title: Binary Padding (T1027.001)
id: df00tech-t1027-001
status: experimental
description: "Adversaries may use binary padding to add junk data and change the on-disk representation of malware. Because the junk is appended or inserted where it is never executed, it does not affect the functionality or behavior of the binary, but it can inflate the file beyond the size limits of some security tools (sandbox upload caps, scan-size limits). Padding changes every file hash, so it defeats hash-based blocklists and any static anti-virus signature that depends on the exact file contents. Known threat actors and malware families, including APT29, Kimsuky, Emotet, QakBot, Black Basta, and Akira, have employed this technique to inflate file sizes and change file hashes."
references:
  - https://attack.mitre.org/techniques/T1027/001/
  - https://df00tech.com/detections/T1027.001
author: df00tech
date: 2026/04/13
tags:
  - attack.t1027.001
# NOTE: logsource was auto-derived and may need adjustment for your environment.
# The false positives below all describe large file writes with executable
# extensions, which points to a file-creation source with a size threshold rather
# than process_creation; confirm against the df00tech query before deploying.
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder only: the detection logic could not be auto-translated, and the
  # selection below (EventID: '*') matches every event in the logsource. Do not
  # deploy this rule as-is; see the KQL/SPL query on df00tech for the real logic.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Large legitimate software installers (e.g., game installers, IDE packages, database engines) dropped in temp or user directories during installation"
  - Backup or archive tools writing large consolidated files that happen to use .exe or .dll extensions
  - Software development workflows where compiled binaries with debug symbols legitimately exceed size thresholds
  - Container or VM image export utilities writing large binary blobs with executable extensions
level: medium
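The description above says padding changes the hash without changing behavior; the check a practitioner usually wants is what that padding looks like on disk. The following is an added example, not part of this rule or of df00tech's query. It constructs a minimal PE-shaped blob (a constructed sample, not a loadable program), appends junk after the last section, and shows that the SHA-256 changes while the padding is visible as a large, low-entropy overlay. The `min_overlay` and `max_entropy` thresholds are assumptions to tune for your environment.

```python
"""Binary padding (T1027.001): demonstrate the hash change and a static check.

Builds a minimal PE-shaped blob (constructed sample, not a real program),
appends junk after the last section, and shows that the SHA-256 changes while
the padding shows up as a large, low-entropy overlay.
"""
import hashlib
import math
import struct
from collections import Counter

SECTION_HDR_SIZE = 40
COFF_HDR_SIZE = 20


def build_fake_pe(section_data: bytes) -> bytes:
    """Return a PE-shaped blob with one section (constructed, not loadable)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xE0  # PE32 optional header size
    # COFF: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x0102)
    opt = b"\x0B\x01" + b"\x00" * (size_opt - 2)  # PE32 magic, rest zeroed
    hdr_end = e_lfanew + 4 + COFF_HDR_SIZE + size_opt + SECTION_HDR_SIZE
    raw_ptr = (hdr_end + 0x1FF) & ~0x1FF  # file-align the section to 512
    # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, reloc/linenum pointers and counts, Characteristics
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                       len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\x00\x00" + coff + opt + sect
    return headers.ljust(raw_ptr, b"\x00") + section_data


def end_of_sections(pe: bytes) -> int:
    """Offset just past the last section's raw data; bytes beyond are overlay."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + COFF_HDR_SIZE + size_opt
    end = 0
    for i in range(nsections):
        # SizeOfRawData and PointerToRawData sit at +16 in each 40-byte entry
        raw_size, raw_ptr = struct.unpack_from("<II", pe, table + i * SECTION_HDR_SIZE + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued input, 8.0 for uniform."""
    n = len(data)
    return sum(c / n * math.log2(n / c) for c in Counter(data).values()) if n else 0.0


def pad_binary(pe: bytes, junk: bytes) -> bytes:
    """The padding step: the Windows loader ignores bytes past the last section,
    so appending junk leaves the program intact but changes every file hash."""
    return pe + junk


def analyze_overlay(pe: bytes, min_overlay: int = 1 << 20, max_entropy: float = 1.0) -> dict:
    """Flag a large, low-entropy overlay. Thresholds are assumptions to tune:
    legitimate overlays (Authenticode certificate tables, installer payloads)
    are usually smaller or high-entropy."""
    overlay = pe[end_of_sections(pe):]
    entropy = shannon_entropy(overlay)
    return {
        "sha256": hashlib.sha256(pe).hexdigest(),
        "size": len(pe),
        "overlay_bytes": len(overlay),
        "overlay_entropy": round(entropy, 3),
        "suspected_padding": len(overlay) >= min_overlay and entropy <= max_entropy,
    }


def demo() -> tuple:
    """Analyze the constructed sample before and after 2 MiB of zero padding."""
    original = build_fake_pe(bytes(range(256)))
    padded = pad_binary(original, b"\x00" * (2 << 20))
    return analyze_overlay(original), analyze_overlay(padded)


if __name__ == "__main__":
    for label, report in zip(("original", "padded"), demo()):
        print(label, report)
```

Two limits worth keeping in mind when using this as a triage check: padding filled with random bytes, or inserted inside a section rather than appended, will not trip the entropy heuristic, so the overlay check complements rather than replaces the size-based logic this rule is aimed at; and since the file hash is exactly what the technique changes, matching should fall back on content that padding leaves alone, such as the import hash or per-section hashes.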
