cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662.json

{
    "type": "bundle",
    "id": "bundle--ffe10296-7286-435d-baea-d8e0cb7a1325",
    "spec_version": "2.0",
    "objects": [
        {
            "modified": "2023-04-14T19:28:21.394Z",
            "name": "Archive via Utility",
            "description": "Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.\n\nAdversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as <code>tar</code> on Linux and macOS or <code>zip</code> on Windows systems. \n\nOn Windows, <code>diantz</code> or <code> makecab</code> may be used to package collected files into a cabinet (.cab) file. <code>diantz</code> may also be used to download and compress files from remote locations (i.e. [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002)).(Citation: diantz.exe_lolbas) <code>xcopy</code> on Windows can copy files and directories with a variety of options. Additionally, adversaries may use [certutil](https://attack.mitre.org/software/S0160) to Base64 encode collected data before exfiltration. \n\nAdversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-attack",
                    "phase_name": "collection"
                }
            ],
            "x_mitre_contributors": [
                "Mayan Arora aka Mayan Mohan",
                "Mark Wee"
            ],
            "x_mitre_deprecated": false,
            "x_mitre_detection": "Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used.\n\nConsider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)",
            "x_mitre_domains": [
                "enterprise-attack"
            ],
            "x_mitre_is_subtechnique": true,
            "x_mitre_platforms": [
                "Linux",
                "macOS",
                "Windows"
            ],
            "x_mitre_version": "1.2",
            "x_mitre_data_sources": [
                "File: File Creation",
                "Process: Process Creation",
                "Command: Command Execution"
            ],
            "type": "attack-pattern",
            "id": "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662",
            "created": "2020-02-20T21:01:25.428Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/techniques/T1560/001",
                    "external_id": "T1560.001"
                },
                {
                    "source_name": "WinRAR Homepage",
                    "description": "A. Roshal. (2020). RARLAB. Retrieved February 20, 2020.",
                    "url": "https://www.rarlab.com/"
                },
                {
                    "source_name": "WinZip Homepage",
                    "description": "Corel Corporation. (2020). WinZip. Retrieved February 20, 2020.",
                    "url": "https://www.winzip.com/win/en/"
                },
                {
                    "source_name": "7zip Homepage",
                    "description": "I. Pavlov. (2019). 7-Zip. Retrieved February 20, 2020.",
                    "url": "https://www.7-zip.org/"
                },
                {
                    "source_name": "diantz.exe_lolbas",
                    "description": "Living Off The Land Binaries, Scripts and Libraries (LOLBAS). (n.d.). Diantz.exe. Retrieved October 25, 2021.",
                    "url": "https://lolbas-project.github.io/lolbas/Binaries/Diantz/"
                },
                {
                    "source_name": "Wikipedia File Header Signatures",
                    "description": "Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016.",
                    "url": "https://en.wikipedia.org/wiki/List_of_file_signatures"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "x_mitre_attack_spec_version": "3.1.0",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
        }
    ]
}