Capability Diffusion - Sound of Silence - Basic Example.

README.md

A very common, well known way to conceal operations is a method called Capabiliites Diffusion.

This splits out various parts of your tasking and modules.

Xref: Execution Guardrails

https://attack.mitre.org/techniques/T1480/

By following a basic pattern like App Configurations you can start to see how existing patterns work quite well for this.

Allows a single binary to transform based on the configuration its given.

It splits artifacts as well (Horcrux) so that you can exploit the single file bias.

Defenders must have ALL parts or none to analyze.

HelloWorld.cs

using System;
using System.Configuration;
using System.IO;
using System.Net;

namespace HelloWorldLib
{
    public class HelloWorld
    {
        private static Configuration _config;
        
        public static void SetConfigPath(string configPath)
        {
            string localPath = configPath;
            
            if (configPath.StartsWith("http://") || configPath.StartsWith("https://"))
            {
                using (WebClient client = new WebClient())
                {
                    string tempFile = Path.Combine(Path.GetTempPath(), "remote_app.config");
                    client.DownloadFile(configPath, tempFile);
                    localPath = tempFile;
                }
            }
            
            ExeConfigurationFileMap fileMap = new ExeConfigurationFileMap();
            fileMap.ExeConfigFilename = localPath;
            _config = ConfigurationManager.OpenMappedExeConfiguration(fileMap, ConfigurationUserLevel.None);
        }
        
        public static string GetMessage()
        {
            if (_config != null)
            {
                KeyValueConfigurationElement setting = _config.AppSettings.Settings["HelloMessage"];
                if (setting != null)
                {
                    return setting.Value;
                }
                return "Hello, World!";
            }
            
            string message = ConfigurationManager.AppSettings["HelloMessage"];
            return message != null ? message : "Hello, World!";
        }
        
        public static void PrintMessage()
        {
            Console.WriteLine(GetMessage());
        }
        
        public static void Main(string[] args)
        {
            string configPath = null;
            
            for (int i = 0; i < args.Length; i++)
            {
                if (args[i] == "--config" || args[i] == "-c")
                {
                    if (i + 1 < args.Length)
                    {
                        configPath = args[i + 1];
                        break;
                    }
                }
            }
            
            if (configPath != null)
            {
                SetConfigPath(configPath);
            }
            
            PrintMessage();
        }
    }
}

something.app.config

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <appSettings>
    <add key="HelloMessage" value="Hello Darkness My old Friend" />
  </appSettings>
</configuration>