Currently viewing ATT&CK v7.2 which was live between July 8, 2020 and October 26, 2020. Learn more about the versioning system or see the live site.
Register to stream the next session of ATT&CKcon Power Hour November 12
TECHNIQUES
PRE-ATT&CK
Priority Definition Planning
Priority Definition Direction
Target Selection
Technical Information Gathering
People Information Gathering
Organizational Information Gathering
Technical Weakness Identification
People Weakness Identification
Organizational Weakness Identification
Adversary OPSEC
Establish & Maintain Infrastructure
Persona Development
Build Capabilities
Test Capabilities
Stage Capabilities
Enterprise
Initial Access
Phishing
Supply Chain Compromise
Valid Accounts
Execution
Command and Scripting Interpreter
Inter-Process Communication
Scheduled Task/Job
System Services
User Execution
Persistence
Account Manipulation
Boot or Logon Autostart Execution
Boot or Logon Initialization Scripts
Create Account
Create or Modify System Process
Event Triggered Execution
Hijack Execution Flow
Office Application Startup
Pre-OS Boot
Scheduled Task/Job
Server Software Component
Traffic Signaling
Valid Accounts
Privilege Escalation
Abuse Elevation Control Mechanism
Access Token Manipulation
Boot or Logon Autostart Execution
Boot or Logon Initialization Scripts
Create or Modify System Process
Event Triggered Execution
Hijack Execution Flow
Process Injection
Scheduled Task/Job
Valid Accounts
Defense Evasion
Abuse Elevation Control Mechanism
Access Token Manipulation
Execution Guardrails
File and Directory Permissions Modification
Hide Artifacts
Hijack Execution Flow
Impair Defenses
Indicator Removal on Host
Masquerading
Modify Authentication Process
Modify Cloud Compute Infrastructure
Obfuscated Files or Information
Pre-OS Boot
Process Injection
Signed Binary Proxy Execution
Signed Script Proxy Execution
Subvert Trust Controls
Traffic Signaling
Trusted Developer Utilities Proxy Execution
Use Alternate Authentication Material
Valid Accounts
Virtualization/Sandbox Evasion
Credential Access
Brute Force
Credentials from Password Stores
Input Capture
Man-in-the-Middle
Modify Authentication Process
OS Credential Dumping
Steal or Forge Kerberos Tickets
Unsecured Credentials
Discovery
Account Discovery
Permission Groups Discovery
Software Discovery
Virtualization/Sandbox Evasion
Lateral Movement
Remote Service Session Hijacking
Remote Services
Use Alternate Authentication Material
Collection
Archive Collected Data
Data from Information Repositories
Data Staged
Email Collection
Input Capture
Man-in-the-Middle
Command and Control
Application Layer Protocol
Data Encoding
Data Obfuscation
Dynamic Resolution
Encrypted Channel
Proxy
Traffic Signaling
Web Service
Exfiltration
Exfiltration Over Alternative Protocol
Exfiltration Over Other Network Medium
Exfiltration Over Physical Medium
Exfiltration Over Web Service
Impact
Data Manipulation
Defacement
Disk Wipe
Endpoint Denial of Service
Network Denial of Service
Mobile
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command and Control
Exfiltration
Impact
Network Effects
Remote Service Effects
  1. Home
  2. Techniques
  3. Enterprise
  4. Archive Collected Data
  5. Archive via Utility

Archive Collected Data: Archive via Utility

ID Name
T1560.001 Archive via Utility
T1560.002 Archive via Library
T1560.003 Archive via Custom Method

An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities. Many utilities exist that can archive data, including 7-Zip[1], WinRAR[2], and WinZip[3]. Most utilities include functionality to encrypt and/or compress data.

Some 3rd party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems.

