T1009 - Binary Padding

Description from ATT&CK

Some security tools inspect files with static signatures to determine if they are known malicious. Adversaries may add data to files to increase the size beyond what security tools are capable of handling or to change the file hash to avoid hash-based blacklists.

How to Detect

Simulating the attack

dd if=/dev/zero bs=1 count=1 >> #{file_to_pad}

sha1sum #{file_to_pad} > before

dd if=/dev/zero bs=1 count=1 >> #{file_to_pad}
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.000221464 s, 4.5 kB/s

sha1sum #{file_to_pad} > after

cmp before after
before after differ: byte 1, line 1

Data sources required to detect the attack

bash_history logs

Splunk Queries to detect the attack


index=linux sourcetype="bash_history" bash_command="dd *"
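The hash change described in the ATT&CK text and a host-side version of the bash_history detection, as an added Python example that is not part of the original page or of the ATT&CK / Atomic Red Team material. The history lines are constructed samples, and the filter deliberately narrows the broad `dd *` match of the Splunk query above to dd invocations that read filler bytes from /dev/zero, /dev/urandom or /dev/random and append them to a file (shell `>>` or GNU dd `oflag=append`), which keeps legitimate disk-imaging use of dd out of the results:

```python
import hashlib

# --- The technique: one appended byte changes the file hash ---------------

def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of the data (what a hash-based blacklist keys on)."""
    return hashlib.sha256(data).hexdigest()

def pad_with_zeros(data: bytes, count: int = 1) -> bytes:
    """In-memory equivalent of `dd if=/dev/zero bs=1 count=COUNT >> file`."""
    return data + b"\x00" * count

def still_matches_blacklist(original: bytes, blacklist: set, count: int = 1) -> bool:
    """True if the padded copy of `original` still hits a hash-based blacklist."""
    return sha256_hex(pad_with_zeros(original, count)) in blacklist

# --- Detection: filter bash_history lines for padding-style dd usage ------

FILLER_DEVICES = {"/dev/zero", "/dev/urandom", "/dev/random"}

def is_padding_command(cmd: str) -> bool:
    """Flag `dd` commands that read filler bytes and append them to a file."""
    tokens = cmd.strip().split()
    if not tokens or tokens[0] != "dd":
        return False
    reads_filler = any(
        t.startswith("if=") and t[3:] in FILLER_DEVICES for t in tokens
    )
    appends = any(
        t.startswith(">>")                                             # shell append redirection
        or (t.startswith("oflag=") and "append" in t[6:].split(","))   # GNU dd append flag
        for t in tokens
    )
    return reads_filler and appends

def find_padding_commands(history_lines):
    """Return the history lines that look like binary padding."""
    return [line for line in history_lines if is_padding_command(line)]

# Constructed bash_history sample (not real telemetry).
SAMPLE_HISTORY = [
    "ls -la /tmp",
    "dd if=/dev/zero bs=1 count=1 >> /tmp/sample.bin",
    "dd if=/dev/sda of=/mnt/backup/disk.img bs=4M status=progress",
    "sha1sum /tmp/sample.bin > after",
    "dd if=/dev/zero of=/tmp/sample.bin bs=1 count=4096 oflag=append conv=notrunc",
    "dd if=/dev/urandom bs=1k count=100 >>./update.tar",
]

if __name__ == "__main__":
    # Constructed stand-in for a known-bad file body.
    original = b"MZ\x90\x00constructed sample body"
    blacklist = {sha256_hex(original)}
    print("before padding, on blacklist:", sha256_hex(original) in blacklist)
    print("after 1 byte of padding, on blacklist:",
          still_matches_blacklist(original, blacklist))
    for hit in find_padding_commands(SAMPLE_HISTORY):
        print("padding candidate:", hit)
```

The first half shows why the technique works against hash lookups: the blacklist entry for the original body no longer matches once a single null byte is appended. The second half is the same logic the Splunk query expresses, but with the two conditions that distinguish padding from ordinary dd use (a filler device as input, append semantics on output) made explicit, so it can be run over exported history files or used to tune the query.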