T1009 - Binary Padding

Description from ATT&CK

Some security tools inspect files with static signatures to determine if they are known malicious. Adversaries may add data to files to increase the size beyond what security tools are capable of handling or to change the file hash to avoid hash-based blacklists.

How to Detect

Simulating the attack

dd if=/dev/zero bs=1 count=1 >> #{file_to_pad}

sha1sum welcome.sh >before

dd if=/dev/zero bs=1 count=1 >> welcome.sh
<<
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.000221464 s, 4.5 kB/s
>>

sha1sum welcome.sh >after

cmp before after
<<before after differ: byte 1, line 1>>

Data sources required to detect the attack

bash_history logs

Splunk Queries to detect the attack

bash_history

index=linux sourcetype="bash_history" bash_command="dd *"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

T1009.md

T1009.md

T1009 - Binary Padding

Description from ATT&CK

How to Detect

Simulating the attack

Data sources required to detect the attack

Splunk Queries to detect the attack

bash_history

Caution/Caveate

Files

T1009.md

Latest commit

History

T1009.md

File metadata and controls

T1009 - Binary Padding

Description from ATT&CK

How to Detect

Simulating the attack

Data sources required to detect the attack

Splunk Queries to detect the attack

bash_history

Caution/Caveate