Detect Junk Code Insertion in Google Chronicle
Adversaries may insert junk code or dead code into malware to obfuscate its functionality, hinder static analysis, and evade signature-based detections. Junk code includes NOP (No-Operation) sleds, dummy API calls, excessive mathematical operations, infinite loops that are never reached, and random garbage instructions interspersed between legitimate code. Unlike Binary Padding (T1027.001), which changes file size/hash, junk code insertion specifically targets analyst workflow and automated analysis engines. Real-world actors including Maze ransomware, FIN7, Gamaredon Group, APT32, Kimsuky, and StrelaStealer have employed this technique.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1027 Obfuscated Files or Information
- Sub-technique
- T1027.016 Junk Code Insertion
- Canonical reference
- https://attack.mitre.org/techniques/T1027/016/
YARA-L Detection Query
rule t1027_016_junk_code_insertion {
meta:
author = "Argus Detection Engineering"
description = "Detects T1027.016 Junk Code Insertion via behavioral indicators: executable file creation by Office/script interpreters, unsigned binary execution from writable paths, and excessive string concatenation in script command lines"
severity = "HIGH"
priority = "HIGH"
mitre_attack_tactic = "Defense Evasion"
mitre_attack_technique = "T1027.016"
reference = "https://attack.mitre.org/techniques/T1027/016/"
created = "2026-04-13"
version = "1.0"
events:
// Signal 1: File creation event - executable dropped by suspicious parent
$file_event.metadata.event_type = "FILE_CREATION"
$file_event.principal.hostname = $hostname
$file_event.principal.user.userid = $username
(
$file_event.target.file.full_path = /(?i)\.exe$/ or
$file_event.target.file.full_path = /(?i)\.dll$/ or
$file_event.target.file.full_path = /(?i)\.scr$/
)
(
$file_event.principal.process.file.full_path = /(?i)\\winword\.exe$/ or
$file_event.principal.process.file.full_path = /(?i)\\excel\.exe$/ or
$file_event.principal.process.file.full_path = /(?i)\\powerpnt\.exe$/ or
$file_event.principal.process.file.full_path = /(?i)\\outlook\.exe$/ or
$file_event.principal.process.file.full_path = /(?i)\\mshta\.exe$/ or
$file_event.principal.process.file.full_path = /(?i)\\wscript\.exe$/ or
$file_event.principal.process.file.full_path = /(?i)\\cscript\.exe$/ or
$file_event.principal.process.file.full_path = /(?i)\\cmd\.exe$/ or
$file_event.principal.process.file.full_path = /(?i)\\rundll32\.exe$/ or
$file_event.principal.process.file.full_path = /(?i)\\regsvr32\.exe$/
)
// Signal 2: Process launch from temp/writable dir with suspicious parent
$proc_event.metadata.event_type = "PROCESS_LAUNCH"
$proc_event.principal.hostname = $hostname
$proc_event.principal.user.userid = $username
(
$proc_event.target.process.file.full_path = /(?i)\\Temp\\/ or
$proc_event.target.process.file.full_path = /(?i)\\AppData\\Local\\/ or
$proc_event.target.process.file.full_path = /(?i)\\AppData\\Roaming\\/ or
$proc_event.target.process.file.full_path = /(?i)\\Downloads\\/ or
$proc_event.target.process.file.full_path = /(?i)\\Users\\Public\\/
)
(
$proc_event.target.process.file.full_path = /(?i)\.exe$/ or
$proc_event.target.process.file.full_path = /(?i)\.scr$/ or
$proc_event.target.process.file.full_path = /(?i)\.com$/
)
not $proc_event.target.process.file.full_path = /(?i)C:\\Windows\\(System32|SysWOW64)\\/
(
$proc_event.principal.process.file.full_path = /(?i)\\winword\.exe$/ or
$proc_event.principal.process.file.full_path = /(?i)\\excel\.exe$/ or
$proc_event.principal.process.file.full_path = /(?i)\\mshta\.exe$/ or
$proc_event.principal.process.file.full_path = /(?i)\\wscript\.exe$/ or
$proc_event.principal.process.file.full_path = /(?i)\\cscript\.exe$/
)
match:
$hostname, $username over 1h
condition:
$file_event or $proc_event
outcome:
$risk_score = max(
if($file_event.metadata.event_type = "FILE_CREATION", 40, 0) +
if($proc_event.metadata.event_type = "PROCESS_LAUNCH", 50, 0)
)
$mitre_technique = "T1027.016"
$file_path = array_distinct($file_event.target.file.full_path)
$process_path = array_distinct($proc_event.target.process.file.full_path)
$parent_process = array_distinct($proc_event.principal.process.file.full_path)
}Chronicle YARA-L 2.0 rule detecting T1027.016 Junk Code Insertion through behavioral UDM event correlation. Matches file creation events (executable files written by Office applications or script interpreters) and process launch events (unsigned binaries executing from user-writable directories with suspicious parent processes) correlated by hostname and username over a 1-hour window. Risk scoring combines signal weights for triage prioritization.
