T1560.001 Archive via Utility
Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.

Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third-party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems. On Windows, diantz or makecab may be used to package collected files into a cabinet (.cab) file. diantz may also be used to download and compress files from remote locations (i.e. Remote Data Staging).4 xcopy on Windows can copy files and directories with a variety of options. Additionally, adversaries may use certutil to Base64 encode collected data before exfiltration.

Adversaries may also use third-party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.312
Item | Value |
---|---|
ID | T1560.001 |
Sub-techniques | T1560.001, T1560.002, T1560.003 |
Tactics | TA0009 |
Platforms | Linux, Windows, macOS |
Version | 1.2 |
Created | 20 February 2020 |
Last Modified | 14 April 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0622 | AppleSeed | AppleSeed can zip and encrypt data collected on a target system.22 |
G0006 | APT1 | APT1 has used RAR to compress files before moving them outside of the victim network.61 |
G0007 | APT28 | APT28 has used a variety of utilities, including WinRAR, to archive collected data with password protection.56 |
G0022 | APT3 | APT3 has used tools to compress data before exfilling it.45 |
G0064 | APT33 | APT33 has used WinRAR to compress data prior to exfil.49 |
G0087 | APT39 | APT39 has used WinRAR and 7-Zip to compress and archive stolen data.48 |
G0096 | APT41 | APT41 created a RAR archive of targeted files for exfiltration.53 |
G0143 | Aquatic Panda | Aquatic Panda has used WinRAR to compress memory dumps prior to exfiltration.66 |
G0060 | BRONZE BUTLER | BRONZE BUTLER has compressed data into password-protected RAR archives prior to exfiltration.3435 |
S0274 | Calisto | Calisto uses the zip -r command to compress the data collected on the local system.1314 |
S1043 | ccf32 | ccf32 has used xcopy \\<target_host>\c$\users\public\path.7z c:\users\public\bin\<target_host>.7z /H /Y to archive collected files.12 |
S0160 | certutil | certutil may be used to Base64 encode collected data.98 |
G0114 | Chimera | Chimera has used gzip for Linux OS and a modified RAR software to archive data on Windows hosts.5455 |
G0052 | CopyKittens | CopyKittens uses ZPP, a .NET console program, to compress files with ZIP.46 |
S0212 | CORALDECK | CORALDECK has created password-protected RAR, WinImage, and zip archives to be exfiltrated.18 |
S0538 | Crutch | Crutch has used the WinRAR utility to compress and encrypt stolen files.20 |
S0187 | Daserf | Daserf hides collected data in password-protected .rar archives.21 |
S0062 | DustySky | DustySky can compress files via RAR while staging data to be exfiltrated.16 |
G1006 | Earth Lusca | Earth Lusca has used WinRAR to compress stolen files into an archive prior to exfiltration.63 |
G0061 | FIN8 | FIN8 has used RAR to compress collected data before exfiltration.47 |
G0117 | Fox Kitten | Fox Kitten has used 7-Zip to archive data.62 |
C0007 | FunnyDream | During FunnyDream, the threat actors used 7zr.exe to add collected files to an archive.12 |
G0093 | GALLIUM | GALLIUM used WinRAR to compress and encrypt stolen data prior to exfiltration.3738 |
G0084 | Gallmaker | Gallmaker has used WinZip, likely to archive data prior to exfiltration.57 |
G0125 | HAFNIUM | HAFNIUM has used 7-Zip and WinRAR to compress stolen files for exfiltration.5859 |
S1022 | IceApple | IceApple can encrypt and compress files using Gzip prior to exfiltration.24 |
S0278 | iKitten | iKitten will zip up the /Library/Keychains directory before exfiltrating it.31 |
S0260 | InvisiMole | InvisiMole uses WinRAR to compress data that is intended to be exfiltrated.32 |
G0004 | Ke3chang | Ke3chang is known to use 7Zip and RAR with passwords to encrypt data prior to exfiltration.5051 |
G0094 | Kimsuky | Kimsuky has used QuickZip to archive stolen files before exfiltration.36 |
G0059 | Magic Hound | Magic Hound has used gzip to archive dumped LSASS process memory and RAR to stage and compress local folders.444342 |
G0045 | menuPass | menuPass has compressed files before exfiltration using TAR and RAR.403941 |
S0339 | Micropsia | Micropsia creates a RAR archive based on collected files on the victim’s machine.30 |
G0069 | MuddyWater | MuddyWater has used the native Windows cabinet creation tool, makecab.exe, likely to compress stolen data to be uploaded.33 |
G0129 | Mustang Panda | Mustang Panda has used RAR to create password-protected archives of collected documents prior to exfiltration.6465 |
S0340 | Octopus | Octopus has compressed data before exfiltrating it using a tool called Abbrevia.23 |
S0439 | Okrum | Okrum was seen using a RAR archiver tool to compress/decompress data.11 |
S0264 | OopsIE | OopsIE compresses collected files with GZipStream before sending them to its C2 server.19 |
C0012 | Operation CuckooBees | During Operation CuckooBees, the threat actors used the Makecab utility to compress and a version of WinRAR to create password-protected archives of stolen data prior to exfiltration.69 |
C0022 | Operation Dream Job | During Operation Dream Job, Lazarus Group archived victim’s data into a RAR file.73 |
C0006 | Operation Honeybee | During Operation Honeybee, the threat actors used zip to pack collected files before exfiltration.68 |
C0014 | Operation Wocao | During Operation Wocao, threat actors archived collected files with WinRAR, prior to exfiltration.67 |
S0428 | PoetRAT | PoetRAT has the ability to compress files with zip.15 |
S0378 | PoshC2 | PoshC2 contains a module for compressing data using ZIP.10 |
S0441 | PowerShower | PowerShower has used 7Zip to compress .txt, .pdf, .xls or .doc files prior to exfiltration.17 |
S0196 | PUNCHBUGGY | PUNCHBUGGY has Gzipped information and saved it to a random temp file before exfil.26 |
S0192 | Pupy | Pupy can compress data with Zip before sending it over C2.6 |
S0458 | Ramsay | Ramsay can compress and archive collected files using WinRAR.2829 |
S1040 | Rclone | Rclone can compress files using gzip prior to exfiltration.7 |
C0024 | SolarWinds Compromise | During the SolarWinds Compromise, APT29 used 7-Zip to compress stolen emails into password-protected archives prior to exfiltration; APT29 also compressed text files into zipped archives.707271 |
G0054 | Sowbug | Sowbug extracted documents and bundled them into a RAR archive.52 |
S0647 | Turian | Turian can use WinRAR to create a password-protected archive for files of interest.25 |
G0010 | Turla | Turla has encrypted files stolen from connected USB drives into a RAR file before exfiltration.60 |
S0466 | WindTail | WindTail has the ability to use the macOS built-in zip utility to archive files.27 |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1047 | Audit | System scans can be performed to identify unauthorized archival utilities. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Creation |
DS0009 | Process | Process Creation |
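The three data sources above (Command Execution, File Creation, Process Creation) can be turned into concrete checks. The Python below is an added example, not part of the ATT&CK page or of any vendor's product: it flags the archivers named in the description when they run, notes password or header-encryption switches, identifies newly created files as archives by their magic bytes (so a misleading extension does not hide a RAR or cabinet), and joins the file hits back to the commands that named them. The event shapes, ids, paths and command lines are constructed for the example and are not from a real host or EDR schema.

```python
"""
Added example (not from the ATT&CK page): apply the page's three detection
data sources to constructed process-creation and file-creation telemetry.
"""
import re
import shlex
from dataclasses import dataclass
from typing import Optional

# Archivers named on the page, with the switches that request a password or
# encrypted headers. Arguments are compared case-insensitively, so zip's -P
# is covered by "-p"; the heuristic is deliberately broad.
PASSWORD_SWITCHES = {
    "7z": ("-p", "-mhe"), "7za": ("-p", "-mhe"), "7zr": ("-p", "-mhe"),
    "rar": ("-p", "-hp"), "winrar": ("-p", "-hp"),
    "zip": ("-e", "-p", "--password"),
}
# Utilities that archive or package without their own encryption switch.
PLAIN_ARCHIVERS = {"tar", "gzip", "makecab", "diantz"}

# Magic bytes for File Creation events: the container type is visible even
# when the extension is misleading. ZIP-based document formats (docx, jar)
# also start with PK\x03\x04, so a "zip" hit needs extra context before alerting.
MAGIC = [
    (b"Rar!\x1a\x07", "rar"),        # RAR 4.x and 5.x share this prefix
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"PK\x03\x04", "zip"),
    (b"\x1f\x8b", "gzip"),
    (b"MSCF", "cab"),                # makecab / diantz output
]


@dataclass
class Finding:
    event_id: int
    utility: str
    severity: str
    reason: str


def image_name(token: str) -> str:
    """Reduce a quoted, path-qualified image (Windows or POSIX) to its bare lowercase name."""
    name = re.split(r"[\\/]", token.strip('"')).pop().lower()
    return name[:-4] if name.endswith(".exe") else name


def classify_command(event_id: int, cmdline: str) -> Optional[Finding]:
    """Process Creation / Command Execution: is this an archiver or encoder invocation?"""
    try:
        argv = shlex.split(cmdline, posix=False)   # posix=False keeps Windows backslashes
    except ValueError:
        return None
    if not argv:
        return None
    util, args = image_name(argv[0]), [a.lower() for a in argv[1:]]
    if util in PASSWORD_SWITCHES:
        if any(a.startswith(PASSWORD_SWITCHES[util]) for a in args):
            return Finding(event_id, util, "high", "archive created with password/encryption switch")
        return Finding(event_id, util, "medium", "archive utility executed")
    if util in PLAIN_ARCHIVERS:
        return Finding(event_id, util, "medium", "archive/cabinet utility executed")
    if util == "certutil" and "-encode" in args:
        return Finding(event_id, util, "medium", "certutil used to Base64-encode a file")
    return None


def scan_processes(events):
    return [f for f in (classify_command(i, c) for i, c in events) if f]


def identify_archive(header: bytes) -> Optional[str]:
    for sig, kind in MAGIC:
        if header.startswith(sig):
            return kind
    return None


def scan_files(events):
    """File Creation: (path, kind) for every new file whose header is an archive container."""
    return [(path, identify_archive(hdr)) for path, hdr in events if identify_archive(hdr)]


def correlate(process_events, file_hits):
    """Join each archive on disk to the process events whose command line names its path."""
    return {path: [i for i, c in process_events if path.lower() in c.lower()]
            for path, _ in file_hits}


# Constructed telemetry (event id, command line); hostnames, paths and the
# password are invented for the example.
PROCESS_EVENTS = [
    (1, r'"C:\Program Files\WinRAR\rar.exe" a -hpS3cret c:\users\public\out.dat c:\users\public\docs\*'),
    (2, r'7z.exe a -pS3cret -mhe=on c:\users\public\staging.7z c:\users\public\collected\*'),
    (3, r'certutil -encode c:\users\public\out.dat c:\users\public\out.txt'),
    (4, r'makecab.exe c:\users\public\report.docx c:\users\public\report.cab'),
    (5, 'tar -czf /tmp/.cache.tgz /home/alice/Documents'),
    (6, r'notepad.exe c:\users\public\notes.txt'),
]
# Constructed (path, first bytes) pairs for files created on the same host.
FILE_EVENTS = [
    (r"c:\users\public\out.dat", b"Rar!\x1a\x07\x01\x00" + bytes(8)),
    (r"c:\users\public\report.cab", b"MSCF" + bytes(12)),
    (r"c:\users\public\notes.txt", b"meeting notes\n"),
    ("/tmp/.cache.tgz", b"\x1f\x8b\x08\x00" + bytes(12)),
]

if __name__ == "__main__":
    for f in scan_processes(PROCESS_EVENTS):
        print(f"[{f.severity}] event {f.event_id}: {f.utility} - {f.reason}")
    hits = scan_files(FILE_EVENTS)
    links = correlate(PROCESS_EVENTS, hits)
    for path, kind in hits:
        print(f"archive on disk: {path} ({kind}) <- process events {links[path]}")
```

Run as a script it reports the RAR created by event 1 under a .dat name, the same file being Base64-encoded by certutil in event 3, the cabinet from makecab, and the gzip tarball; the plain notepad invocation and the text file produce nothing. In production the same checks would run over EDR process and file telemetry, and the high-severity password case is the one worth alerting on directly, since legitimate archiving rarely needs encrypted headers on files staged under a public or temp directory.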
References
- Corel Corporation. (2020). WinZip. Retrieved February 20, 2020.
- Living Off The Land Binaries, Scripts and Libraries (LOLBAS). (n.d.). Diantz.exe. Retrieved October 25, 2021.
- Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016.
- Nick Craig-Wood. (n.d.). Rclone syncs your files to cloud storage. Retrieved August 30, 2022.
- Microsoft. (2012, November 14). Certutil. Retrieved July 3, 2017.
- Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
- Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
- Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
- Kuzin, M., Zelensky, S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.
- Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018.
- Mercer, W., et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
- GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
- GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
- FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
- Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
- Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
- DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.
- Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
- Cherepanov, A. (2018, October 4). Nomadic Octopus: Cyber espionage in Central Asia. Retrieved October 13, 2021.
- CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022.
- Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021.
- Gorelik, M. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
- Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift’s implant: OSX.WindTail (part 2). Retrieved October 3, 2019.
- Sanmillan, I. (2020, May 13). Ramsay: A cyber-espionage toolkit tailored for air-gapped networks. Retrieved May 27, 2020.
- Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel’s infiltration and isolation network. Retrieved March 24, 2021.
- Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
- Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
- Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
- Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
- Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
- Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
- An, J. and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
- Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
- MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
- Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
- DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
- DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
- Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
- valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.
- ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
- Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
- Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
- Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved April 10, 2019.
- Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
- MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
- Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
- Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
- Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton Key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.
- Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.
- NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
- Symantec Security Response. (2018, October 10). Gallmaker: New Attack Group Eschews Malware to Live off the Land. Retrieved November 27, 2018.
- MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.
- Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.
- Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
- Mandiant. (n.d.). APT1: Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
- CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
- Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
- Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
- Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong. Avira Blog. Retrieved April 13, 2021.
- Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022.
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
- Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.
- Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
- CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
- MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021.
- Breitenbacher, D. and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.