security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1027.001/T1027.001.yaml
T
Hare Sudhan 62a85c12b5 FreeBSD changes (#2585) 
* freebsd changes

* renaming freebsd to linux
2023-11-06 17:41:43 -05:00

63 lines
2.1 KiB
YAML
Raw Permalink Blame History

attack_technique: T1027.001
display_name: 'Obfuscated Files or Information: Binary Padding'
atomic_tests:
- name: Pad Binary to Change Hash - Linux/macOS dd
auto_generated_guid: ffe2346c-abd5-4b45-a713-bf5f1ebd573a
description: |
Uses dd to add a zero byte, high-quality random data, and low-quality random data to the binary to change the hash.
Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change.
supported_platforms:
- linux
- macos
input_arguments:
file_to_pad:
description: Path of binary to be padded
type: path
default: /tmp/evil-binary
dependency_executor_name: sh
dependencies:
- description: |
The binary must exist on disk at specified location (#{file_to_pad})
prereq_command: |
if [ -f #{file_to_pad} ]; then exit 0; else exit 1; fi;
get_prereq_command: |
cp /bin/ls #{file_to_pad}
executor:
command: |
dd if=/dev/zero bs=1 count=1 >> #{file_to_pad} #adds null bytes
dd if=/dev/random bs=1 count=1 >> #{file_to_pad} #adds high-quality random data
dd if=/dev/urandom bs=1 count=1 >> #{file_to_pad} #adds low-quality random data
cleanup_command: |
rm #{file_to_pad}
name: sh
- name: Pad Binary to Change Hash using truncate command - Linux/macOS
auto_generated_guid: e22a9e89-69c7-410f-a473-e6c212cd2292
description: |
Uses truncate to add a byte to the binary to change the hash.
Upon successful execution, truncate will modify `/tmp/evil-binary`, therefore the expected hash will change.
supported_platforms:
- linux
- macos
input_arguments:
file_to_pad:
description: Path of binary to be padded
type: path
default: /tmp/evil-binary
dependency_executor_name: sh
dependencies:
- description: |
The binary must exist on disk at specified location (#{file_to_pad})
prereq_command: |
if [ -f #{file_to_pad} ]; then exit 0; else exit 1; fi;
get_prereq_command: |
cp /bin/ls #{file_to_pad}
executor:
command: |
truncate -s +1 #{file_to_pad} #adds a byte to the file size
cleanup_command: |
rm #{file_to_pad}
name: sh
Reference in New Issue View Git Blame Copy Permalink