T1560.001 · threatengine.sh

Home/ATT&CK Technique/Archive via Utility

ATT&CK Technique

Archive via Utility

T1560.001 · collection

Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport. Adversaries may abuse various utilities to compress or encrypt data before exfiltration.

Some third party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems. On Windows, diantz or makecab may be used to package collected files into a cabinet (.cab) file. diantz may also be used to download and compress files from remote locations (i.e. Remote Data Staging). xcopy on Windows can copy files and directories with a variety of options.

Additionally, adversaries may use certutil to Base64 encode collected data before exfiltration. Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.

LinuxmacOSWindows

◆

Actors Using This

iranAgrius
north_koreaAndariel
chinaAoqin Dragon
chinaAPT10
chinaAPT17
chinaAPT1
russiaAPT28
russiaAPT29
chinaAPT31
iranAPT33
iranOilRig
iranAPT35
north_koreaAPT37
north_koreaAPT38

◈

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.

reconnaissance earlier

T1589 · Gather Victim Identity Information ×2.83 T1589.002 · Email Addresses ×2.83 T1589.001 · Credentials ×2.83

execution earlier

T1559.002 · Dynamic Data Exchange ×2.83

persistence earlier

T1137 · Office Application Startup ×2.83

privilege-escalation earlier

T1546.001 · Change Default File Association ×2.83 T1546.011 · Application Shimming ×2.83 T1546.015 · Component Object Model Hijacking ×2.83

discovery earlier

T1426 · System Information Discovery ×2.83

command-and-control later

T1437 · Application Layer Protocol ×2.83 T1437.001 · Web Protocols ×2.83

exfiltration later

T1030 · Data Transfer Size Limits ×2.83

other same

T1564.003 · Hidden Window ×2.83 T1480.001 · Environmental Keying ×2.83 T1221 · Template Injection ×2.83

▸

Atomic Tests

Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.

command_promptwindowsCompress Data for Exfiltration With Rar

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. When the test completes you should find the txt files from the %USERPROFILE% directory compressed in a file called T1560.001-data.rar in the %USERPROFILE% directory

"#{rar_exe}" a -r #{output_file} #{input_path}\*#{file_extension}

command_promptwindowsCompress Data and lock with password for Exfiltration with winrar

Note: Requires winrar installation rar a -p"blue" hello.rar (VARIANT)

mkdir .\tmp\victim-files
cd .\tmp\victim-files
echo "This file will be encrypted" > .\encrypted_file.txt
"#{rar_exe}" a -hp"blue" hello.rar
dir

command_promptwindowsCompress Data and lock with password for Exfiltration with winzip

Note: Requires winzip installation wzzip sample.zip -s"blueblue" *.txt (VARIANT)

path=%path%;"C:\Program Files (x86)\winzip"
mkdir .\tmp\victim-files
cd .\tmp\victim-files
echo "This file will be encrypted" > .\encrypted_file.txt
"#{winzip_exe}" -min -a -s"hello" archive.zip *
dir

command_promptwindowsCompress Data and lock with password for Exfiltration with 7zip

Note: This test requires 7zip installation

mkdir $PathToAtomicsFolder\T1560.001\victim-files
cd $PathToAtomicsFolder\T1560.001\victim-files
echo "This file will be encrypted" > .\encrypted_file.txt
"#{7zip_exe}" u archive.7z *txt -pblue
dir

bashelevatedlinux, macosData Compressed - nix - zip

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression.

zip #{output_file} #{input_files}

shlinux, macosData Compressed - nix - gzip Single File

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.

test -e #{input_file} && gzip -k #{input_file} || (echo '#{input_content}' >> #{input_file}; gzip -k #{input_file})

shlinux, macosData Compressed - nix - tar Folder or File

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.

