Detectionhightest
Binary Padding - MacOS
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Igor Fits, Mikhail Larin, oscd.communityCreated Mon Oct 19Updated Fri Feb 1795361ce5-c891-4b0a-87ca-e24607884a96macos
Log Source
macOSProcess Creation
ProductmacOS← raw: macos
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic2 selectors
detection:
selection_truncate:
Image|endswith: '/truncate'
CommandLine|contains: '-s +'
selection_dd:
Image|endswith: '/dd'
CommandLine|contains:
- 'if=/dev/zero' # if input is not /dev/zero, then there is no null padding
- 'if=/dev/random' # high-quality random data
- 'if=/dev/urandom' # low-quality random data
condition: 1 of selection_*False Positives
Legitimate script work
MITRE ATT&CK
Tactics
Sub-techniques
Rule Metadata
Rule ID
95361ce5-c891-4b0a-87ca-e24607884a96
Status
test
Level
high
Type
Detection
Created
Mon Oct 19
Modified
Fri Feb 17
Author
Path
rules/macos/process_creation/proc_creation_macos_binary_padding.yml
Raw Tags
attack.defense-evasionattack.t1027.001