Binary Padding - MacOS
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.
Sigma rule (View on GitHub)
1title: Binary Padding - MacOS
2id: 95361ce5-c891-4b0a-87ca-e24607884a96
3status: test
4description: Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md
7 - https://linux.die.net/man/1/truncate
8 - https://linux.die.net/man/1/dd
9author: 'Igor Fits, Mikhail Larin, oscd.community'
10date: 2020-10-19
11modified: 2023-02-17
12tags:
13 - attack.defense-evasion
14 - attack.t1027.001
15logsource:
16 product: macos
17 category: process_creation
18detection:
19 selection_truncate:
20 Image|endswith: '/truncate'
21 CommandLine|contains: '-s +'
22 selection_dd:
23 Image|endswith: '/dd'
24 CommandLine|contains:
25 - 'if=/dev/zero' # if input is not /dev/zero, then there is no null padding
26 - 'if=/dev/random' # high-quality random data
27 - 'if=/dev/urandom' # low-quality random data
28 condition: 1 of selection_*
29falsepositives:
30 - Legitimate script work
31level: high
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Binary Padding - Linux
- Failed Code Integrity Checks
- AD Object WriteDAC Access
- ADS Zone.Identifier Deleted By Uncommon Application
- AMSI Bypass Pattern Assembly GetType