Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.
Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems. On Windows, makecab may be used to package collected files into a cabinet (.cab) file. diantz may also be used to download and compress files from remote locations (i.e. Remote Data Staging). Additionally, xcopy on Windows can copy files and directories with a variety of options.
System scans can be performed to identify unauthorized archival utilities.
|ID|Data Source|Data Component|Detects|
|---|---|---|---|
|DS0017|Command|Command Execution|Monitor executed commands and arguments for actions that will aid in compression or encrypting data that is collected prior to exfiltration, such as tar.|
|DS0022|File|File Creation|Monitor newly constructed files being written with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.|
|DS0009|Process|Process Creation|Monitor for newly constructed processes and/or command-lines that aid in compression or encrypting data that is collected prior to exfiltration, such as 7-Zip, WinRAR, and WinZip.|
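The three detection rows above call for watching command lines, newly written files and new processes for archival activity. The Python below is an added example, not part of the ATT&CK page, that implements those checks over constructed sample telemetry: it normalises the process image path to a tool name, flags the utilities named in the description (plus common third-party archivers) and the password/encryption switches of 7-Zip, RAR and Info-ZIP, notes a remote source (UNC path or URL) in a diantz command line, and identifies archive formats from the first bytes of a written file so that an archive renamed to a harmless-looking extension is still caught. The event field names, usernames, hosts and paths are constructed assumptions, not a real telemetry schema.

```python
"""Detection helpers for archival-utility activity: process/command-line
telemetry and file-creation telemetry (path plus the file's first bytes).
Every event below is constructed for this example; nothing is real telemetry."""
import re
from typing import Dict, List, Optional

# Utilities named in the technique description plus common third-party archivers.
ARCHIVE_UTILITIES = {"tar", "zip", "makecab", "diantz", "xcopy",
                     "7z", "7za", "rar", "winrar", "winzip", "gzip", "bzip2", "xz"}

# Switches that request password protection / encryption.
# 7-Zip: -p<pw>; RAR: -p<pw> or -hp<pw>; Info-ZIP: -e or -P <pw>.
ENCRYPTION_SWITCHES = {
    "7z": re.compile(r"(?:^|\s)-p\S*"),
    "7za": re.compile(r"(?:^|\s)-p\S*"),
    "rar": re.compile(r"(?:^|\s)-h?p\S*"),
    "winrar": re.compile(r"(?:^|\s)-h?p\S*"),
    "zip": re.compile(r"(?:^|\s)-(?:e|P)(?:\s|$)"),
}

# Leading magic bytes of common archive formats; tar is handled separately
# because its "ustar" marker sits at offset 257, not at the start of the file.
MAGIC_SIGNATURES = {
    b"PK\x03\x04": "zip", b"7z\xbc\xaf\x27\x1c": "7z", b"Rar!\x1a\x07": "rar",
    b"\x1f\x8b": "gzip", b"MSCF": "cab", b"BZh": "bzip2", b"\xfd7zXZ\x00": "xz",
}
EXPECTED_EXTENSIONS = {
    "zip": {".zip"}, "7z": {".7z"}, "rar": {".rar"}, "gzip": {".gz", ".tgz"},
    "cab": {".cab"}, "bzip2": {".bz2"}, "xz": {".xz"}, "tar": {".tar"},
}


def basename(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def utility_name(image: str) -> str:
    """Lowercase tool name without a trailing .exe, e.g. 'C:\\...\\7z.exe' -> '7z'."""
    base = basename(image).lower()
    return base[:-4] if base.endswith(".exe") else base


def classify_process(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding if the process is an archival utility, else None."""
    tool = utility_name(event["image"])
    if tool not in ARCHIVE_UTILITIES:
        return None
    cmd = event["command_line"]
    reasons = ["archival utility executed"]
    switch = ENCRYPTION_SWITCHES.get(tool)
    if switch and switch.search(cmd):
        reasons.append("password/encryption switch present")
    # diantz can take its input from a remote location (UNC path or URL).
    if tool == "diantz" and re.search(r"\\\\\S+|https?://", cmd):
        reasons.append("remote source in diantz command line")
    return {"tool": tool, "user": event.get("user", ""), "reasons": reasons}


def detect_archive_format(header: bytes) -> Optional[str]:
    """Identify an archive format from the first bytes of a file, or None."""
    for magic, fmt in MAGIC_SIGNATURES.items():
        if header.startswith(magic):
            return fmt
    if len(header) >= 262 and header[257:262] == b"ustar":
        return "tar"
    return None


def classify_file(path: str, header: bytes) -> Optional[Dict[str, object]]:
    """Return a finding for a newly written archive; flags a disguising extension."""
    fmt = detect_archive_format(header)
    if fmt is None:
        return None
    name = basename(path).lower()
    ext = name[name.rfind("."):] if "." in name else ""
    return {"path": path, "format": fmt,
            "extension_mismatch": ext not in EXPECTED_EXTENSIONS[fmt]}


def run_process_detections(events) -> List[Dict[str, object]]:
    return [f for f in (classify_process(e) for e in events) if f]


def run_file_detections(events) -> List[Dict[str, object]]:
    return [f for f in (classify_file(p, h) for p, h in events) if f]


# Constructed sample telemetry (placeholder users, hosts and paths).
SAMPLE_PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\makecab.exe", "user": r"CORP\jdoe",
     "command_line": r"makecab.exe C:\Users\jdoe\Documents\q1.xlsx C:\Temp\q1.cab"},
    {"image": r"C:\Windows\System32\diantz.exe", "user": r"CORP\jdoe",
     "command_line": r"diantz.exe \\fileserver\share\plans.docx C:\Temp\p.cab"},
    {"image": r"C:\Program Files\7-Zip\7z.exe", "user": r"CORP\jdoe",
     "command_line": r"7z.exe a -pExamplePw C:\Temp\out.7z C:\Users\jdoe\Documents"},
    {"image": "/usr/bin/tar", "user": "alice", "command_line": "tar czf /tmp/home.tgz /home/alice"},
    {"image": r"C:\Windows\System32\notepad.exe", "user": r"CORP\jdoe", "command_line": "notepad.exe notes.txt"},
]
SAMPLE_FILE_EVENTS = [
    ("/tmp/home.tgz", b"\x1f\x8b\x08\x00" + bytes(20)),
    (r"C:\Temp\out.7z", b"7z\xbc\xaf\x27\x1c\x00\x04" + bytes(20)),
    (r"C:\Temp\q1.cab", b"MSCF" + bytes(28)),
    (r"C:\Users\jdoe\Pictures\holiday.jpg", b"PK\x03\x04\x14\x00" + bytes(20)),  # zip behind a .jpg name
    ("/tmp/backup.tar", bytes(257) + b"ustar\x00" + bytes(10)),
    ("/home/alice/notes.txt", b"plain text, no archive header here"),
]

if __name__ == "__main__":
    for finding in run_process_detections(SAMPLE_PROCESS_EVENTS):
        print("PROCESS", finding)
    for finding in run_file_detections(SAMPLE_FILE_EVENTS):
        print("FILE   ", finding)
```

The process check fires on every archival utility, so in practice it is a hunting signal to be baselined against normal use (backup jobs, build servers); the encryption-switch and remote-source reasons are the ones worth alerting on directly. The header check is deliberately independent of the file extension, which is what lets it support the in-transit detection the File Creation row describes.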