Binary Padding - MacOS
- source: sigma
- techniques:
  - t1027
  - t1027.001
Description
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to append junk data to a file.
Detection logic
condition: 1 of selection_*
selection_dd:
    CommandLine|contains:
        - if=/dev/zero
        - if=/dev/random
        - if=/dev/urandom
    Image|endswith: /dd
selection_truncate:
    CommandLine|contains: '-s +'
    Image|endswith: /truncate
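To show how the detection logic above is evaluated, here is an added Python example (not part of this page or of the Sigma project) that encodes the two selections and the `1 of selection_*` condition and runs them over a few constructed macOS process-creation events; the event dicts, field names and helper names are assumptions.

```python
"""Evaluate the 'Binary Padding - MacOS' Sigma logic over constructed process events."""

# The rule's selections: each entry maps "Field|modifier" to one value or a list of values.
SELECTIONS = {
    "selection_dd": {
        "CommandLine|contains": ["if=/dev/zero", "if=/dev/random", "if=/dev/urandom"],
        "Image|endswith": "/dd",
    },
    "selection_truncate": {
        "CommandLine|contains": "-s +",
        "Image|endswith": "/truncate",
    },
}

MODIFIERS = {
    "contains": lambda field, value: value in field,
    "endswith": lambda field, value: field.endswith(value),
    "equals": lambda field, value: field == value,
}

def field_matches(field_spec, values, event):
    """One 'Field|modifier' entry: true if ANY listed value matches (a Sigma value list is OR).
    Sigma string matching is case-insensitive by default, so both sides are lower-cased."""
    name, _, modifier = field_spec.partition("|")
    actual = str(event.get(name, "")).lower()
    values = [values] if isinstance(values, str) else values
    test = MODIFIERS[modifier or "equals"]
    return any(test(actual, v.lower()) for v in values)

def selection_matches(selection, event):
    """Every field entry inside one selection must hold (fields within a selection are AND)."""
    return all(field_matches(spec, vals, event) for spec, vals in selection.items())

def rule_matches(event):
    """condition: 1 of selection_*  ->  names of the selections that fired (empty = no alert)."""
    return [name for name, sel in SELECTIONS.items() if selection_matches(sel, event)]

# Constructed sample events (assumed field names Image / CommandLine, as in the rule).
EVENTS = [
    {"Image": "/bin/dd", "CommandLine": "dd if=/dev/zero bs=1M count=50 of=./payload"},
    {"Image": "/usr/bin/truncate", "CommandLine": "truncate -s +50M ./payload"},
    {"Image": "/bin/dd", "CommandLine": "dd if=disk.img of=/dev/null"},        # no padding source
    {"Image": "/usr/bin/truncate", "CommandLine": "truncate -s 0 logfile"},     # shrink, not grow
    # Coverage caveat: Image must end with /dd, so the shell that launches dd is not matched by
    # itself; detection relies on the dd child process being logged as its own event.
    {"Image": "/bin/zsh", "CommandLine": "zsh -c 'dd if=/dev/urandom of=./payload count=1'"},
]

def scan(events=EVENTS):
    """Return (CommandLine, fired selections) for every event."""
    return [(e["CommandLine"], rule_matches(e)) for e in events]
```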