAVING COUNT(*) >= 1
ORDER BY SignalCount DESC, EventTime DESC
LIMIT 500

high severity medium confidence

Data Sources

IBM QRadar with Sysmon log source Windows Security Event log source QRadar Universal DSM for Windows

Required Tables

events

False Positives

Legitimate software deployment tools (SCCM, PDQ Deploy) that write executables to temp directories
Build pipelines or CI agents running on Windows workstations that compile and execute binaries from temp locations
IT automation scripts using PowerShell with extensive string operations for configuration tasks
Scripted application installers that use mshta.exe or wscript.exe as part of their setup process

Sumo Logic CSE

sql

// T1027.016 Junk Code Insertion - Sumo Logic CSE Detection
// Signal 1: Executable created by suspicious parent process
(_sourceCategory="*sysmon*" OR _sourceCategory="*windows*")
| where EventID = "11"
| where (TargetFilename endswith ".exe" OR TargetFilename endswith ".dll" OR TargetFilename endswith ".scr")
| where (Image matches "*\\winword.exe" OR Image matches "*\\excel.exe" OR Image matches "*\\powerpnt.exe"
         OR Image matches "*\\outlook.exe" OR Image matches "*\\mshta.exe" OR Image matches "*\\wscript.exe"
         OR Image matches "*\\cscript.exe" OR Image matches "*\\cmd.exe" OR Image matches "*\\rundll32.exe"
         OR Image matches "*\\regsvr32.exe")
| fields _time, Computer, User, Image, TargetFilename, Hashes
| withtime _time
| count_distinct(TargetFilename) as FileCount, values(Hashes) as Hashes by Computer, User, Image
| where FileCount >= 1
| eval Signal = "NewExeFromSuspiciousParent"

// Signal 2: Script process with junk string concatenation patterns
// Run separately and union
(_sourceCategory="*sysmon*" OR _sourceCategory="*windows*")
| where EventID = "1"
| where (Image matches "*\\powershell.exe" OR Image matches "*\\pwsh.exe"
         OR Image matches "*\\wscript.exe" OR Image matches "*\\cscript.exe" OR Image matches "*\\cmd.exe")
| where (CommandLine matches /(?i)(chr\(\d+\)(\s*[&+]\s*chr\(\d+\)){4,})/
         OR CommandLine matches /(\+\s*['"]{1}[a-zA-Z0-9]{1,3}['"]{1}\s*){5,}/
         OR CommandLine matches /(?i)(string\.concat|\[string\]::join)/)
| fields _time, Computer, User, Image, CommandLine, ParentImage, Hashes
| eval Signal = "ExcessiveStringConcatenation"
| count by Computer, User, Image, Signal

// Signal 3: Unsigned binary in temp/writable dir spawned by suspicious parent
(_sourceCategory="*sysmon*" OR _sourceCategory="*windows*")
| where EventID = "1"
| where (Image matches "*\\Temp\\*" OR Image matches "*\\AppData\\Local\\*"
         OR Image matches "*\\AppData\\Roaming\\*" OR Image matches "*\\Downloads\\*"
         OR Image matches "*\\Users\\Public\\*")
| where (Image matches "*.exe" OR Image matches "*.scr" OR Image matches "*.com")
| where (ParentImage matches "*\\winword.exe" OR ParentImage matches "*\\excel.exe"
         OR ParentImage matches "*\\powerpnt.exe" OR ParentImage matches "*\\mshta.exe"
         OR ParentImage matches "*\\wscript.exe" OR ParentImage matches "*\\cscript.exe")
| fields _time, Computer, User, Image, CommandLine, ParentImage, Hashes
| eval Signal = "UnsignedTempDirExecution"
| count by Computer, User, Image, Signal

// Aggregate and score across signals
| append [signals combined above via union in real deployment]
| stats count as AlertCount, values(Signal) as Signals, min(_time) as EarliestActivity,
        max(_time) as LatestActivity, values(CommandLine) as CommandLines, values(Hashes) as FileHashes
  by Computer, User, Image
| eval SignalCount = arraylength(Signals)
| where SignalCount >= 1
| eval RiskScore = if(SignalCount >= 3, "High", if(SignalCount == 2, "Medium", "Low"))
| sort by SignalCount desc, AlertCount desc

high severity medium confidence

Data Sources

Sumo Logic with Windows Sysmon collector Sumo Logic CSE (Cloud SIEM Enterprise) Windows Event Forwarder to Sumo Logic

