Detection Strategy for Junk Code Obfuscation with Suspicious Execution Patterns

Technique Detected: Junk Code Insertion | T1027.016

ID: DET0322
Domains: Enterprise
Analytics: AN0913, AN0914, AN0915
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0913

Detects the presence of executables with high NOP padding, unusually large binary size for their function, and follow-on execution or memory injection from such files, especially when originating from temp or user-space paths.

Log Sources
Data Component             Name                Channel
File Creation (DC0039)     WinEventLog:Sysmon  EventCode=11
Process Access (DC0035)    WinEventLog:Sysmon  EventCode=10
Process Creation (DC0032)  WinEventLog:Sysmon  EventCode=1

Mutable Elements
Field                     Description
NOPThreshold              High proportion of 0x90 opcodes indicating junk code – tune to suppress noise from some packing tools
ExecutableSizeThreshold   Size range for abnormally large binaries relative to their runtime behavior
TimeWindow                Window between file creation and execution – short intervals may indicate staged payload execution
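The static side of this analytic (proportion of 0x90 bytes, longest contiguous NOP run, entropy and size measured against NOPThreshold and ExecutableSizeThreshold) can be implemented as a small scoring function. The following is an added Python example, not code from the DET0322 page or from any ATT&CK tooling; the threshold values, the MIN_NOP_RUN and ENTROPY_THRESHOLD knobs, and the two byte blobs are constructed assumptions for illustration.

```python
import math
from collections import Counter

# Tunable thresholds mirroring NOPThreshold and ExecutableSizeThreshold.
# These values are assumed starting points for tuning, not taken from the page.
NOP_THRESHOLD = 0.20                          # flag when >= 20% of bytes are 0x90
MIN_NOP_RUN = 64                              # a contiguous NOP sled this long is rare in compiled code
EXECUTABLE_SIZE_THRESHOLD = 5 * 1024 * 1024   # 5 MiB: large for a dropper-sized binary
ENTROPY_THRESHOLD = 7.2                       # bits/byte; packed or encrypted sections approach 8.0


def nop_ratio(data: bytes) -> float:
    """Proportion of bytes equal to the x86 single-byte NOP opcode (0x90)."""
    return data.count(0x90) / len(data) if data else 0.0


def longest_nop_run(data: bytes) -> int:
    """Length of the longest contiguous run of 0x90 bytes."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == 0x90 else 0
        best = max(best, cur)
    return best


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for a uniform byte distribution)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def score_binary(data: bytes) -> dict:
    """Apply the junk-code heuristics and return the measurements plus any triggered flags."""
    ratio = nop_ratio(data)
    run = longest_nop_run(data)
    entropy = shannon_entropy(data)
    flags = []
    if ratio >= NOP_THRESHOLD or run >= MIN_NOP_RUN:
        flags.append("high_nop_padding")
    if len(data) >= EXECUTABLE_SIZE_THRESHOLD:
        flags.append("oversized")
    if entropy >= ENTROPY_THRESHOLD:
        flags.append("high_entropy")
    return {"size": len(data), "nop_ratio": ratio, "longest_nop_run": run,
            "entropy": entropy, "flags": flags}


# Constructed sample inputs (not real binaries): a blob padded with a long NOP sled,
# and a plain-text blob standing in for an ordinary, unpadded file.
JUNK_PADDED = b"MZ" + bytes(range(256)) * 4 + b"\x90" * 3000
BENIGN = b"The quick brown fox jumps over the lazy dog. " * 50

if __name__ == "__main__":
    for name, blob in (("junk_padded", JUNK_PADDED), ("benign", BENIGN)):
        print(name, score_binary(blob))
```

In practice the scoring would run on the file referenced by the Sysmon EventCode=11 record, and the resulting flags would be attached to the follow-on EventCode=1 or EventCode=10 event for the same path so the TimeWindow correlation has the static evidence alongside it. Note that the ratio alone is noisy: some packers and compilers emit alignment padding, which is why MIN_NOP_RUN and the size check are kept as separate, independently tunable signals.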

AN0914

Detects ELF binaries written to disk that demonstrate anomalous file size or entropy, quickly followed by execution or memory region writes into remote processes (e.g., using ptrace).

Log Sources
Data Component                 Name            Channel
File Creation (DC0039)         auditd:SYSCALL  write
Process Creation (DC0032)      auditd:SYSCALL  execve
Process Modification (DC0020)  auditd:SYSCALL  ptrace/mprotect

Mutable Elements
Field                      Description
BinarySizeThreshold        Used to flag binaries much larger than typical shell utilities or payloads
MemoryWriteTargets         Which processes are allowed ptrace/mprotect – can limit to suspicious child-to-parent targeting
ExecutionAfterWriteWindow  Temporal threshold from file write to execution

AN0915

Identifies Mach-O binaries dropped into temporary directories with abnormally high binary size or padding patterns, followed by privilege escalation, exec, or memory mapping of other processes.

Log Sources
Data Component                 Name                    Channel
Process Creation (DC0032)      macos:endpointsecurity  ES_EVENT_TYPE_NOTIFY_EXEC
Process Modification (DC0020)  macos:endpointsecurity  ES_EVENT_TYPE_NOTIFY_MMAP
Process Access (DC0035)        macos:endpointsecurity  ES_EVENT_TYPE_NOTIFY_OPEN

Mutable Elements
Field                        Description
TempFilePaths                Track dropped executables in ~/Library/, /tmp/, or /private/tmp/
MachOPaddingThreshold        Define padding size or section entropy anomalies in the Mach-O file format
FollowOnPrivilegeEscalation  Detects whether the binary attempts privilege escalation within a short execution window
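The temporal chain that AN0914 and AN0915 share with AN0913 (a file is written, the same path is executed within ExecutionAfterWriteWindow or TimeWindow, and the new process then calls ptrace/mprotect or maps memory of another process within a follow-on window, with TempFilePaths raising severity) can be expressed as one correlator over normalized events. The following is an added Python example, not code from DET0322 or from any ATT&CK tooling; the Event model, both window values, the extra /var/tmp/ prefix, the FOLLOW_ON_WINDOW knob, the expansion of ~/Library/ to /Users/<name>/Library/, and the sample events are constructed assumptions.

```python
from dataclasses import dataclass

# Windows mirroring ExecutionAfterWriteWindow / TimeWindow; values are assumed tuning points.
EXECUTION_AFTER_WRITE_WINDOW = 60.0   # seconds allowed between file write and exec of that path
FOLLOW_ON_WINDOW = 120.0              # seconds allowed between exec and a cross-process memory operation
# TempFilePaths from the analytic, plus /var/tmp/ as an assumed extra prefix.
TEMP_FILE_PATHS = ("/tmp/", "/private/tmp/", "/var/tmp/")
# Syscalls / Endpoint Security events treated as cross-process memory operations.
FOLLOW_ON_CALLS = {"ptrace", "mprotect", "ES_EVENT_TYPE_NOTIFY_MMAP"}


@dataclass
class Event:
    ts: float            # epoch seconds
    kind: str            # "write", "exec" or "modify", normalized from auditd / Endpoint Security
    path: str = ""       # file path for write/exec events
    pid: int = 0         # acting process
    target_pid: int = 0  # process whose memory is touched (modify events only)
    detail: str = ""     # syscall name or ES event type


def is_temp_path(path: str) -> bool:
    """True for paths under TempFilePaths; ~/Library/ is matched as /Users/<name>/Library/ (assumed)."""
    if path.startswith(TEMP_FILE_PATHS):
        return True
    parts = path.split("/")
    return len(parts) > 3 and parts[1] == "Users" and parts[3] == "Library"


def correlate(events):
    """Return one alert per (write -> exec) pair inside the window, enriched with follow-on memory ops."""
    ordered = sorted(events, key=lambda e: e.ts)
    writes = [e for e in ordered if e.kind == "write"]
    execs = [e for e in ordered if e.kind == "exec"]
    mods = [e for e in ordered if e.kind == "modify"]
    alerts = []
    for w in writes:
        for x in execs:
            delta = x.ts - w.ts
            if x.path != w.path or delta < 0 or delta > EXECUTION_AFTER_WRITE_WINDOW:
                continue
            # Memory operations by the newly executed process against a *different* process.
            follow_on = [m for m in mods
                         if m.pid == x.pid and m.target_pid not in (0, x.pid)
                         and m.detail in FOLLOW_ON_CALLS
                         and 0 <= m.ts - x.ts <= FOLLOW_ON_WINDOW]
            if follow_on:
                severity = "high"
            elif is_temp_path(x.path):
                severity = "medium"
            else:
                severity = "low"
            alerts.append({
                "path": x.path,
                "pid": x.pid,
                "write_to_exec_seconds": delta,
                "follow_on": [f"{m.detail}->pid {m.target_pid}" for m in follow_on],
                "severity": severity,
            })
    return alerts


# Constructed sample events (not real telemetry) covering the Linux and macOS analytics.
SAMPLE_EVENTS = [
    Event(100.0, "write", "/tmp/.cache_helper", pid=4100, detail="write"),
    Event(103.5, "exec", "/tmp/.cache_helper", pid=4120, detail="execve"),
    Event(110.0, "modify", pid=4120, target_pid=4055, detail="ptrace"),
    # exec with no preceding write of that path: no alert
    Event(500.0, "exec", "/private/tmp/updater", pid=900, detail="ES_EVENT_TYPE_NOTIFY_EXEC"),
    # write followed by exec far outside the window: no alert
    Event(1000.0, "write", "/usr/local/bin/tool", pid=2000, detail="write"),
    Event(5000.0, "exec", "/usr/local/bin/tool", pid=2001, detail="execve"),
    # macOS drop into ~/Library and prompt exec, but no cross-process memory operation
    Event(2000.0, "write", "/Users/alice/Library/Caches/updater", pid=700, detail="ES_EVENT_TYPE_NOTIFY_OPEN"),
    Event(2004.0, "exec", "/Users/alice/Library/Caches/updater", pid=710, detail="ES_EVENT_TYPE_NOTIFY_EXEC"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

To use this against real telemetry, normalize each auditd SYSCALL record (write, execve, ptrace, mprotect) or Endpoint Security message (EXEC, MMAP, OPEN) into an Event and feed the batch to correlate(). The MemoryWriteTargets element maps onto a filter applied to the follow_on list, for example dropping modify events whose target_pid is an allowed debugger or profiler, and the static scores from the file-content heuristics can be merged into the alert dict before it is emitted.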