T1560.001: Archive via Utility
Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.
Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as tar
on Linux and macOS or zip
on Windows systems.
On Windows, diantz
or makecab
may be used to package collected files into a cabinet (.cab) file. diantz
may also be used to download and compress files from remote locations (i.e. Remote Data Staging). xcopy
on Windows can copy files and directories with a variety of options. Additionally, adversaries may use certutil to Base64 encode collected data before exfiltration.
Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_collection: PT-CR-661: Data_Compression: A user archived data using a utility or PowerShell cmdlet
Detection
ID | DS0009 | Data source and component | Process: Process Creation | Description | Monitor for newly constructed processes and/or command-lines that aid in compression or encrypting data that is collected prior to exfiltration, such as 7-Zip, WinRAR, and WinZip. Before Exfiltration that an adversary has Collection, it is very likely that a Archive Collected Data will be created, so that transfer times are minimized and fewer files are transmitted. There is variety between the tools used to compress data, but the command line usage and context of archiving tools, such as ZIP, RAR, and 7ZIP, should be monitored. In addition to looking for RAR or 7z program names, command line usage of 7Zip or RAR can be detected with the flag usage of “* a *”. This is helpful, as adversaries may change program names. Note: This analytic looks for the command line argument a, which is used by RAR. However, there may be other programs that have this as a legitimate argument and may need to be filtered out. Analytic 1 - Command Line Usage of Archiving Software
|
---|
ID | DS0017 | Data source and component | Command: Command Execution | Description | Monitor executed commands and arguments for actions that will aid in compression or encrypting data that is collected prior to exfiltration, such as tar. |
---|
ID | DS0022 | Data source and component | File: File Creation | Description | Monitor newly constructed files being written with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers. |
---|
Mitigation
ID | M1047 | Name | Audit | Description | System scans can be performed to identify unauthorized archival utilities. |
---|