
T1560.001Archive via Utility

Sub-technique of T1560

Platforms: Linux · macOS · Windows

ATT&CK version: 14.1

What it is

Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionality to compress, encrypt, or otherwise package data into a format that is easier or more secure to transport. Some third-party utilities may be preinstalled, such as `tar` on Linux and macOS or `zip` on Windows systems. On Windows, `diantz` or `makecab` may be used to package collected files into a cabinet (.cab) file; `diantz` may also be used to download and compress files from remote locations (i.e. [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002)) [5]. `xcopy` on Windows can copy files and directories with a variety of options. Additionally, adversaries may use [certutil](https://attack.mitre.org/software/S0160) to Base64-encode collected data before exfiltration. Adversaries may also use third-party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities [4][2][3].
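As an added example (not code from the ATT&CK page or from SQUR), the following Python hunting helper flags process events that invoke the utilities named above, treats `certutil` as relevant only when it is run with `-encode`, and identifies resulting archive files by their leading bytes; the sample events are constructed.

```python
"""Hunting helper for T1560.001 (added example, not part of the ATT&CK page).
Flags the utilities the page names in process-creation events and identifies
archive output by magic bytes (signatures from the file-signature list, ref. 6)."""
from typing import Optional

# Utilities named on the page; 7z/rar/winzip binaries cover the third-party tools.
ARCHIVE_UTILS = {"tar", "zip", "makecab", "diantz", "7z", "7za", "rar", "winrar", "winzip"}

# Leading bytes of the archive formats those utilities produce.
MAGIC = [(b"PK\x03\x04", "zip"), (b"Rar!\x1a\x07", "rar"),
         (b"7z\xbc\xaf\x27\x1c", "7z"), (b"MSCF", "cab"), (b"\x1f\x8b", "gzip")]

def archive_type(data: bytes) -> Optional[str]:
    """Return the archive format of a file's leading bytes, or None."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    return None

def flag_process(image: str, cmdline: str) -> Optional[str]:
    """Return a reason string if the event matches T1560.001 behaviour, else None."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name.endswith(".exe"):
        name = name[:-4]
    if name in ARCHIVE_UTILS:
        return f"archive utility: {name}"
    # certutil is only relevant here when it Base64-encodes data (-encode).
    if name == "certutil" and "-encode" in cmdline.lower().split():
        return "certutil base64 encoding"
    return None

# Constructed sample events (not real telemetry): (image path, command line).
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\makecab.exe", r"makecab.exe C:\staging\docs.txt C:\staging\docs.cab"),
    (r"C:\Windows\System32\certutil.exe", "certutil -encode docs.cab docs.txt"),
    ("/usr/bin/tar", "tar czf /tmp/out.tgz /home/user/docs"),
    (r"C:\Windows\System32\certutil.exe", "certutil -verify cert.cer"),  # benign use
    ("/usr/bin/ls", "ls -la /home/user"),
]

def hunt(events):
    """Return (image, reason) for each flagged event. tar/zip are noisy on
    admin hosts, so baseline them before alerting."""
    return [(img, why) for img, cmd in events if (why := flag_process(img, cmd))]

if __name__ == "__main__":
    for image, reason in hunt(SAMPLE_EVENTS):
        print(f"{reason:26} {image}")
```

Pair the process check with `archive_type()` on newly written files in staging directories to catch renamed archives (e.g. a .cab saved with a .txt extension).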

ATT&CK tactics (1)

Collection

References

  1. https://attack.mitre.org/techniques/T1560/001
  2. https://www.rarlab.com/
  3. https://www.winzip.com/win/en/
  4. https://www.7-zip.org/
  5. https://lolbas-project.github.io/lolbas/Binaries/Diantz/
  6. https://en.wikipedia.org/wiki/List_of_file_signatures

Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.