security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1027.002/T1027.002.yaml
T
Alonso Cárdenas f1c5a9be03 Add FreeBSD support
2023-05-08 11:06:08 -05:00

81 lines
2.8 KiB
YAML
Raw Permalink Blame History

attack_technique: T1027.002
display_name: 'Obfuscated Files or Information: Software Packing'
atomic_tests:
- name: Binary simply packed by UPX (linux)
auto_generated_guid: 11c46cd8-e471-450e-acb8-52a1216ae6a4
description: |
Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX.
No other protection/compression were applied.
supported_platforms:
- linux
input_arguments:
bin_path:
description: Packed binary
type: path
default: PathToAtomicsFolder/T1027.002/bin/linux/test_upx
executor:
command: |
cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
cleanup_command: |
rm /tmp/packed_bin
name: sh
- name: Binary packed by UPX, with modified headers (linux)
auto_generated_guid: f06197f8-ff46-48c2-a0c6-afc1b50665e1
description: |
Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX.
The UPX magic number (`0x55505821`, "`UPX!`") was changed to (`0x4c4f5452`, "`LOTR`"). This prevents the binary from being detected
by some methods, and especially UPX is not able to uncompress it any more.
supported_platforms:
- linux
input_arguments:
bin_path:
description: Packed binary
type: path
default: PathToAtomicsFolder/T1027.002/bin/linux/test_upx_header_changed
executor:
command: |
cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
cleanup_command: |
rm /tmp/packed_bin
name: sh
- name: Binary simply packed by UPX
auto_generated_guid: b16ef901-00bb-4dda-b4fc-a04db5067e20
description: |
Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX.
No other protection/compression were applied.
supported_platforms:
- macos
input_arguments:
bin_path:
description: Packed binary
type: path
default: PathToAtomicsFolder/T1027.002/bin/darwin/test_upx
executor:
command: |
cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
cleanup_command: |
rm /tmp/packed_bin
name: sh
- name: Binary packed by UPX, with modified headers
auto_generated_guid: 4d46e16b-5765-4046-9f25-a600d3e65e4d
description: |
Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX.
The UPX magic number (`0x55505821`, "`UPX!`") was changed to (`0x4c4f5452`, "`LOTR`"). This prevents the binary from being detected
by some methods, and especially UPX is not able to uncompress it any more.
supported_platforms:
- macos
input_arguments:
bin_path:
description: Packed binary
type: path
default: PathToAtomicsFolder/T1027.002/bin/darwin/test_upx_header_changed
executor:
command: |
cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
cleanup_command: |
rm /tmp/packed_bin
name: sh
Reference in New Issue View Git Blame Copy Permalink