Binary Padding - T1027.001
(ATT&CK® Technique)
Definition
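Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but it can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. Because the padding alters the file's bytes, the file's hash changes as well, so a control that matches only on a known file hash, or that skips files above a maximum scan size, may not recognize a padded sample.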
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
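%% D3FEND relationships for ATT&CK T1027.001 (Binary Padding).
%% Solid edges: how a technique relates to the Executable Binary artifact.
%% Dotted "may-*" edges: the relationship between a defensive technique and
%% T1027.001. The section heading presents these as inferred, so treat each one
%% as a candidate countermeasure to validate, not as guaranteed coverage.
graph LR;
    %% Offensive technique and the artifact it modifies.
    T1027001["Binary Padding"] --> |modifies| ExecutableBinary["Executable Binary"];
    class T1027001 OffensiveTechniqueNode;
    class ExecutableBinary ArtifactNode;
    click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary";
    click T1027001 href "/offensive-technique/attack/T1027.001/";

    %% Analysis techniques (may-detect).
    %% NOTE(review): the page's definition says padding can push a file past a
    %% tool's size limit; confirm how each analysis tool handles oversized files.
    DynamicAnalysis["Dynamic Analysis"] --> | analyzes | ExecutableBinary["Executable Binary"];
    DynamicAnalysis["Dynamic Analysis"] -.-> | may-detect | T1027001["Binary Padding"];
    class DynamicAnalysis DefensiveTechniqueNode;
    click DynamicAnalysis href "/technique/d3f:DynamicAnalysis";

    %% Execution control (may-isolate).
    %% NOTE(review): padding changes the file's bytes, so a denylist keyed on an
    %% exact file hash will presumably not match a padded copy; confirm what the
    %% denylist actually matches on.
    ExecutableDenylisting["Executable Denylisting"] --> | blocks | ExecutableBinary["Executable Binary"];
    ExecutableDenylisting["Executable Denylisting"] -.-> | may-isolate | T1027001["Binary Padding"];
    class ExecutableDenylisting DefensiveTechniqueNode;
    click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting";

    ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | ExecutableBinary["Executable Binary"];
    ExecutableAllowlisting["Executable Allowlisting"] -.-> | may-isolate | T1027001["Binary Padding"];
    class ExecutableAllowlisting DefensiveTechniqueNode;
    click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting";

    EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | ExecutableBinary["Executable Binary"];
    EmulatedFileAnalysis["Emulated File Analysis"] -.-> | may-detect | T1027001["Binary Padding"];
    class EmulatedFileAnalysis DefensiveTechniqueNode;
    click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis";

    FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | ExecutableBinary["Executable Binary"];
    FileIntegrityMonitoring["File Integrity Monitoring"] -.-> | may-detect | T1027001["Binary Padding"];
    class FileIntegrityMonitoring DefensiveTechniqueNode;
    click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring";

    %% Deception (may-deceive).
    DecoyFile["Decoy File"] --> | spoofs | ExecutableBinary["Executable Binary"];
    DecoyFile["Decoy File"] -.-> | may-deceive | T1027001["Binary Padding"];
    class DecoyFile DefensiveTechniqueNode;
    click DecoyFile href "/technique/d3f:DecoyFile";

    %% Access restriction (may-isolate).
    LocalFilePermissions["Local File Permissions"] --> | restricts | ExecutableBinary["Executable Binary"];
    LocalFilePermissions["Local File Permissions"] -.-> | may-isolate | T1027001["Binary Padding"];
    class LocalFilePermissions DefensiveTechniqueNode;
    click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";

    %% Recovery and eviction (may-restore, may-evict).
    RestoreFile["Restore File"] --> | restores | ExecutableBinary["Executable Binary"];
    RestoreFile["Restore File"] -.-> | may-restore | T1027001["Binary Padding"];
    class RestoreFile DefensiveTechniqueNode;
    click RestoreFile href "/technique/d3f:RestoreFile";

    FileEviction["File Eviction"] --> | deletes | ExecutableBinary["Executable Binary"];
    FileEviction["File Eviction"] -.-> | may-evict | T1027001["Binary Padding"];
    class FileEviction DefensiveTechniqueNode;
    click FileEviction href "/technique/d3f:FileEviction";

    %% Hardening (may-harden).
    FileEncryption["File Encryption"] --> | encrypts | ExecutableBinary["Executable Binary"];
    FileEncryption["File Encryption"] -.-> | may-harden | T1027001["Binary Padding"];
    class FileEncryption DefensiveTechniqueNode;
    click FileEncryption href "/technique/d3f:FileEncryption";

    FileAnalysis["File Analysis"] --> | analyzes | ExecutableBinary["Executable Binary"];
    FileAnalysis["File Analysis"] -.-> | may-detect | T1027001["Binary Padding"];
    class FileAnalysis DefensiveTechniqueNode;
    click FileAnalysis href "/technique/d3f:FileAnalysis";

    RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | ExecutableBinary["Executable Binary"];
    RemoteFileAccessMediation["Remote File Access Mediation"] -.-> | may-isolate | T1027001["Binary Padding"];
    class RemoteFileAccessMediation DefensiveTechniqueNode;
    click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";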