DET0553 Detection Strategy for Obfuscated Files or Information: Binary Padding

| Item | Value |
|---|---|
| ID | DET0553 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1027.001 (Binary Padding)

Analytics

Windows

AN1528

Detects the creation or execution of padded binary files (e.g., large size but minimal legitimate content) followed by process execution or lateral movement from the host.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| File Access (DC0055) | WinEventLog:Security | EventCode=4663, 4670, 4656 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |

Mutable Elements

| Field | Description |
|---|---|
| FileSizeThresholdMB | Threshold size in MB to determine suspicious padding |
| TimeWindow | Correlation time window between file creation and execution |
| UserContext | Scope the detection to suspicious or non-standard user accounts |

Linux

AN1529

Detects abnormal creation of binary files with significant size that are subsequently executed or accessed by non-standard users.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | auditd:SYSCALL | open |
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| File Creation (DC0039) | linux:osquery | file_events |

Mutable Elements

| Field | Description |
|---|---|
| FileSizeThresholdMB | Defines how large a file must be to consider it padded |
| UserContext | Target abnormal user behavior outside of expected automation |
| TimeWindow | Time window for correlating file creation and execution |
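The correlation that AN1528 and AN1529 describe (oversized file written, then executed within a window by a user outside the expected set) as an added worked example; this is not MITRE's analytic code, and the event records, thresholds and the expected-user set are constructed assumptions standing in for osquery file_events and auditd execve rows.

```python
from datetime import datetime, timedelta

# Tunables mirroring the strategy's mutable elements (values are assumptions).
FILE_SIZE_THRESHOLD_MB = 50            # FileSizeThresholdMB
TIME_WINDOW = timedelta(minutes=30)    # TimeWindow
EXPECTED_USERS = {"root", "builder"}   # UserContext: accounts whose executions are expected

# Constructed sample events, not real telemetry. "create" rows stand in for
# osquery file_events (target_path, size, uid); "exec" rows for auditd execve (exe, uid).
SAMPLE_EVENTS = [
    {"type": "create", "time": "2025-10-21T10:00:00", "path": "/tmp/update.bin", "size_mb": 120, "user": "www-data"},
    {"type": "create", "time": "2025-10-21T10:01:00", "path": "/opt/app/big.db", "size_mb": 300, "user": "root"},
    {"type": "exec",   "time": "2025-10-21T10:05:00", "path": "/tmp/update.bin", "user": "www-data"},
    {"type": "exec",   "time": "2025-10-21T10:06:00", "path": "/opt/app/big.db", "user": "root"},
    {"type": "create", "time": "2025-10-21T11:00:00", "path": "/tmp/small.sh", "size_mb": 0.01, "user": "www-data"},
    {"type": "exec",   "time": "2025-10-21T11:00:30", "path": "/tmp/small.sh", "user": "www-data"},
    {"type": "create", "time": "2025-10-21T12:00:00", "path": "/tmp/late.bin", "size_mb": 90, "user": "www-data"},
    {"type": "exec",   "time": "2025-10-21T14:00:00", "path": "/tmp/late.bin", "user": "www-data"},
]

def correlate_padded_executions(events, size_threshold_mb=FILE_SIZE_THRESHOLD_MB,
                                time_window=TIME_WINDOW, expected_users=EXPECTED_USERS):
    """Return (path, user) pairs where a file at or above the size threshold was
    created and then executed inside the time window by a user not in expected_users."""
    candidates = {}  # path -> creation time of the most recent oversized write
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["type"] == "create":
            if ev["size_mb"] >= size_threshold_mb:
                candidates[ev["path"]] = ts
            else:
                candidates.pop(ev["path"], None)  # rewritten below threshold: drop it
        elif ev["type"] == "exec":
            created = candidates.get(ev["path"])
            if created is None or ts - created > time_window:
                continue  # no oversized creation, or outside the correlation window
            if ev["user"] in expected_users:
                continue  # execution by an account UserContext treats as normal
            alerts.append((ev["path"], ev["user"]))
    return alerts

if __name__ == "__main__":
    for path, user in correlate_padded_executions(SAMPLE_EVENTS):
        print(f"ALERT padded-binary execution: {path} by {user}")
```

On the sample set only /tmp/update.bin fires: big.db is run by an expected user, small.sh is under the threshold, and late.bin is executed two hours after creation, outside the window.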

macOS

AN1530

Monitors for anomalous binary files written to disk with padded size and subsequent execution by user or service context.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | process:spawn |
| File Creation (DC0039) | fs:fsusage | file write |

Mutable Elements

| Field | Description |
|---|---|
| FileSizeThresholdMB | Padded binary threshold for file size |
| TimeWindow | Detection correlation window for execution after file creation |
| UserContext | Filters for specific users or groups such as admin or service accounts |