tar -cvzf #{output_file} #{input_file_folder}

shlinux, macosData Encrypted with zip and gpg symmetric

Encrypt data for exiltration

mkdir -p #{test_folder}
cd #{test_folder}; touch a b c d e f g
zip --password "#{encryption_password}" #{test_folder}/#{test_file} ./*
echo "#{encryption_password}" | gpg --batch --yes --passphrase-fd 0 --output #{test_folder}/#{test_file}.zip.gpg -c #{test_folder}/#{test_file}.zip
ls -l #{test_folder}

bashlinux, macosEncrypts collected data with AES-256 and Base64

An adversary may compress all the collected data, encrypt and send them to a C2 server using base64 encoding. This atomic test tries to emulate the behaviour of the FLEXIROOT backdoor to archive the collected data. FLEXIROOT typically utilizes AES encryption and base64 encoding to transfer the encrypted data to the C2 server. In this test, standard zip compression and the OpenSSL library are used to encrypt the compressed data. https://attack.mitre.org/versions/v7/software/S0267/

zip -r  #{input_folder}/#{input_file}.zip #{input_folder}
openssl enc -aes-256-cbc -pass pass:#{enc_pass} -p -in #{input_folder}/#{input_file}.zip -out #{input_folder}/#{input_file}.enc 
cat #{input_folder}/#{input_file}.enc | base64

powershellelevatedwindowsESXi - Remove Syslog remote IP

An adversary may edit the syslog config to remove the loghost in order to prevent or redirect logs being received by SIEM.

# Extract line with IP address from the syslog configuration output
#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1560.001\src\esxi_get_loghost.txt | findstr /r "[0-9]*\.[0-9]*\.[0-9]*\." > c:\temp\loghost.txt

# Replace the IP with "0"
#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1560.001\src\esxi_remove_loghost.txt

# Extract the IP from the line extracted from findstr
$inputFilePath = "c:\temp\loghost.txt"
$outputFilePath = "c:\temp\loghost_ip.txt"

$fileContent = Get-Content -Path $inputFilePath -Raw

if ([string]::IsNullOrWhiteSpace($fileContent)) {
    Write-Host "The content is $fileContent"
    Write-Host "The file is empty"
} else {
    # Use a regular expression to extract IP addresses
    $ipAddresses = [regex]::Matches($fileContent, '(udp|tcp):\/\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.*').Value
    
    $output = "esxcli system syslog config set --loghost=" + $ipAddresses

    $output | Out-File -FilePath $outputFilePath -Encoding ascii
    
    Write-Host "IP addresses extracted and saved to $outputFilePath"
}

command_promptwindowsCompress a File for Exfiltration using Makecab

An adversary may compress data using Makecab (in-built Windows binary) that is collected prior to exfiltration. [reference](https://unit42.paloaltonetworks.com/exchange-server-credential-harvesting/)

makecab.exe #{input_file} #{output_file}

powershellelevatedwindowsCopy and Compress AppData Folder

Copies the AppData folder, compresses it, and cleans up temporary files.

$AppData="$env:USERPROFILE\AppData"
$Copy="#{destination_folder}"
$Zip="#{zip_file_path}"

if (Test-Path $Copy) { Remove-Item $Copy -Recurse -Force }
New-Item -ItemType Directory -Path $Copy | Out-Null

Get-ChildItem $AppData -Recurse -Force | ForEach-Object {
  $rel = $_.FullName.Substring($AppData.Length + 1)
  $dest = Join-Path $Copy $rel
  if ($_.PSIsContainer) { New-Item -ItemType Directory -Path $dest -Force | Out-Null }
  else { Copy-Item $_.FullName -Destination $dest -Force -ErrorAction SilentlyContinue }
}

Add-Type -AssemblyName System.IO.Compression.FileSystem
[System.IO.Compression.ZipFile]::CreateFromDirectory($Copy, $Zip, [System.IO.Compression.CompressionLevel]::Optimal, $false)

▣

Mitigations

MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.

