T1560.001: Archive via Utility

Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.

Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems.

On Windows, diantz or makecab may be used to package collected files into a cabinet (.cab) file. diantz may also be used to download and compress files from remote locations (i.e. Remote Data Staging). xcopy on Windows can copy files and directories with a variety of options. Additionally, adversaries may use certutil to Base64 encode collected data before exfiltration.

Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_collection: PT-CR-661: Data_Compression: A user archived data using a utility or PowerShell cmdlet

Detection

IDDS0009Data source and componentProcess: Process CreationDescription

Monitor for newly constructed processes and/or command-lines that aid in compression or encrypting data that is collected prior to exfiltration, such as 7-Zip, WinRAR, and WinZip. Before Exfiltration that an adversary has Collection, it is very likely that a Archive Collected Data will be created, so that transfer times are minimized and fewer files are transmitted. There is variety between the tools used to compress data, but the command line usage and context of archiving tools, such as ZIP, RAR, and 7ZIP, should be monitored. In addition to looking for RAR or 7z program names, command line usage of 7Zip or RAR can be detected with the flag usage of “* a *”. This is helpful, as adversaries may change program names.

Note: This analytic looks for the command line argument a, which is used by RAR. However, there may be other programs that have this as a legitimate argument and may need to be filtered out.

Analytic 1 - Command Line Usage of Archiving Software

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") CommandLine="* a *"

IDDS0017Data source and componentCommand: Command ExecutionDescription

Monitor executed commands and arguments for actions that will aid in compression or encrypting data that is collected prior to exfiltration, such as tar.

IDDS0022Data source and componentFile: File CreationDescription

Monitor newly constructed files being written with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.

Mitigation

IDM1047NameAuditDescription

System scans can be performed to identify unauthorized archival utilities.