capa-rules

padded

Status: Open. Ana06 opened this issue 3 years ago (2 comments).

Rule name

padded

Summary

Detect files which contain padding with extraneous data such as zeros or random bytes. Sometimes used to evade antivirus engines that will not scan files above a set size limit.

Detecting zeros is easy, but not random bytes. One idea is to detect random padding by looking for an unusual amount of zeros with regular expressions.

Possible test samples

Publicly available samples that may contain the capability this rule should detect (MD5 hashes):

  • 3a71311ac69f26e478e2d80541e9a412 (capa is not able to run on this sample at the moment, this is caused by a bug on vivisect: https://github.com/vivisect/vivisect/issues/391)

References

Links or references to additional information on the capability (can also be included in the rule):

  • https://attack.mitre.org/techniques/T1027/001/

Namespace

Proposed namespace: anti-analysis/padding. More details in https://github.com/fireeye/capa-rules/blob/master/doc/format.md#rule-namespace

att&ck

aka.mitre.att&ck.t1027.001

Ana06, Apr 19 '21 10:04

For PE files, compare the PE size via header values vs. the file size.

mr-tz, Apr 20 '21 07:04
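A possible implementation of the two checks discussed in this thread, the header-size-vs-file-size comparison from the comment above and the zero/random-bytes classification from the issue summary, as an added Python example that is not part of capa or capa-rules. The PE header parsing follows the PE/COFF layout; the thresholds, the function names and the constructed minimal sample image are assumptions made for illustration. Bytes past the end of the last section's raw data are the "overlay"; the example also honours the Authenticode certificate table (data directory 4), which legitimately lives in the overlay, so a signed file is not mistaken for a padded one.

```python
import math
import random
import struct

# Added example for the "padded" rule discussed in this issue. The heuristics,
# thresholds, function names and the constructed sample PE below are assumptions
# made for illustration; none of this is capa's or capa-rules' own code.

ZERO_FRACTION_THRESHOLD = 0.99  # assumed: overlay is "zero padding" above this share of 0x00
RANDOM_ENTROPY_THRESHOLD = 7.5  # assumed: bits/byte; overlay is "random padding" above this
MIN_OVERLAY_BYTES = 1024        # assumed: ignore tiny overlays (alignment slop etc.)


def expected_pe_size(data: bytes) -> int:
    """Size the PE headers account for: end of the last section's raw data, or the end of
    the Authenticode certificate table if that lies beyond it (signatures sit after the
    sections and must not be reported as padding)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]   # IMAGE_FILE_HEADER.NumberOfSections
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]   # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: NumberOfRvaAndSizes at +92, data directories at +96
        dd_count_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:  # PE32+: NumberOfRvaAndSizes at +108, data directories at +112
        dd_count_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)

    end = 0
    sections = opt + size_of_opt  # section table directly follows the optional header
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20
        raw_size, raw_ptr = struct.unpack_from("<II", data, sections + i * 40 + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)

    # Data directory 4 (IMAGE_DIRECTORY_ENTRY_SECURITY) stores a file offset, not an RVA.
    if size_of_opt >= dd_off - opt + 5 * 8 and struct.unpack_from("<I", data, dd_count_off)[0] > 4:
        cert_off, cert_size = struct.unpack_from("<II", data, dd_off + 4 * 8)
        if cert_size:
            end = max(end, cert_off + cert_size)
    return end


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; ~8.0 for random data, 0.0 for a single repeated value."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_overlay(data: bytes) -> dict:
    """Compare header-derived size with the real size and characterise the excess bytes."""
    expected = expected_pe_size(data)
    overlay = data[expected:]
    r = {
        "expected_size": expected,
        "actual_size": len(data),
        "overlay_size": len(overlay),
        "zero_fraction": overlay.count(0) / len(overlay) if overlay else 0.0,
        "entropy": shannon_entropy(overlay),
    }
    if len(overlay) < MIN_OVERLAY_BYTES:
        r["verdict"] = "none"
    elif r["zero_fraction"] >= ZERO_FRACTION_THRESHOLD:
        r["verdict"] = "zero-padding"
    elif r["entropy"] >= RANDOM_ENTROPY_THRESHOLD:
        r["verdict"] = "random-padding"
    else:
        r["verdict"] = "overlay"  # something else appended (installer payload, ...); review manually
    return r


def pseudo_random_bytes(n: int, seed: int = 1) -> bytes:
    """Deterministic stand-in for random padding so the example is reproducible."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def build_sample_pe(overlay: bytes = b"", signed: bool = False) -> bytes:
    """Constructed minimal PE32: 512 bytes of headers, one 512-byte .text section, then
    `overlay`. With signed=True the security directory claims the overlay as a certificate."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, 224-byte opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 96 + 4 * 8, 0x400, len(overlay))  # security dir -> overlay
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(0x200, b"\0")
    text = bytes(range(256)) * 2                                   # 512 deterministic "code" bytes
    return headers + text + overlay


if __name__ == "__main__":
    for label, sample in [("clean", build_sample_pe()),
                          ("zero-padded", build_sample_pe(b"\0" * 4096)),
                          ("random-padded", build_sample_pe(pseudo_random_bytes(4096))),
                          ("signed", build_sample_pe(pseudo_random_bytes(4096), signed=True))]:
        r = classify_overlay(sample)
        print(f"{label:14s} expected={r['expected_size']:5d} actual={r['actual_size']:5d} "
              f"entropy={r['entropy']:.2f} -> {r['verdict']}")
```

The size comparison is the robust part; the entropy and zero-fraction cut-offs only decide what kind of overlay was found, and a legitimate overlay (an installer's payload, for instance) still lands in the "overlay" bucket, so a rule built on this would need the file-size feature and an analyst's judgement rather than a single threshold.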

This likely requires (a) new feature(s).

mr-tz, Jun 21 '21 11:06