Atomic Red Team doc generator
178 lines
4.5 KiB
Markdown
178 lines
4.5 KiB
Markdown
# T1027.002 - Obfuscated Files or Information: Software Packing
|
|
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1027/002)
|
|
<blockquote>
|
|
|
|
Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018)
|
|
|
|
Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.(Citation: Awesome Executable Packing)
|
|
|
|
</blockquote>
|
|
|
|
## Atomic Tests
|
|
|
|
- [Atomic Test #1 - Binary simply packed by UPX (linux)](#atomic-test-1---binary-simply-packed-by-upx-linux)
|
|
|
|
- [Atomic Test #2 - Binary packed by UPX, with modified headers (linux)](#atomic-test-2---binary-packed-by-upx-with-modified-headers-linux)
|
|
|
|
- [Atomic Test #3 - Binary simply packed by UPX](#atomic-test-3---binary-simply-packed-by-upx)
|
|
|
|
- [Atomic Test #4 - Binary packed by UPX, with modified headers](#atomic-test-4---binary-packed-by-upx-with-modified-headers)
|
|
|
|
|
|
<br/>
|
|
|
|
## Atomic Test #1 - Binary simply packed by UPX (linux)
|
|
Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX.
|
|
No other protection/compression were applied.
|
|
|
|
**Supported Platforms:** Linux
|
|
|
|
|
|
**auto_generated_guid:** 11c46cd8-e471-450e-acb8-52a1216ae6a4
|
|
|
|
|
|
|
|
|
|
|
|
#### Inputs:
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| bin_path | Packed binary | path | PathToAtomicsFolder/T1027.002/bin/linux/test_upx|
|
|
|
|
|
|
#### Attack Commands: Run with `sh`!
|
|
|
|
|
|
```sh
|
|
cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
|
|
```
|
|
|
|
#### Cleanup Commands:
|
|
```sh
|
|
rm /tmp/packed_bin
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #2 - Binary packed by UPX, with modified headers (linux)
|
|
Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX.
|
|
|
|
The UPX magic number (`0x55505821`, "`UPX!`") was changed to (`0x4c4f5452`, "`LOTR`"). This prevents the binary from being detected
|
|
by some methods, and especially UPX is not able to uncompress it any more.
|
|
|
|
**Supported Platforms:** Linux
|
|
|
|
|
|
**auto_generated_guid:** f06197f8-ff46-48c2-a0c6-afc1b50665e1
|
|
|
|
|
|
|
|
|
|
|
|
#### Inputs:
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| bin_path | Packed binary | path | PathToAtomicsFolder/T1027.002/bin/linux/test_upx_header_changed|
|
|
|
|
|
|
#### Attack Commands: Run with `sh`!
|
|
|
|
|
|
```sh
|
|
cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
|
|
```
|
|
|
|
#### Cleanup Commands:
|
|
```sh
|
|
rm /tmp/packed_bin
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #3 - Binary simply packed by UPX
|
|
Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX.
|
|
No other protection/compression were applied.
|
|
|
|
**Supported Platforms:** macOS
|
|
|
|
|
|
**auto_generated_guid:** b16ef901-00bb-4dda-b4fc-a04db5067e20
|
|
|
|
|
|
|
|
|
|
|
|
#### Inputs:
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| bin_path | Packed binary | path | PathToAtomicsFolder/T1027.002/bin/darwin/test_upx|
|
|
|
|
|
|
#### Attack Commands: Run with `sh`!
|
|
|
|
|
|
```sh
|
|
cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
|
|
```
|
|
|
|
#### Cleanup Commands:
|
|
```sh
|
|
rm /tmp/packed_bin
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #4 - Binary packed by UPX, with modified headers
|
|
Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX.
|
|
|
|
The UPX magic number (`0x55505821`, "`UPX!`") was changed to (`0x4c4f5452`, "`LOTR`"). This prevents the binary from being detected
|
|
by some methods, and especially UPX is not able to uncompress it any more.
|
|
|
|
**Supported Platforms:** macOS
|
|
|
|
|
|
**auto_generated_guid:** 4d46e16b-5765-4046-9f25-a600d3e65e4d
|
|
|
|
|
|
|
|
|
|
|
|
#### Inputs:
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| bin_path | Packed binary | path | PathToAtomicsFolder/T1027.002/bin/darwin/test_upx_header_changed|
|
|
|
|
|
|
#### Attack Commands: Run with `sh`!
|
|
|
|
|
|
```sh
|
|
cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
|
|
```
|
|
|
|
#### Cleanup Commands:
|
|
```sh
|
|
rm /tmp/packed_bin
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|