c965a8dca0
Updated the modified field; the reference link is the same. I have a PR in the ART repo for the same, which is yet to be verified. Maybe, if it's allowed, the man pages of "truncate" and "dd" can be referenced. Discarding the filter: there should either be "of=" (output file) or a redirection or append symbol.
36 lines
1.3 KiB
YAML
title: Binary Padding - MacOS
id: 95361ce5-c891-4b0a-87ca-e24607884a96
status: test
description: Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to add junk data to a file.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md
    - https://linux.die.net/man/1/truncate
    - https://linux.die.net/man/1/dd
author: 'Igor Fits, Mikhail Larin, oscd.community'
date: 2020/10/19
modified: 2023/02/17
tags:
    - attack.defense_evasion
    - attack.t1027.001
logsource:
    product: macos
    category: process_creation
detection:
    selection1:
        Image|endswith: '/truncate'
        CommandLine|contains: '-s +'
    filter1:
        CommandLine|contains:
            - '-s 0' # truncates to zero, no padding
            - '-s -' # file size will be reduced, no padding
    selection2:
        Image|endswith: '/dd'
        CommandLine|contains:
            - 'if=/dev/zero' # if input is not /dev/zero, then there is no null padding
            - 'if=/dev/random' # high-quality random data
            - 'if=/dev/urandom' # low-quality random data
    condition: (selection1 and not filter1) or selection2
falsepositives:
    - Legitimate script work
level: high
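To see what the detection block above actually reaches, here is an added example that re-implements the rule's three selections and its condition in plain Python and runs them over a handful of constructed macOS process_creation events. This is not code from the SigmaHQ rule or from the Atomic Red Team repository; the field names follow the Sigma process_creation taxonomy (Image, CommandLine), Sigma's default case-insensitive string matching is assumed, and every event, path and file name below is made up for illustration.

```python
# Added example: evaluate the 'Binary Padding - MacOS' Sigma logic over
# constructed process_creation events. Not part of the SigmaHQ rule file
# or the Atomic Red Team repo; paths and file names are hypothetical.

PADDING_SOURCES = ("if=/dev/zero", "if=/dev/random", "if=/dev/urandom")


def contains(haystack: str, needle: str) -> bool:
    """Sigma 'contains'/'endswith' are case-insensitive by default (assumed here)."""
    return needle.lower() in haystack.lower()


def selection1(image: str, cmd: str) -> bool:
    """Image|endswith: '/truncate'  and  CommandLine|contains: '-s +'"""
    return image.lower().endswith("/truncate") and contains(cmd, "-s +")


def filter1(cmd: str) -> bool:
    """CommandLine|contains: '-s 0' or '-s -'  (zeroing / shrinking, no padding)."""
    return contains(cmd, "-s 0") or contains(cmd, "-s -")


def selection2(image: str, cmd: str) -> bool:
    """Image|endswith: '/dd'  and  CommandLine|contains one of PADDING_SOURCES."""
    return image.lower().endswith("/dd") and any(contains(cmd, s) for s in PADDING_SOURCES)


def matches(event: dict) -> bool:
    """condition: (selection1 and not filter1) or selection2"""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    return (selection1(image, cmd) and not filter1(cmd)) or selection2(image, cmd)


# Constructed process_creation events (hypothetical paths and file names).
SAMPLE_EVENTS = {
    # Grow the file by 10 MiB of zero bytes, as the Atomic test does -> alert
    "pad_truncate": {"Image": "/usr/bin/truncate",
                     "CommandLine": "truncate -s +10M /tmp/payload.bin"},
    # Same padding without the space after -s: the '-s +' literal misses it
    "pad_truncate_nospace": {"Image": "/usr/bin/truncate",
                             "CommandLine": "truncate -s+10M /tmp/payload.bin"},
    # An absolute size larger than the file also extends it with zeros; no '-s +'
    "pad_truncate_absolute": {"Image": "/usr/bin/truncate",
                              "CommandLine": "truncate -s 64M /tmp/payload.bin"},
    # Shrinking carries no padding; selection1 never fires ('-s -' is not '-s +')
    "shrink_truncate": {"Image": "/usr/bin/truncate",
                        "CommandLine": "truncate -s -4K /tmp/payload.bin"},
    # dd writing zeros into a file through of= -> alert
    "pad_dd_of": {"Image": "/bin/dd",
                  "CommandLine": "dd if=/dev/zero bs=1m count=10 of=/tmp/payload.bin"},
    # dd writing to stdout: any '>>' redirection belongs to the parent shell and
    # never appears in dd's own command line; still caught through if=/dev/zero
    "pad_dd_stdout": {"Image": "/bin/dd",
                      "CommandLine": "dd if=/dev/zero bs=1m count=10"},
    # Key-material generation looks the same to the rule: the listed false positive
    "keygen_dd": {"Image": "/bin/dd",
                  "CommandLine": "dd if=/dev/urandom of=/tmp/app.key bs=32 count=1"},
    # Emptying a log file: no '-s +', so no alert
    "create_empty": {"Image": "/usr/bin/truncate",
                     "CommandLine": "truncate -s 0 /var/log/app.log"},
}


def evaluate(events: dict = SAMPLE_EVENTS) -> dict:
    """Return {event name: True if the rule would alert} for each event."""
    return {name: matches(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        flag = "ALERT" if hit else "     "
        print(f"{flag}  {name}: {SAMPLE_EVENTS[name]['CommandLine']}")
```

Two things fall out of running this. First, because selection1 already requires the literal `-s +`, filter1 can only suppress a command line that carries both a `-s +` token and a `-s 0` or `-s -` token at once; on its own a shrink or zeroing call never reaches the filter. Second, the `-s +` literal depends on the space: `truncate -s+10M` and an absolute `truncate -s 64M` (which also extends a smaller file with zeros) both pad without matching, so a tighter rule would want a regex over the size argument rather than a fixed substring.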