Required Tables

Sysmon operational event log (_sourceCategory containing sysmon or windows)

False Positives

Legitimate packaged applications that extract and execute binaries from AppData during self-updating (Electron apps, Slack, VS Code)
Administrative PowerShell scripts performing string-heavy operations for configuration management or data transformation
Security scanning tools (e.g., vulnerability scanners) that drop temporary executables for assessment
Software development workflows where IDEs or build tools spawn compilers from temp directories

Google Chronicle / SecOps

yaral

rule t1027_016_junk_code_insertion {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1027.016 Junk Code Insertion via behavioral indicators: executable file creation by Office/script interpreters, unsigned binary execution from writable paths, and excessive string concatenation in script command lines"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1027.016"
    reference = "https://attack.mitre.org/techniques/T1027/016/"
    created = "2026-04-13"
    version = "1.0"

  events:
    // Signal 1: File creation event - executable dropped by suspicious parent
    $file_event.metadata.event_type = "FILE_CREATION"
    $file_event.principal.hostname = $hostname
    $file_event.principal.user.userid = $username
    (
      $file_event.target.file.full_path = /(?i)\.exe$/ or
      $file_event.target.file.full_path = /(?i)\.dll$/ or
      $file_event.target.file.full_path = /(?i)\.scr$/
    )
    (
      $file_event.principal.process.file.full_path = /(?i)\\winword\.exe$/ or
      $file_event.principal.process.file.full_path = /(?i)\\excel\.exe$/ or
      $file_event.principal.process.file.full_path = /(?i)\\powerpnt\.exe$/ or
      $file_event.principal.process.file.full_path = /(?i)\\outlook\.exe$/ or
      $file_event.principal.process.file.full_path = /(?i)\\mshta\.exe$/ or
      $file_event.principal.process.file.full_path = /(?i)\\wscript\.exe$/ or
      $file_event.principal.process.file.full_path = /(?i)\\cscript\.exe$/ or
      $file_event.principal.process.file.full_path = /(?i)\\cmd\.exe$/ or
      $file_event.principal.process.file.full_path = /(?i)\\rundll32\.exe$/ or
      $file_event.principal.process.file.full_path = /(?i)\\regsvr32\.exe$/
    )

    // Signal 2: Process launch from temp/writable dir with suspicious parent
    $proc_event.metadata.event_type = "PROCESS_LAUNCH"
    $proc_event.principal.hostname = $hostname
    $proc_event.principal.user.userid = $username
    (
      $proc_event.target.process.file.full_path = /(?i)\\Temp\\/ or
      $proc_event.target.process.file.full_path = /(?i)\\AppData\\Local\\/ or
      $proc_event.target.process.file.full_path = /(?i)\\AppData\\Roaming\\/ or
      $proc_event.target.process.file.full_path = /(?i)\\Downloads\\/ or
      $proc_event.target.process.file.full_path = /(?i)\\Users\\Public\\/
    )
    (
      $proc_event.target.process.file.full_path = /(?i)\.exe$/ or
      $proc_event.target.process.file.full_path = /(?i)\.scr$/ or
      $proc_event.target.process.file.full_path = /(?i)\.com$/
    )
    not $proc_event.target.process.file.full_path = /(?i)C:\\Windows\\(System32|SysWOW64)\\/
    (
      $proc_event.principal.process.file.full_path = /(?i)\\winword\.exe$/ or
      $proc_event.principal.process.file.full_path = /(?i)\\excel\.exe$/ or
      $proc_event.principal.process.file.full_path = /(?i)\\mshta\.exe$/ or
      $proc_event.principal.process.file.full_path = /(?i)\\wscript\.exe$/ or
      $proc_event.principal.process.file.full_path = /(?i)\\cscript\.exe$/
    )

  match:
    $hostname, $username over 1h

  condition:
    $file_event or $proc_event

  outcome:
    $risk_score = max(
      if($file_event.metadata.event_type = "FILE_CREATION", 40, 0) +
      if($proc_event.metadata.event_type = "PROCESS_LAUNCH", 50, 0)
    )
    $mitre_technique = "T1027.016"
    $file_path = array_distinct($file_event.target.file.full_path)
    $process_path = array_distinct($proc_event.target.process.file.full_path)
    $parent_process = array_distinct($proc_event.principal.process.file.full_path)
}

high severity medium confidence

Data Sources

Google Chronicle with Windows Sysmon UDM ingestion Chronicle Unified Data Model (UDM) events Google Chronicle with Microsoft Defender for Endpoint integration

