2020-10-19 16:39:41 +03:00
title : 'Binary Padding'
id : c52a914f-3d8b-4b2a-bb75-b3991e75f8ba
2021-11-27 11:33:14 +01:00
status : test
2020-10-19 16:39:41 +03:00
description : 'Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.'
author : 'Igor Fits, oscd.community'
references :
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md
2021-11-27 11:33:14 +01:00
date : 2020 /10/13
modified : 2021 /11/27
2020-10-19 16:39:41 +03:00
logsource :
2021-11-27 11:33:14 +01:00
product : linux
service : auditd
2020-10-19 16:39:41 +03:00
detection :
2021-11-27 11:33:14 +01:00
execve :
type : 'EXECVE'
truncate :
- 'truncate'
- '-s'
dd :
- 'dd'
- 'if='
filter :
- 'of='
condition : execve and (all of truncate or (all of dd and not filter))
2020-10-19 16:39:41 +03:00
falsepositives :
2021-11-27 11:33:14 +01:00
- 'Legitimate script work'
2020-10-19 16:39:41 +03:00
level : high
tags :
2021-11-27 11:33:14 +01:00
- attack.defense_evasion
- attack.t1027.001
