Atomic Red Team doc generator
100 lines
4.8 KiB
Markdown
100 lines
4.8 KiB
Markdown
# T1027.013 - Obfuscated Files or Information: Encrypted/Encoded File
|
|
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1027/013)
|
|
<blockquote>
|
|
|
|
Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within a file used in an intrusion. Many other techniques, such as [Software Packing](https://attack.mitre.org/techniques/T1027/002), [Steganography](https://attack.mitre.org/techniques/T1027/003), and [Embedded Payloads](https://attack.mitre.org/techniques/T1027/009), share this same broad objective. Encrypting and/or encoding files could lead to a lapse in detection of static signatures, only for this malicious content to be revealed (i.e., [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)) at the time of execution/use.
|
|
|
|
This type of file obfuscation can be applied to many file artifacts present on victim hosts, such as malware log/configuration and payload files.(Citation: File obfuscation) Files can be encrypted with a hardcoded or user-supplied key, as well as otherwise obfuscated using standard encoding schemes such as Base64.
|
|
|
|
The entire content of a file may be obfuscated, or just specific functions or values (such as C2 addresses). Encryption and encoding may also be applied in redundant layers for additional protection.
|
|
|
|
For example, adversaries may abuse password-protected Word documents or self-extracting (SFX) archives as a method of encrypting/encoding a file such as a [Phishing](https://attack.mitre.org/techniques/T1566) payload. These files typically function by attaching the intended archived content to a decompressor stub that is executed when the file is invoked (e.g., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: SFX - Encrypted/Encoded File)
|
|
|
|
Adversaries may also abuse file-specific as well as custom encoding schemes. For example, Byte Order Mark (BOM) headers in text files may be abused to manipulate and obfuscate file content until [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) execution.
|
|
|
|
</blockquote>
|
|
|
|
## Atomic Tests
|
|
|
|
- [Atomic Test #1 - Decode Eicar File and Write to File](#atomic-test-1---decode-eicar-file-and-write-to-file)
|
|
|
|
- [Atomic Test #2 - Decrypt Eicar File and Write to File](#atomic-test-2---decrypt-eicar-file-and-write-to-file)
|
|
|
|
|
|
<br/>
|
|
|
|
## Atomic Test #1 - Decode Eicar File and Write to File
|
|
Decode the eicar value, and write it to file, for AV/EDR to try to catch.
|
|
|
|
**Supported Platforms:** Windows, macOS, Linux
|
|
|
|
|
|
**auto_generated_guid:** 7693ccaa-8d64-4043-92a5-a2eb70359535
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#### Attack Commands: Run with `powershell`!
|
|
|
|
|
|
```powershell
|
|
$encodedString = "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="
|
|
$bytes = [System.Convert]::FromBase64String($encodedString)
|
|
$decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
|
|
|
|
#write the decoded eicar string to file
|
|
$decodedString | Out-File T1027.013_decodedEicar.txt
|
|
```
|
|
|
|
#### Cleanup Commands:
|
|
```powershell
|
|
Just delete the resulting T1027.013_decodedEicar.txt file.
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #2 - Decrypt Eicar File and Write to File
|
|
Decrypt the eicar value, and write it to file, for AV/EDR to try to catch.
|
|
|
|
**Supported Platforms:** Windows, macOS, Linux
|
|
|
|
|
|
**auto_generated_guid:** b404caaa-12ce-43c7-9214-62a531c044f7
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#### Attack Commands: Run with `powershell`!
|
|
|
|
|
|
```powershell
|
|
$encryptedString = "76492d1116743f0423413b16050a5345MgB8AGkASwA0AHMAbwBXAFoAagBkAFoATABXAGIAdAA5AFcAWAB1AFMANABVAEEAPQA9AHwAZQBjAGMANgAwADQAZAA0AGQAMQAwADUAYgA4ADAAMgBmADkAZgBjADEANQBjAGMANQBiAGMANwA2AGYANQBmADUANABhAGIAYgAyAGMANQA1AGQAMgA5ADEANABkADUAMgBiAGMANgA2AGMAMAAxADUAZABjADAAOABjAGIANAA1ADUANwBjADcAZQBlAGQAYgAxADEAOQA4AGIAMwAwADMANwAwADAANQA2ADQAOAA4ADkAZgA4ADMAZQA4ADgAOQBiAGEAMAA2ADMAMQAyADYAMwBiAGUAMAAxADgANAA0ADYAOAAxADQANQAwAGUANwBkADkANABjADcANQAxADgAYQA2ADMANQA4AGIAYgA1ADkANQAzAGIAMwAxADYAOAAwADQAMgBmADcAZQBjADYANQA5AGIANwBkADUAOAAyAGEAMgBiADEAMQAzAGQANABkADkAZgA3ADMAMABiADgAOQAxADAANAA4ADcAOQA5ADEAYQA1ADYAZAAzADQANwA3AGYANgAyADcAMAAwADEAMQA4ADEAZgA5ADUAYgBmAGYANQA3ADQAZQA4AGUAMAAxADUANwAwAGQANABiADMAMwA2ADgANwA0AGIANwAyADMAMQBhADkAZABhADEANQAzADQAMgAzADEANwAxADAAZgAxADkAYQA1ADEAMQA="
|
|
$key = [byte]1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32
|
|
|
|
$decrypt = ConvertTo-SecureString -String $encryptedString -Key $key
|
|
$decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt))
|
|
|
|
#Write the decrypted eicar string to a file
|
|
$decryptedString | out-file T1027.013_decryptedEicar.txt
|
|
```
|
|
|
|
#### Cleanup Commands:
|
|
```powershell
|
|
Just delete the resulting T1027.013_decryptedEicar.txt file.
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|