Try it using Invoke-Atomic

Obfuscated Files or Information: Binary Padding

Description from ATT&CK

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.

Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ)

Atomic Tests

Atomic Test #1 - Pad Binary to Change Hash - Linux/macOS dd

Uses dd to add a zero byte, high-quality random data, and low-quality random data to the binary to change the hash.

Upon successful execution, dd will modify 

1

/tmp/evil-binary
, therefore the expected hash will change.

Supported Platforms: freebsd,macos,linux

auto_generated_guid: ffe2346c-abd5-4b45-a713-bf5f1ebd573a

Inputs:

Name Description Type Default Value
file_to_pad Path of binary to be padded path /tmp/evil-binary

Attack Commands: Run with sh!

1
2
3
4

dd if=/dev/zero bs=1 count=1 >> #{file_to_pad} #adds null bytes
dd if=/dev/random bs=1 count=1 >> #{file_to_pad} #adds high-quality random data
dd if=/dev/urandom bs=1 count=1 >> #{file_to_pad} #adds low-quality random data

Cleanup Commands:

1
2

rm #{file_to_pad}

Dependencies: Run with sh!

Description: The binary must exist on disk at specified location (#{file_to_pad})

Check Prereq Commands:

1
2

if [ -f #{file_to_pad} ]; then exit 0; else exit 1; fi;

Get Prereq Commands:

1
2

cp /bin/ls #{file_to_pad}

Atomic Test #2 - Pad Binary to Change Hash using truncate command - Linux/macOS

Uses truncate to add a byte to the binary to change the hash.

Upon successful execution, truncate will modify 

1

/tmp/evil-binary
, therefore the expected hash will change.

Supported Platforms: freebsd,macos,linux

auto_generated_guid: e22a9e89-69c7-410f-a473-e6c212cd2292

Inputs:

Name Description Type Default Value
file_to_pad Path of binary to be padded path /tmp/evil-binary

Attack Commands: Run with sh!

1
2

truncate -s +1 #{file_to_pad} #adds a byte to the file size

Cleanup Commands:

1
2

rm #{file_to_pad}

Dependencies: Run with sh!

Description: The binary must exist on disk at specified location (#{file_to_pad})

Check Prereq Commands:

1
2

if [ -f #{file_to_pad} ]; then exit 0; else exit 1; fi;

Get Prereq Commands:

1
2

cp /bin/ls #{file_to_pad}

source