Technique on mitre.org

T1560.001: Archive via Utility

Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.

Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems.

On Windows, diantz or makecab may be used to package collected files into a cabinet (.cab) file. diantz may also be used to download and compress files from remote locations (i.e. Remote Data Staging). xcopy on Windows can copy files and directories with a variety of options. Additionally, adversaries may use certutil to Base64 encode collected data before exfiltration.

Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_collection: PT-CR-661: Data_Compression: A user archived data using a utility or PowerShell cmdlet

Detection

ID	DS0009	Data source and component	Process: Process Creation	Description	Monitor for newly constructed processes and/or command-lines that aid in compression or encrypting data that is collected prior to exfiltration, such as 7-Zip, WinRAR, and WinZip. Before Exfiltration that an adversary has Collection, it is very likely that a Archive Collected Data will be created, so that transfer times are minimized and fewer files are transmitted. There is variety between the tools used to compress data, but the command line usage and context of archiving tools, such as ZIP, RAR, and 7ZIP, should be monitored. In addition to looking for RAR or 7z program names, command line usage of 7Zip or RAR can be detected with the flag usage of “* a ”. This is helpful, as adversaries may change program names. Note: This analytic looks for the command line argument a, which is used by RAR. However, there may be other programs that have this as a legitimate argument and may need to be filtered out. Analytic 1 - Command Line Usage of Archiving Software `(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") CommandLine=" a *"`

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor executed commands and arguments for actions that will aid in compression or encrypting data that is collected prior to exfiltration, such as tar.

ID	DS0022	Data source and component	File: File Creation	Description	Monitor newly constructed files being written with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.

ID	Data source and component	Description
DS0009	Process: Process Creation	Monitor for newly constructed processes and/or command-lines that aid in compression or encrypting data that is collected prior to exfiltration, such as 7-Zip, WinRAR, and WinZip. Before Exfiltration that an adversary has Collection, it is very likely that a Archive Collected Data will be created, so that transfer times are minimized and fewer files are transmitted. There is variety between the tools used to compress data, but the command line usage and context of archiving tools, such as ZIP, RAR, and 7ZIP, should be monitored. In addition to looking for RAR or 7z program names, command line usage of 7Zip or RAR can be detected with the flag usage of “* a ”. This is helpful, as adversaries may change program names. Note: This analytic looks for the command line argument a, which is used by RAR. However, there may be other programs that have this as a legitimate argument and may need to be filtered out. Analytic 1 - Command Line Usage of Archiving Software `(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") CommandLine=" a *"`
DS0017	Command: Command Execution	Monitor executed commands and arguments for actions that will aid in compression or encrypting data that is collected prior to exfiltration, such as tar.
DS0022	File: File Creation	Monitor newly constructed files being written with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.

Mitigation

ID	M1047	Name	Audit	Description	System scans can be performed to identify unauthorized archival utilities.

ID	Name	Description
M1047	Audit	System scans can be performed to identify unauthorized archival utilities.