T1560.002SubTechniquecollectionagent-callable

T1560.002Archive via Library

Sub-technique of T1560

Platforms: Linux · macOS · Windows

ATT&CK version: 14.1

What it is

An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including [Python](https://attack.mitre.org/techniques/T1059/006) rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data. Some archival libraries are preinstalled on systems, such as bzip2 on macOS and Linux, and zip on Windows. Note that the libraries are different from the utilities. The libraries can be linked against when compiling, while the utilities require spawning a subshell, or a similar execution mechanism.

ATT&CK tactics· 1

Collection

References

  1. https://attack.mitre.org/techniques/T1560/002
  2. https://pypi.org/project/rarfile/
  3. https://libzip.org/
  4. https://github.com/madler/zlib
  5. https://en.wikipedia.org/wiki/List_of_file_signatures
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.