Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.
Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third-party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems. makecab may be used to package collected files into a cabinet (.cab) file. diantz may also be used to download and compress files from remote locations (i.e. Remote Data Staging). xcopy on Windows can copy files and directories with a variety of options. Additionally, adversaries may use certutil to Base64-encode collected data before exfiltration.
Procedure example: C0022, Operation Dream Job
System scans can be performed to identify unauthorized archival utilities.
Detection (data sources and what each detects):
Monitor executed commands and arguments for actions that will aid in compression or encrypting data that is collected prior to exfiltration, such as tar.
Monitor newly constructed files being written with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.
Monitor for newly constructed processes and/or command lines that aid in compressing or encrypting data collected prior to exfiltration, such as 7-Zip, WinRAR, and WinZip. Before exfiltrating data that an adversary has collected, it is very likely that a compressed archive will be created, so that transfer times are minimized and fewer files are transmitted. There is variety between the tools used to compress data, but the command-line usage and context of archiving tools such as ZIP, RAR, and 7-Zip should be monitored. In addition to looking for RAR or 7-Zip program names, command-line usage of 7-Zip or RAR can be detected through the "a" (add) command, i.e. a command line matching "* a *". This is helpful, as adversaries may change program names.
Note: This analytic looks for the command-line argument a, which is used by RAR (and by 7-Zip). However, other programs may take a as a legitimate argument and may need to be filtered out.
Analytic 1 - Command Line Usage of Archiving Software
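The analytic's query itself is not reproduced on this page. The following is an added Python example, not MITRE's or CAR's pseudocode, that runs the "* a *" check from Analytic 1, the per-program filtering the note above calls for, and checks for the native utilities named earlier (makecab, diantz, certutil, tar) over constructed process-creation events. The events are invented and only loosely modelled on Sysmon Event ID 1 fields (Image, OriginalFileName, CommandLine); the rule names, the archiver list and the allowlist are assumptions to be tuned per environment. Matching on OriginalFileName as well as the on-disk name is what catches an archiver that has been renamed.

```python
import re
from pathlib import PureWindowsPath

# Archivers whose "a" (add) command creates an archive. Matched against both the
# on-disk image name and the PE OriginalFileName, so a renamed copy is still caught.
ARCHIVERS = {"7z.exe", "7za.exe", "7zg.exe", "rar.exe", "winrar.exe"}

# Programs that legitimately take a bare "a" argument in this (hypothetical)
# environment. The note above says such programs must be filtered out; this set
# is an assumption to be tuned per environment, not a recommended baseline.
A_ARG_ALLOWLIST = {"cmd.exe"}

# Constructed sample events, modelled loosely on Sysmon Event ID 1 fields.
# None of these are real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\7-Zip\7z.exe", "OriginalFileName": "7z.exe",
     "CommandLine": r"7z.exe a -pS3cret -mhe=on C:\Users\alice\AppData\Local\Temp\out.7z C:\Users\alice\Documents"},
    {"Image": r"C:\Windows\Temp\svchost.exe", "OriginalFileName": "Rar.exe",   # renamed Rar.exe
     "CommandLine": r"svchost.exe a -r -hp1234 C:\Windows\Temp\stage.rar C:\Finance"},
    {"Image": r"C:\Windows\System32\makecab.exe", "OriginalFileName": "MakeCab.exe",
     "CommandLine": r"makecab.exe C:\Users\alice\Documents\report.docx C:\Windows\Temp\report.cab"},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil.exe -encode C:\Windows\Temp\stage.rar C:\Windows\Temp\stage.txt"},
    {"Image": r"C:\Windows\System32\tar.exe", "OriginalFileName": "bsdtar.exe",
     "CommandLine": r"tar.exe -czf C:\Windows\Temp\docs.tgz C:\Users\alice\Documents"},
    {"Image": r"C:\Program Files\Git\cmd\git.exe", "OriginalFileName": "git.exe",  # benign "a", not allowlisted
     "CommandLine": r"git.exe checkout a"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",       # benign "a", allowlisted
     "CommandLine": r"cmd.exe /c echo a"},
]


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted runs together."""
    return re.findall(r'"[^"]*"|\S+', cmdline)


def check_event(ev):
    """Return the list of rule names an event triggers (empty list if none)."""
    image = PureWindowsPath(ev["Image"]).name.lower()
    orig = ev.get("OriginalFileName", "").lower()
    args = [t.lower() for t in split_cmdline(ev["CommandLine"])[1:]]
    findings = []
    is_archiver = image in ARCHIVERS or orig in ARCHIVERS

    # Analytic 1: the "* a *" check. A bare "a" token is the add command for
    # 7-Zip and RAR regardless of what the binary is called on disk.
    if "a" in args:
        if is_archiver:
            findings.append("archiver-add-command")
        elif image not in A_ARG_ALLOWLIST:
            findings.append("bare-a-argument-review")  # unknown program: triage, then allowlist or escalate
    # 7-Zip -p<pw> and RAR -p<pw>/-hp<pw> set a password, i.e. the archive is encrypted.
    if is_archiver and any(a.startswith(("-p", "-hp")) for a in args):
        findings.append("password-protected-archive")
    if is_archiver and orig and orig != image:
        findings.append("renamed-archiver")

    # Built-in Windows utilities named on the page.
    if image in ("makecab.exe", "diantz.exe"):
        findings.append("native-cab-packaging")
    if image == "certutil.exe" and "-encode" in args:
        findings.append("certutil-base64-encode")
    if image == "tar.exe" and args:
        mode = args[0]  # e.g. -czf, czf or --create; only creation is of interest
        if mode == "--create" or (not mode.startswith("--") and "c" in mode.lstrip("-")):
            findings.append("tar-create-archive")
    return findings


def detect(events):
    """Run every rule over a list of events; return only the hits."""
    hits = []
    for ev in events:
        findings = check_event(ev)
        if findings:
            hits.append({"CommandLine": ev["CommandLine"], "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{', '.join(hit['findings']):<60} {hit['CommandLine']}")
```

Run against the constructed events, the renamed Rar.exe is reported three times over (add command, password, rename), the git.exe line lands in the review bucket rather than being silently dropped, and the allowlisted cmd.exe line produces nothing. In production the allowlist should be keyed on more than the image name (signer or hash, parent process) since the whole point of the "a" check is that the name is not trustworthy.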