M1047Audit

Auditing is the process of recording activity and systematically reviewing and analyzing the activity and system configurations. The primary purpose of auditing is to detect anomalies and identify potential threats or weaknesses in the environment. Proper auditing configurations can also help to meet compliance requirements.

The process of auditing encompasses regular analysis of user behaviors and system logs in support of proactive security measures. Auditing is applicable to all systems used within an organization, from the front door of a building to accessing a file on a fileserver. It is considered more critical for regulated industries such as, healthcare, finance and government where compliance requirements demand stringent tracking of user and system activates.

System Audit

Use Case: Regularly assess system configurations to ensure compliance with organizational security policies.
Implementation: Use tools to scan for deviations from established benchmarks.

Permission Audits

Use Case: Review file and folder permissions to minimize the risk of unauthorized access or privilege escalation.
Implementation: Run access reviews to identify users or groups with excessive permissions.

Software Audits

Use Case: Identify outdated, unsupported, or insecure software that could serve as an attack vector.
Implementation: Use inventory and vulnerability scanning tools to detect outdated versions and recommend secure alternatives.

Configuration Audits

Use Case: Evaluate system and network configurations to ensure secure settings (e.g., disabled SMBv1, enabled MFA).
Implementation: Implement automated configuration scanning tools like SCAP (Security Content Automation Protocol) to identify non-compliant systems.

Network Audits

Use Case: Examine network traffic, firewall rules, and endpoint communications to identify unauthorized or insecure connections.
Implementation: Utilize tools such as Wireshark, or Zeek to monitor and log suspicious network behavior.

◈

Detection Coverage

2/6 layers

Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).

Behavioral / log (Sigma) 13

Analytics (MITRE CAR) 1

Runtime / container (Falco) none

File / malware (YARA) none

Network (Suricata/Snort) none

Vuln scan (Nuclei) none

◈

CAR Analytics

MITRE Cyber Analytics Repository - field-tested detection logic for this technique, written as pseudocode/queries you adapt to your own SIEM (Splunk, Sentinel, EQL). Each is a ready starting point for a detection rule, not just a description.

CAR-2013-07-005Moderate coverageCommand Line Usage of Archiving Software

Before exfiltrating data that an adversary has collected, it is very likely that a compressed archive will be created, so that transfer times are minimized and fewer files are transmitted. There is variety between the tools used to compress data, but the command line usage and context of archiving tools, such as ZIP, RAR, and 7ZIP, should be monitored. In addition to looking for RAR or 7z program names, command line usage of 7Zip or RAR can be detected with the flag usage of "\ a \".

This is helpful, as adversaries may change program names.

pseudocode

processes = search Process:Create
rar_argument = filter processes where (command_line == "* a *")
output rar_argument

DNIF

_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $Process=regex(.* a .*)i limit 100

LogPoint

norm_id=WindowsSysmon event_id=1 command="* a *"

▸

Caldera Emulation

MITRE Caldera abilities that emulate this technique - each is an executable action for automated adversary emulation.

collectionlinux, windowsCompress staged directory (Password Protected)

tar -C #{host.dir.staged} -czf - . | gpg -c --pinentry-mode=loopback --passphrase #{host.archive.password} > #{host.dir.staged}.tar.gz.gpg && echo #{host.dir.staged}.tar.gz.gpg

exfiltrationlinux, windowsCompress Git Repository

tar -czf #{host.dir.git}.tar.gz -C "#{host.dir.git}" .; printf #{host.dir.git}.tar.gz;

exfiltrationdarwin, linux, windowsCompress staged directory

tar -P -zcf #{host.dir.staged}.tar.gz #{host.dir.staged} && echo #{host.dir.staged}.tar.gz

▣

Comply & Defend

NIST 800-53CM-02, RA-05, SC-07, SI-03, SI-04

D3FEND11 defensive techniques

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

MITRE ATT&CK Atomic Red Team car (MITRE)

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin