Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
38 lines (24 sloc) 951 Bytes

T1009 - Binary Padding

Description from ATT&CK

Some security tools inspect files with static signatures to determine if they are known malicious. Adversaries may add data to files to increase the size beyond what security tools are capable of handling or to change the file hash to avoid hash-based blacklists.

How to Detect

Simulating the attack

dd if=/dev/zero bs=1 count=1 >> #{file_to_pad}

sha1sum welcome.sh >before

dd if=/dev/zero bs=1 count=1 >> welcome.sh
<<
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.000221464 s, 4.5 kB/s
>>

sha1sum welcome.sh >after

cmp before after
<<before after differ: byte 1, line 1>>

Data sources required to detect the attack

bash_history logs

Splunk Queries to detect the attack

bash_history

index=linux sourcetype="bash_history" bash_command="dd *"

Caution/Caveate

You can’t perform that action at this time.