ID: T1560.001
Sub-technique of:  T1560
Tactic: Collection
Platforms: Linux, Windows, macOS
Data Sources: Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Version: 1.0
Created: 20 February 2020
Last Modified: 25 March 2020

Procedure Examples

Name Description
APT1

APT1 has used RAR to compress files before moving them outside of the victim network.[25]
APT3

APT3 has used tools to compress data before exfilling it.[29]
APT33

APT33 has used WinRAR to compress data prior to exfil.[34]

APT39

APT39 has used WinRAR and 7-Zip to compress an archive stolen data. [33]
APT41

APT41 created a RAR archive of targeted files for exfiltration.[38]
BRONZE BUTLER

BRONZE BUTLER has compressed data into password-protected RAR archives prior to exfiltration.[21][22]
Calisto

Calisto uses the zip -r command to compress the data collected on the local system.[8][9]
CopyKittens

CopyKittens uses ZPP, a .NET console program, to compress files with ZIP.[24]
CORALDECK

CORALDECK has created password-protected RAR, WinImage, and zip archives to be exfiltrated.[7]
Daserf

Daserf hides collected data in password-protected .rar archives.[10]
DustySky

DustySky can compress files via RAR while staging data to be exfiltrated.[18]
FIN8

FIN8 has used RAR to compress collected data before Exfiltration.[26]
Gallmaker

Gallmaker has used WinZip, likely to archive data prior to exfiltration.[35]
iKitten

iKitten will zip up the /Library/Keychains directory before exfiltrating it.[12]
InvisiMole

InvisiMole uses WinRAR to compress data that is intended to be exfiltrated.[13]
Ke3chang

Ke3chang is known to use RAR with passwords to encrypt data prior to exfiltration.[23]
Magic Hound

Magic Hound has used RAR to stage and compress local folders.[28]
menuPass

menuPass has compressed files before exfiltration using TAR and RAR.[31][32]
Micropsia

Micropsia creates a RAR archive based on collected files on the victim's machine.[11]
MuddyWater

MuddyWater has used the native Windows cabinet creation tool, makecab.exe, likely to compress stolen data to be uploaded.[30]
Okrum

Okrum was seen using a RAR archiver tool to compress/decompress data.[16]
OopsIE

OopsIE compresses collected files with GZipStream before sending them to its C2 server.[6]
PoetRAT

PoetRAT has the ability to compress files with zip.[15]
PoshC2

PoshC2 contains a module for compressing data using ZIP.[5]
PowerShower

PowerShower has used 7Zip to compress .txt, .pdf, .xls or .doc files prior to exfiltration.[17]
PUNCHBUGGY

PUNCHBUGGY has Gzipped information and saved it to a random temp file before exfil.[14]

Pupy

Pupy can compress data with Zip before sending it over C2.[4]
Ramsay

Ramsay can compress and archive collected files using WinRAR.[19]
Soft Cell

Soft Cell used WinRAR to compress and encrypt stolen data prior to exfiltration.[37]
Sowbug

Sowbug extracted documents and bundled them into a RAR archive.[27]
Turla

Turla has encrypted files stolen from connected USB drives into a RAR file before exfiltration.[36]
WindTail

WindTail has the ability to use the macOS built-in zip utility to archive files.[20]

Mitigations

Mitigation Description
Audit

System scans can be performed to identify unauthorized archival utilities.

Detection

Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used.

Consider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.[39]

References

  1. I. Pavlov. (2019). 7-Zip. Retrieved February 20, 2020.
  2. A. Roshal. (2020). RARLAB. Retrieved February 20, 2020.
  3. Corel Corporation. (2020). WinZip. Retrieved February 20, 2020.
  4. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  5. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
  6. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  7. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  8. Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.
  9. Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018.
  10. DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.
  11. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  12. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  13. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  14. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  15. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  16. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  17. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
  18. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  19. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  20. Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019.
  1. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  2. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  3. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  4. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  5. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  6. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  7. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
  8. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
  9. valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.
  10. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
  11. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
  12. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  13. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
  14. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
  15. Symantec Security Response. (2018, October 10). Gallmaker: New Attack Group Eschews Malware to Live off the Land. Retrieved November 27, 2018.
  16. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  17. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  18. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  19. Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016.