Binary Padding - Linux
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.
Sigma rule (View on GitHub)
1title: Binary Padding - Linux
2id: c52a914f-3d8b-4b2a-bb75-b3991e75f8ba
3status: test
4description: |
5 Adversaries may use binary padding to add junk data and change the on-disk representation of malware.
6 This rule detect using dd and truncate to add a junk data to file.
7references:
8 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md
9author: Igor Fits, oscd.community
10date: 2020/10/13
11modified: 2023/05/03
12tags:
13 - attack.defense_evasion
14 - attack.t1027.001
15logsource:
16 product: linux
17 service: auditd
18detection:
19 selection_execve:
20 type: 'EXECVE'
21 keywords_truncate:
22 '|all':
23 - 'truncate'
24 - '-s'
25 keywords_dd:
26 '|all':
27 - 'dd'
28 - 'if='
29 keywords_filter:
30 - 'of='
31 condition: selection_execve and (keywords_truncate or (keywords_dd and not keywords_filter))
32falsepositives:
33 - Unknown
34level: high
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- AWS Macie Evasion
- Defense evasion via process reimaging
- Execution via CL_Invocation.ps1 (2 Lines)
- Execution via CL_Mutexverifiers.ps1 (2 Lines)
- File Creation by Office Applications