T1560.002 · threatengine.sh

Home/ATT&CK Technique/Archive via Library

ATT&CK Technique

Archive via Library

T1560.002 · collection

An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including Python rarfile, libzip, and zlib. Most libraries include functionality to encrypt and/or compress data.

Some archival libraries are preinstalled on systems, such as bzip2 on macOS and Linux, and zip on Windows. Note that the libraries are different from the utilities. The libraries can be linked against when compiling, while the utilities require spawning a subshell, or a similar execution mechanism.

LinuxmacOSWindows

◆

Actors Using This

chinaAPT1
russia_speaking_organized_cybercrimeDarkSide / BlackMatter
north_koreaLazarus Group
russiaTurla

◈

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.

execution earlier

T1047 · Windows Management Instrumentation ×3.19

persistence earlier

T1547.009 · Shortcut Modification ×4.58 T1505 · Server Software Component ×3.05

privilege-escalation earlier

T1134.002 · Create Process with Token ×35.70 T1134 · Access Token Manipulation ×4.41 T1055.001 · Dynamic-link Library Injection ×3.80

credential-access earlier

T1003.002 · Security Account Manager ×4.35 T1110 · Brute Force ×3.09

discovery earlier

T1069.002 · Domain Groups ×11.90 T1049 · System Network Connections Discovery ×3.50 T1012 · Query Registry ×3.13

collection same

T1560.001 · Archive via Utility ×2.83

exfiltration later

T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ×4.67

impact later

T1485 · Data Destruction ×2.70

other same

T1070.006 · Timestomp ×6.16

▸

Atomic Tests

Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.

shlinuxCompressing data using GZip in Python (FreeBSD/Linux)

Uses GZip from Python to compress files

which_python=`which python || which python3`
$which_python -c "import gzip;input_file=open('#{path_to_input_file}', 'rb');content=input_file.read();input_file.close();output_file=gzip.GzipFile('#{path_to_output_file}','wb',compresslevel=6);output_file.write(content);output_file.close();"

shlinuxCompressing data using bz2 in Python (FreeBSD/Linux)

Uses bz2 from Python to compress files

which_python=`which python || which python3`
$which_python -c "import bz2;input_file=open('#{path_to_input_file}','rb');content=input_file.read();input_file.close();bz2content=bz2.compress(content,compresslevel=9);output_file=open('#{path_to_output_file}','w+');output_file.write(str(bz2content));output_file.close();"

shlinuxCompressing data using zipfile in Python (FreeBSD/Linux)

Uses zipfile from Python to compress files

which_python=`which python || which python3`
$which_python -c "from zipfile import ZipFile; ZipFile('#{path_to_output_file}', mode='w').write('#{path_to_input_file}')"

shlinuxCompressing data using tarfile in Python (FreeBSD/Linux)

Uses tarfile from Python to compress files

which_python=`which python || which python3`
$which_python -c "import tarfile; output_file = tarfile.open('#{path_to_output_file}','w'); output_file.add('#{path_to_input_file}'); output_file.close()"

◈

Detection Coverage

0/6 layers

Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).

Behavioral / log (Sigma) none

Analytics (MITRE CAR) none

Runtime / container (Falco) none

File / malware (YARA) none

Network (Suricata/Snort) none

Vuln scan (Nuclei) none

▣

Comply & Defend

D3FEND11 defensive techniques

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

MITRE ATT&CK Atomic Red Team car (MITRE)

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin