Binary Padding

From ATT&CK
Jump to: navigation, search
Binary Padding
Technique
ID T1009
Tactic Defense Evasion
Platform Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1
Defense Bypassed Anti-virus, Signature-based detection
CAPEC ID CAPEC-572

Some security tools inspect files with static signatures to determine if they are known malicious. Adversaries may add data to files to increase the size beyond what security tools are capable of handling or to change the file hash to avoid hash-based blacklists.

Examples

  • Moafee has been known to employ binary padding.1
  • A variant of Emissary appends junk data to the end of its DLL file to create a large file that may exceed the maximum size that anti-virus programs can scan.2
  • A version of XTunnel introduced in July 2015 inserted junk code into the binary in a likely attempt to obfuscate it and bypass security products.3
  • CORESHELL contains unused machine instructions in a likely attempt to hinder analysis.4

Mitigation

Identify potentially malicious software that may be executed from a padded or otherwise obfuscated binary, and audit and/or block it by using whitelisting5 tools, like AppLocker,67 or Software Restriction Policies8 where appropriate.9

Detection

Depending on the method used to pad files, a file-based signature may be capable of detecting padding using a scanning or on-access based tool.

When executed, the resulting process from padded files may also exhibit other behavior characteristics of being used to conduct an intrusion such as system and network information Discovery or Lateral Movement, which could be used as event indicators that point to the source file.