Detects the creation or execution of padded binary files (large on disk but with little legitimate content), followed by process execution or lateral movement from the host.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| File Access (DC0055) | WinEventLog:Security | EventCode=4663 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |

| Field | Description |
|---|---|
| FileSizeThresholdMB | Threshold size in MB to determine suspicious padding |
| TimeWindow | Correlation time window between file creation and execution |
| UserContext | Scope the detection to suspicious or non-standard user accounts |

Detects abnormal creation of binary files with significant size that are subsequently executed or accessed by non-standard users.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | auditd:SYSCALL | open |
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| File Creation (DC0039) | linux:osquery | file_events |

| Field | Description |
|---|---|
| FileSizeThresholdMB | Defines how large a file must be to consider it padded |
| UserContext | Target abnormal user behavior outside of expected automation |
| TimeWindow | Time window for correlating file creation and execution |

Monitors for anomalous binary files written to disk with padded size and subsequent execution by user or service context.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | process:spawn |
| File Creation (DC0039) | fs:fsusage | file write |

| Field | Description |
|---|---|
| FileSizeThresholdMB | Padded binary threshold for file size |
| TimeWindow | Detection correlation window for execution after file creation |
| UserContext | Filters for specific users or groups such as admin or service accounts |
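
The correlation the three analytics describe, written out as an added example (not code from the page or from any detection platform): a file at or above FileSizeThresholdMB is created, then executed within TimeWindow by a user outside the UserContext allow-list. Event shapes, field names and sample telemetry are assumed; they are modelled loosely on an osquery file_events row (which carries a size column) and a normalised auditd execve record, and a small helper estimates how much of a file is trailing padding.

```python
# Added example (not from the page): correlate an oversized file's creation with
# its later execution using the page's FileSizeThresholdMB, TimeWindow and
# UserContext tunables. Event shapes are assumed (loosely osquery file_events,
# which carries size, and a normalised auditd execve record).
from datetime import datetime, timedelta

FILE_SIZE_THRESHOLD_MB = 50                      # FileSizeThresholdMB
TIME_WINDOW = timedelta(minutes=10)              # TimeWindow
EXPECTED_AUTOMATION_USERS = {"root", "jenkins"}  # UserContext (assumed allow-list)

# Constructed sample telemetry, not real data.
FILE_EVENTS = [
    {"time": "2024-05-01T10:00:00", "target_path": "/tmp/update", "size": 120 * 2**20, "action": "CREATED"},
    {"time": "2024-05-01T09:00:00", "target_path": "/opt/app/bin/svc", "size": 300 * 2**20, "action": "CREATED"},
    {"time": "2024-05-01T10:05:00", "target_path": "/tmp/small.sh", "size": 2048, "action": "CREATED"},
]
EXEC_EVENTS = [
    {"time": "2024-05-01T10:03:00", "exe": "/tmp/update", "user": "alice"},
    {"time": "2024-05-01T09:01:00", "exe": "/opt/app/bin/svc", "user": "root"},  # expected automation
    {"time": "2024-05-01T10:06:00", "exe": "/tmp/small.sh", "user": "alice"},    # below size threshold
    {"time": "2024-05-01T11:30:00", "exe": "/tmp/update", "user": "alice"},      # outside TimeWindow
]

def padding_ratio(data: bytes) -> float:
    """Fraction of the file that is a trailing run of one repeated byte; a high
    value supports the 'large size but minimal legitimate content' judgement."""
    if not data:
        return 0.0
    last = data[-1:]
    run = len(data) - len(data.rstrip(last))
    return run / len(data)

def padded_binary_executions(file_events, exec_events, threshold_mb=FILE_SIZE_THRESHOLD_MB,
                             window=TIME_WINDOW, expected_users=EXPECTED_AUTOMATION_USERS):
    """Alert when a file at or above threshold_mb is executed within `window` of
    its creation by a user outside the expected automation set."""
    created_at = {}  # path -> list of creation timestamps above the size threshold
    for fe in file_events:
        if fe["action"] == "CREATED" and fe["size"] >= threshold_mb * 2**20:
            created_at.setdefault(fe["target_path"], []).append(datetime.fromisoformat(fe["time"]))
    alerts = []
    for ev in exec_events:
        if ev["user"] in expected_users:
            continue  # UserContext: scoped-out automation account
        for t_create in created_at.get(ev["exe"], []):
            delta = datetime.fromisoformat(ev["time"]) - t_create
            if timedelta(0) <= delta <= window:  # executed after creation, inside TimeWindow
                alerts.append({"path": ev["exe"], "user": ev["user"], "seconds_after_create": int(delta.total_seconds())})
    return alerts
```

Run against the constructed events, only the /tmp/update execution by alice at 10:03 fires; the root execution is scoped out, /tmp/small.sh is below the threshold, and the 11:30 execution falls outside the window.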