Description
Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionality to compress, encrypt, or otherwise package data into a format that is easier or more secure to transport, and adversaries may abuse any of them to prepare data before exfiltration. Some utilities are preinstalled, such as <code>tar</code> on Linux and macOS or <code>zip</code> on Windows systems. On Windows, <code>diantz</code> or <code>makecab</code> may be used to package collected files into a cabinet (.cab) file. <code>diantz</code> may also be used to download and compress files from remote locations (i.e. [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002)).(Citation: diantz.exe_lolbas) <code>xcopy</code> on Windows can copy files and directories with a variety of options. Additionally, adversaries may use [certutil](https://attack.mitre.org/software/S0160) to Base64 encode collected data before exfiltration. Adversaries may also use third-party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)
ATT&CK Kill Chain Metadata
- Tactics: collection
- Platforms: Linux, Windows, macOS
Detection Guidance:
Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used. Consider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)
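As an added illustration of the header-based detection described above (example code, not part of the ATT&CK page), the Python below classifies newly written files by archive magic bytes, flags the higher-signal case of an archive header hidden behind a non-archive extension, and unwraps the PEM-style armor that <code>certutil -encode</code> produces so an archive inside the Base64 is still recognised. The signatures are the standard published values; the sample files are constructed.

```python
import base64
import os

# Magic bytes of the archive/compressed formats the utilities above produce
# (zip, makecab/diantz, 7-Zip, WinRAR, gzip, bzip2, xz); tar is checked by offset below.
SIGNATURES = {
    b"PK\x03\x04": "zip", b"MSCF": "cab", b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar", b"\x1f\x8b": "gzip", b"BZh": "bzip2", b"\xfd7zXZ\x00": "xz",
}
# Extensions where an archive header is expected. OOXML and JAR files are zip
# containers, so they are listed too; otherwise every .docx write is a false positive.
EXPECTED_EXT = {".zip", ".cab", ".7z", ".rar", ".gz", ".tgz", ".bz2", ".xz", ".tar",
                ".docx", ".xlsx", ".pptx", ".jar"}
CERTUTIL_ARMOR = b"-----BEGIN CERTIFICATE-----"  # certutil -encode wraps output in this

def identify(data: bytes):
    """Return the archive type implied by the file header, or None."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    if len(data) >= 262 and data[257:262] == b"ustar":  # POSIX tar magic at offset 257
        return "tar"
    if data.startswith(CERTUTIL_ARMOR):
        # certutil Base64-wraps whatever it is given: strip the armor and look inside
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        try:
            inner = identify(base64.b64decode(body, validate=True))
        except ValueError:
            inner = None
        return f"base64({inner})" if inner else "base64"
    return None

def triage(filename: str, data: bytes) -> dict:
    """Header type, plus whether the extension disguises an archive (the higher-signal case)."""
    kind = identify(data)
    ext = os.path.splitext(filename)[1].lower()
    return {"file": filename, "header": kind,
            "mismatch": kind is not None and ext not in EXPECTED_EXT}

# Constructed sample files (not real captures): a header followed by filler bytes.
SAMPLES = {
    "staging.cab": b"MSCF" + b"\x00" * 32,
    "report.docx": b"PK\x03\x04" + b"\x00" * 26,
    "photo.jpg": b"PK\x03\x04" + b"\x00" * 26,
    "backup.tar": b"\x00" * 257 + b"ustar" + b"\x00" * 10,
    "cert.txt": CERTUTIL_ARMOR + b"\r\n" + base64.b64encode(b"7z\xbc\xaf\x27\x1c" + b"\x00" * 10)
                + b"\r\n-----END CERTIFICATE-----\r\n",
}
def run_samples() -> dict:
    return {name: triage(name, data) for name, data in SAMPLES.items()}
```

In a real deployment the same check runs on file-creation events from an EDR or auditd feed, and the extension whitelist is tuned per environment to keep the benign-event volume the guidance warns about manageable.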
APTs (Intrusion Sets)
- APT1
- APT28
- APT3
- APT33
- APT39
- APT41
- APT5
- Agrius
- Akira
- Aquatic Panda
- BRONZE BUTLER
- Chimera
- CopyKittens
- Earth Lusca
- FIN13
- FIN8
- Fox Kitten
- GALLIUM
- Gallmaker
- HAFNIUM
- INC Ransom
- Ke3chang
- Kimsuky
- Lotus Blossom
- Magic Hound
- MuddyWater
- Mustang Panda
- Play
- RedCurl
- Sea Turtle
- Sowbug
- ToddyCat
- Turla
- Volt Typhoon
- Wizard Spider
- menuPass