|ID||Name|
|T1560.001||Archive via Utility|
|T1560.002||Archive via Library|
|T1560.003||Archive via Custom Method|
Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.
Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some of these utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems.
makecab may be used to package collected files into a cabinet (.cab) file.
diantz may also be used to download and compress files from remote locations (i.e. Remote Data Staging).
xcopy on Windows can copy files and directories with a variety of options. Additionally, adversaries may use certutil to Base64 encode collected data before exfiltration.
Adversaries may also use third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.
AppleSeed can zip and encrypt data collected on a target system.
APT1 has used RAR to compress files before moving them outside of the victim network.
APT28 has used a variety of utilities, including WinRAR, to archive collected data with password protection.
APT3 has used tools to compress data before exfilling it.
APT39 has used WinRAR and 7-Zip to compress and archive stolen data.
APT41 created a RAR archive of targeted files for exfiltration.
Aquatic Panda has used WinRAR to compress memory dumps prior to exfiltration.
BRONZE BUTLER has compressed data into password-protected RAR archives prior to exfiltration.
Calisto uses the
ccf32 has used
certutil may be used to Base64 encode collected data.
Chimera has used gzip for Linux OS and a modified RAR software to archive data on Windows hosts.
CopyKittens uses ZPP, a .NET console program, to compress files with ZIP.
CORALDECK has created password-protected RAR, WinImage, and zip archives to be exfiltrated.
Crutch has used the WinRAR utility to compress and encrypt stolen files.
Daserf hides collected data in password-protected .rar archives.
DustySky can compress files via RAR while staging data to be exfiltrated.
Earth Lusca has used WinRAR to compress stolen files into an archive prior to exfiltration.
FIN8 has used RAR to compress collected data before exfiltration.
Fox Kitten has used 7-Zip to archive data.
During FunnyDream, the threat actors used 7zr.exe to add collected files to an archive.
GALLIUM used WinRAR to compress and encrypt stolen data prior to exfiltration.
Gallmaker has used WinZip, likely to archive data prior to exfiltration.
HAFNIUM has used 7-Zip and WinRAR to compress stolen files for exfiltration.
IceApple can encrypt and compress files using Gzip prior to exfiltration.
iKitten will zip up the /Library/Keychains directory before exfiltrating it.
InvisiMole uses WinRAR to compress data that is intended to be exfiltrated.
Ke3chang is known to use 7Zip and RAR with passwords to encrypt data prior to exfiltration.
Kimsuky has used QuickZip to archive stolen files before exfiltration.
Magic Hound has used gzip to archive dumped LSASS process memory and RAR to stage and compress local folders.
menuPass has compressed files before exfiltration using TAR and RAR.
Micropsia creates a RAR archive based on collected files on the victim's machine.
MuddyWater has used the native Windows cabinet creation tool, makecab.exe, likely to compress stolen data to be uploaded.
Mustang Panda has used RAR to create password-protected archives of collected documents prior to exfiltration.
Octopus has compressed data before exfiltrating it using a tool called Abbrevia.
Okrum was seen using a RAR archiver tool to compress/decompress data.
OopsIE compresses collected files with GZipStream before sending them to its C2 server.
During Operation CuckooBees, the threat actors used the Makecab utility to compress and a version of WinRAR to create password-protected archives of stolen data prior to exfiltration.
During Operation Dream Job, Lazarus Group archived victim's data into a RAR file.
During Operation Honeybee, the threat actors used zip to pack collected files before exfiltration.
During Operation Wocao, threat actors archived collected files with WinRAR, prior to exfiltration.
PoshC2 contains a module for compressing data using ZIP.
PowerShower has used 7Zip to compress .txt, .pdf, .xls or .doc files prior to exfiltration.
PUNCHBUGGY has Gzipped information and saved it to a random temp file before exfil.
Pupy can compress data with Zip before sending it over C2.
Ramsay can compress and archive collected files using WinRAR.
Rclone can compress files using
During the SolarWinds Compromise, APT29 used 7-Zip to compress stolen emails into password-protected archives prior to exfiltration; APT29 also compressed text files into zipped archives.
Sowbug extracted documents and bundled them into a RAR archive.
Turian can use WinRAR to create a password-protected archive for files of interest.
Turla has encrypted files stolen from connected USB drives into a RAR file before exfiltration.
WindTail has the ability to use the macOS built-in zip utility to archive files.
System scans can be performed to identify unauthorized archival utilities.
|ID||Data Source||Data Component||Detects|
|DS0017||Command||Command Execution||Monitor executed commands and arguments for actions that will aid in compression or encrypting data that is collected prior to exfiltration, such as tar.|
|DS0022||File||File Creation||Monitor newly constructed files being written with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.|
|DS0009||Process||Process Creation||Monitor for newly constructed processes and/or command-lines that aid in compression or encrypting data that is collected prior to exfiltration, such as 7-Zip, WinRAR, and WinZip.|
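The detection rows above describe two signals: archiving/encrypting utilities showing up in command lines and process creation, and archive headers showing up in newly written files. The following is an added example written for this page, not ATT&CK or vendor content, that runs both checks over a handful of constructed process-creation and file-creation events. The utility names and flags are the ones named on the page (7-Zip, WinRAR, makecab, tar, gzip, certutil -encode); the sample events, the temp-directory heuristic and the low/medium/high scoring are assumptions chosen for illustration.

```python
"""Added example (not ATT&CK content): toy T1560.001 detection logic over
constructed process-creation and file-creation events."""
import re
import shlex
from typing import Optional

# Binaries that compress, archive or encode data (names as on the page).
ARCHIVE_BINARIES = {"7z", "7za", "7zr", "rar", "winrar", "zip", "winzip",
                    "tar", "gzip", "makecab", "diantz", "certutil"}

# Argument patterns that turn plain archiving into encryption or encoding.
ENCRYPT_FLAGS = [
    (re.compile(r"(^|\s)-p\S+"), "password-protected archive (-p<password>)"),  # 7z / rar
    (re.compile(r"(^|\s)-hp\S+"), "rar header encryption (-hp<password>)"),
    (re.compile(r"(^|\s)-mhe(=on)?\b"), "7z header encryption (-mhe)"),
    (re.compile(r"(^|\s)-P\s+\S+"), "zip password (-P <password>)"),
    (re.compile(r"(^|\s)-encode\b"), "certutil base64 encode"),
]
# Staging locations (assumption: temp directories are the common case).
TEMP_PATH = re.compile(r"(?i)(\\temp\\|/tmp/|\\appdata\\local\\temp\\)")


def _binary_name(cmdline: str) -> str:
    """Lower-cased basename of argv[0] without a .exe suffix."""
    tokens = shlex.split(cmdline, posix=False)  # non-POSIX keeps backslashes
    if not tokens:
        return ""
    exe = tokens[0].strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    return exe[:-4] if exe.endswith(".exe") else exe


def classify_command(cmdline: str) -> Optional[dict]:
    """Flag a command line that archives, encrypts or encodes data.
    Returns None when uninteresting, else binary, indicators and severity."""
    binary = _binary_name(cmdline)
    if binary not in ARCHIVE_BINARIES:
        return None
    indicators = [label for rx, label in ENCRYPT_FLAGS if rx.search(cmdline)]
    if binary == "certutil" and not indicators:
        return None  # certutil is benign unless it is actually encoding
    encrypted = bool(indicators)
    if TEMP_PATH.search(cmdline):
        indicators.append("output staged in temp directory")
    severity = "high" if encrypted else ("medium" if indicators else "low")
    return {"binary": binary, "indicators": indicators, "severity": severity}


# Magic bytes for the archive formats named on the page.
MAGIC = [(b"PK\x03\x04", "zip"), (b"Rar!\x1a\x07\x00", "rar4"),
         (b"Rar!\x1a\x07\x01\x00", "rar5"), (b"7z\xbc\xaf\x27\x1c", "7z"),
         (b"\x1f\x8b", "gzip"), (b"MSCF", "cab")]
# Office documents and jars are legitimately zip containers, so allow them.
EXPECTED_EXT = {"zip": {"zip", "docx", "xlsx", "pptx", "jar"}, "rar4": {"rar"},
                "rar5": {"rar"}, "7z": {"7z"}, "gzip": {"gz", "tgz"},
                "cab": {"cab"}, "tar": {"tar"}}


def archive_format(header: bytes) -> Optional[str]:
    """Identify an archive from its leading bytes, ignoring the file name."""
    for magic, fmt in MAGIC:
        if header.startswith(magic):
            return fmt
    if len(header) >= 262 and header[257:262] == b"ustar":  # POSIX tar
        return "tar"
    return None


def classify_file(path: str, header: bytes) -> Optional[dict]:
    """Flag a newly created archive; note when the extension disagrees with
    the header, which is how a renamed archive hides from extension rules."""
    fmt = archive_format(header)
    if fmt is None:
        return None
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return {"path": path, "format": fmt,
            "extension_mismatch": ext not in EXPECTED_EXT[fmt]}


# Constructed sample events (not real telemetry).
SAMPLE_PROCESS_EVENTS = [
    r'"C:\Program Files\WinRAR\Rar.exe" a -hpS3cret! C:\Users\Public\out.rar C:\Users\bob\Documents',
    r'7z.exe a -pP@ss -mhe=on C:\Windows\Temp\stage.7z C:\Users\bob\Desktop',
    r'makecab.exe C:\Users\bob\report.docx C:\Windows\Temp\rpt.cab',
    r'certutil.exe -encode C:\Windows\Temp\dump.bin C:\Windows\Temp\dump.txt',
    r'tar -czf /tmp/.cache.tgz /home/alice/Documents',
    r'notepad.exe C:\Users\bob\notes.txt',
]
SAMPLE_FILE_EVENTS = [
    (r"C:\Windows\Temp\stage.7z", b"7z\xbc\xaf\x27\x1c\x00\x04" + b"\x00" * 24),
    (r"C:\Users\Public\invoice.pdf", b"Rar!\x1a\x07\x01\x00" + b"\x00" * 24),
    ("/tmp/.cache.tgz", b"\x1f\x8b\x08\x00" + b"\x00" * 28),
    (r"C:\Users\bob\notes.txt", b"meeting notes\n"),
]

if __name__ == "__main__":
    for ev in SAMPLE_PROCESS_EVENTS:
        print("PROC", classify_command(ev))
    for path, header in SAMPLE_FILE_EVENTS:
        print("FILE", classify_file(path, header))
```

In production the command lines would come from Sysmon event 1 or an EDR process-creation stream and the headers from the first bytes of files reported by file-creation telemetry; the point of the file check is that an archive renamed to `.pdf` still carries a RAR header, which is also what the network DLP header analysis mentioned above relies on.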