Data Sources
Required Tables
False Positives & Tuning
- Electron-based desktop applications (Teams, Slack, VS Code) that write and execute binaries from AppData directories during auto-update
- Legitimate document-embedded macros used in approved business workflows that invoke helper executables
- IT management tools that use Office automation to deploy or configure software
- Security awareness training platforms that simulate phishing via Office macro execution
Other platforms for T1027.016
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PowerShell Script with Excessive String Concatenation Junk Code
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing excessive variable concatenation. PowerShell ScriptBlock Log Event ID 4104 will show full script with dead variable assignments and Invoke-Expression. The final executed command 'whoami' will also appear in script block logs.
- Test 2VBScript with Dead Code Padding (chr() Concatenation Pattern)
Expected signal: Sysmon Event ID 11: File Create for %TEMP%\junktest.vbs (created by cmd.exe). Sysmon Event ID 1: Process Create for cscript.exe executing junktest.vbs. Sysmon Event ID 1: Child process cmd.exe spawned by cscript.exe with whoami command. Sysmon Event ID 11: File Create for %TEMP%\vbsout.txt.
- Test 3Compile and Execute Binary with NOP Sled Simulation via Inline Assembly
Expected signal: Sysmon Event ID 1: PowerShell.exe process with Add-Type command. Sysmon Event ID 11: File Create for %TEMP%\junkcode_test.exe compiled by csc.exe (invoked by Add-Type). Sysmon Event ID 1: Execution of junkcode_test.exe from %TEMP% directory. PowerShell ScriptBlock Log Event ID 4104 showing the source code with NOP-equivalent patterns.
- Test 4Batch File with Dead Code Branches and Junk Variable Inflation
Expected signal: Sysmon Event ID 11: File Create for %TEMP%\junkbatch.bat. Sysmon Event ID 1: cmd.exe executing junkbatch.bat from %TEMP%. Sysmon Event ID 1: Child cmd.exe process executing whoami. Sysmon Event ID 11: File Create for %TEMP%\batchout.txt. Security Event ID 4688 (if process creation auditing enabled) for all cmd.exe instances.
References (12)
- https://attack.mitre.org/techniques/T1027/016/
- https://cyberpedia.reasonlabs.com/EN/dead%20code%20insertion.html
- https://cyberpedia.reasonlabs.com/EN/junk%20code.html
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/maze-ransomware-no-promised-decryption-key-after-ransom-payment/
- https://www.welivesecurity.com/2016/10/25/lifting-lid-sednit-closer-look-group/
- https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence
- https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/
- https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
- https://www.cybereason.com/blog/operation-cobalt-kitty-apt
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows
- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
Unlock Pro Content
Get the full detection package for T1027.016 including response playbook, investigation guide, and atomic red team tests.