Required Tables

UDM FILE_CREATION events UDM PROCESS_LAUNCH events

False Positives

Electron-based desktop applications (Teams, Slack, VS Code) that write and execute binaries from AppData directories during auto-update
Legitimate document-embedded macros used in approved business workflows that invoke helper executables
IT management tools that use Office automation to deploy or configure software
Security awareness training platforms that simulate phishing via Office macro execution

CrowdStrike LogScale (CQL)

cql

// T1027.016 Junk Code Insertion - CrowdStrike LogScale (Falcon)
// Signal 1: Executable written to disk by Office/script interpreter parent
#event_simpleName = WriteFile
| CommandLine = *
| ParentBaseFileName in ["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                         "mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe",
                         "rundll32.exe", "regsvr32.exe"]
| TargetFileName = /(?\.exe$|\.dll$|\.scr$)/i
| eval Signal = "NewExeFromSuspiciousParent"
| table([_timems, ComputerName, UserName, ParentBaseFileName, TargetFileName, SHA256HashData, Signal])

// Signal 2: Process launched from temp/user-writable path with suspicious parent
| union
[
  #event_simpleName = ProcessRollup2
  | ImageFileName = /(?i)(\\Temp\\|\\AppData\\Local\\|\\AppData\\Roaming\\|\\Downloads\\|\\Users\\Public\\)/
  | ImageFileName = /(?i)(\.(exe|scr|com))$/
  | ParentBaseFileName in ["winword.exe", "excel.exe", "powerpnt.exe",
                           "mshta.exe", "wscript.exe", "cscript.exe"]
  | not ImageFileName = /(?i)C:\\Windows\\(System32|SysWOW64)\\/
  | eval Signal = "UnsignedTempDirExecution"
  | table([_timems, ComputerName, UserName, ParentBaseFileName, ImageFileName, CommandLine, SHA256HashData, Signal])
]

// Signal 3: Script interpreter with junk string concatenation patterns
| union
[
  #event_simpleName = ProcessRollup2
  | BaseFileName in ["powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe"]
  | CommandLine = /(?i)(chr\(\d+\)(\s*[&+]\s*chr\(\d+\)){4,})|(\+\s*['"][a-zA-Z0-9]{1,3}['"]\s*){5,}|(string\.concat|\[string\]::join)/
  | eval Signal = "ExcessiveStringConcatenation"
  | table([_timems, ComputerName, UserName, BaseFileName, CommandLine, ParentBaseFileName, SHA256HashData, Signal])
]

// Aggregate signals per host/user/process
| groupBy([ComputerName, UserName, ImageFileName], function=[
    count() as AlertCount,
    collect(Signal) as Signals,
    min(_timems) as EarliestActivity,
    max(_timems) as LatestActivity,
    collect(CommandLine, limit=5) as CommandLines,
    collect(SHA256HashData, limit=5) as Hashes
  ])
| eval SignalCount = array_length(Signals)
| where SignalCount >= 1
| eval RiskScore = case(
    SignalCount >= 3, "High",
    SignalCount == 2, "Medium",
    true(), "Low"
  )
| sort(field=SignalCount, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon EDR with Sysmon-equivalent telemetry CrowdStrike Falcon Data Replicator (FDR) CrowdStrike LogScale (Humio) SIEM

Required Tables

ProcessRollup2 Falcon events WriteFile Falcon events NetworkConnectIP4 Falcon events (optional enrichment)

False Positives

CrowdStrike Falcon sensor itself performing real-time monitoring may trigger WriteFile detections for quarantined file copies
Software packaging tools (WiX, NSIS, Inno Setup) that extract and execute component binaries from temp directories
Automated testing frameworks (Selenium, Playwright) invoked from Office-based test orchestration scripts
Enterprise software with legitimate macro-driven deployment workflows approved by IT security

Last updated: 2026-04-13 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1027.016 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Junk Code Insertion

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections