Binary Padding - Linux
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to append junk data to a file.
Sigma rule
title: Binary Padding - Linux
id: c52a914f-3d8b-4b2a-bb75-b3991e75f8ba
status: test
description: |
    Adversaries may use binary padding to add junk data and change the on-disk representation of malware.
    This rule detect using dd and truncate to add a junk data to file.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md
author: Igor Fits, oscd.community
date: 2020-10-13
modified: 2023-05-03
tags:
    - attack.defense-evasion
    - attack.t1027.001
logsource:
    product: linux
    service: auditd
detection:
    selection_execve:
        type: 'EXECVE'
    keywords_truncate:
        '|all':
            - 'truncate'
            - '-s'
    keywords_dd:
        '|all':
            - 'dd'
            - 'if='
    keywords_filter:
        - 'of='
    condition: selection_execve and (keywords_truncate or (keywords_dd and not keywords_filter))
falsepositives:
    - Unknown
level: high
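To make the condition concrete, here is an added worked example (not code from the rule page or the Sigma project) that translates the rule's logic into Python and runs it over a handful of constructed auditd EXECVE records. Sigma keyword selections are case-insensitive substring matches against the whole event, and `|all` requires every listed keyword, which is what `rule_matches` reproduces. The stricter `argv_matches` variant, the sample log lines and the `of=` commentary are assumptions of this example; the dd case without `of=` reflects the padding pattern `dd ... >> file`, where the shell rather than dd opens the output file.

```python
"""Re-implementation of the 'Binary Padding - Linux' Sigma logic over auditd EXECVE records."""
import os
import re
from typing import List, Optional, Tuple

# Constructed sample auditd records (not real captures). Record 202 is padding via
# `dd if=/dev/zero bs=1 count=1 >> file`: no of= appears because the shell opens the file.
# Record 203 is an ordinary disk image copy that the 'of=' filter is meant to exclude.
# Record 204 shows a substring false positive ('truncate' inside a path plus a '-s' flag).
# Record 205 carries a hex-encoded argument (auditd hex-encodes values containing spaces).
SAMPLE_LOG = """\
type=EXECVE msg=audit(1700000000.101:201): argc=4 a0="truncate" a1="-s" a2="+4096" a3="/tmp/update.bin"
type=EXECVE msg=audit(1700000000.102:202): argc=4 a0="dd" a1="if=/dev/zero" a2="bs=1" a3="count=1"
type=EXECVE msg=audit(1700000000.103:203): argc=4 a0="dd" a1="if=/dev/sda" a2="of=/backup/disk.img" a3="bs=4M"
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=59 success=yes exit=0 comm="dd" exe="/usr/bin/dd"
type=EXECVE msg=audit(1700000000.104:204): argc=3 a0="ls" a1="-s" a2="/var/log/truncate_test"
type=EXECVE msg=audit(1700000000.105:205): argc=4 a0="truncate" a1="-s" a2="+1024" a3=2F746D702F6D792066696C65
"""

TYPE_RE = re.compile(r"^type=(\S+)")
ID_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")
# Plain argv values are quoted; values with spaces or special bytes are unquoted hex.
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')


def parse_execve(line: str) -> Optional[List[str]]:
    """Return argv for an EXECVE record, or None for any other record type."""
    m = TYPE_RE.match(line)
    if not m or m.group(1) != "EXECVE":
        return None
    argv = {}
    for idx, quoted, hexed in ARG_RE.findall(line):
        argv[int(idx)] = bytes.fromhex(hexed).decode("utf-8", "replace") if hexed else quoted
    return [argv[i] for i in sorted(argv)]


def rule_matches(line: str) -> bool:
    """Literal translation of the Sigma condition: case-insensitive substrings over the
    whole record; '|all' requires every keyword of the selection to be present."""
    if parse_execve(line) is None:  # selection_execve: type 'EXECVE'
        return False
    text = line.lower()
    kw_truncate = all(k in text for k in ("truncate", "-s"))
    kw_dd = all(k in text for k in ("dd", "if="))
    kw_filter = "of=" in text
    return kw_truncate or (kw_dd and not kw_filter)


def argv_matches(line: str) -> bool:
    """Stricter variant (this example's own idea, not the rule's) anchored on argv[0]
    and argument prefixes, so 'truncate' inside a path or 'dd' inside 'add' do not fire."""
    argv = parse_execve(line)
    if not argv:
        return False
    prog, args = os.path.basename(argv[0]), argv[1:]
    if prog == "truncate":
        return any(a == "-s" or a.startswith("--size") for a in args)
    if prog == "dd":
        has_if = any(a.startswith("if=") for a in args)
        has_of = any(a.startswith("of=") for a in args)
        return has_if and not has_of
    return False


def scan(log: str = SAMPLE_LOG) -> List[Tuple[int, bool, bool]]:
    """Return (audit event id, rule_matches, argv_matches) for every record in the log."""
    results = []
    for line in log.splitlines():
        m = ID_RE.search(line)
        event_id = int(m.group(1)) if m else -1
        results.append((event_id, rule_matches(line), argv_matches(line)))
    return results


if __name__ == "__main__":
    for event_id, loose, strict in scan():
        print(f"event {event_id}: sigma={loose} argv={strict}")
```

Running the scan over the sample shows where the two approaches diverge: record 204 fires under the published keyword logic purely because the string `truncate` appears in a path, while the argv-anchored check stays quiet, and record 203 is correctly suppressed by the `of=` filter in both. When tuning this rule for a real estate, the substring semantics of `dd` (also present in `add`, `hidden`, `adduser`) are the first thing to check against your own EXECVE volume.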
Related rules
- Binary Padding - MacOS
- Failed Code Integrity Checks
- AD Object WriteDAC Access
- ADS Zone.Identifier Deleted By Uncommon Application
- AMSI Bypass Pattern Assembly GetType