Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Binary Padding - Linux

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Igor Fits, oscd.communityCreated Tue Oct 13Updated Wed May 03c52a914f-3d8b-4b2a-bb75-b3991e75f8balinux
Log Source
Linuxauditd
ProductLinux← raw: linux
Serviceauditd← raw: auditd
Detection Logic
Detection Logic4 selectors
detection:
    selection_execve:
        type: 'EXECVE'
    keywords_truncate:
        '|all':
            - 'truncate'
            - '-s'
    keywords_dd:
        '|all':
            - 'dd'
            - 'if='
    keywords_filter:
        - 'of='
    condition: selection_execve and (keywords_truncate or (keywords_dd and not keywords_filter))
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
github.com
Testing & Validation

Simulations

atomic-red-teamT1027.001
View on ART

Pad Binary to Change Hash - Linux/macOS dd

GUID: ffe2346c-abd5-4b45-a713-bf5f1ebd573a

MITRE ATT&CK
Rule Metadata
Rule ID
c52a914f-3d8b-4b2a-bb75-b3991e75f8ba
Status
test
Level
high
Type
Detection
Created
Tue Oct 13
Modified
Wed May 03
Author
Igor Fits, oscd.community
Path
rules/linux/auditd/execve/lnx_auditd_binary_padding.yml
Raw Tags
attack.defense-evasionattack.t1027.001
View on GitHub