test_scratch
/
cti-ATT-CK-v13.1
/enterprise-attack
/attack-pattern
/attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662.json
{ | |
"type": "bundle", | |
"id": "bundle--ffe10296-7286-435d-baea-d8e0cb7a1325", | |
"spec_version": "2.0", | |
"objects": [ | |
{ | |
"modified": "2023-04-14T19:28:21.394Z", | |
"name": "Archive via Utility", | |
"description": "Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.\n\nAdversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as <code>tar</code> on Linux and macOS or <code>zip</code> on Windows systems. \n\nOn Windows, <code>diantz</code> or <code> makecab</code> may be used to package collected files into a cabinet (.cab) file. <code>diantz</code> may also be used to download and compress files from remote locations (i.e. [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002)).(Citation: diantz.exe_lolbas) <code>xcopy</code> on Windows can copy files and directories with a variety of options. Additionally, adversaries may use [certutil](https://attack.mitre.org/software/S0160) to Base64 encode collected data before exfiltration. \n\nAdversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)", | |
"kill_chain_phases": [ | |
{ | |
"kill_chain_name": "mitre-attack", | |
"phase_name": "collection" | |
} | |
], | |
"x_mitre_contributors": [ | |
"Mayan Arora aka Mayan Mohan", | |
"Mark Wee" | |
], | |
"x_mitre_deprecated": false, | |
"x_mitre_detection": "Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used.\n\nConsider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)", | |
"x_mitre_domains": [ | |
"enterprise-attack" | |
], | |
"x_mitre_is_subtechnique": true, | |
"x_mitre_platforms": [ | |
"Linux", | |
"macOS", | |
"Windows" | |
], | |
"x_mitre_version": "1.2", | |
"x_mitre_data_sources": [ | |
"File: File Creation", | |
"Process: Process Creation", | |
"Command: Command Execution" | |
], | |
"type": "attack-pattern", | |
"id": "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662", | |
"created": "2020-02-20T21:01:25.428Z", | |
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", | |
"revoked": false, | |
"external_references": [ | |
{ | |
"source_name": "mitre-attack", | |
"url": "https://attack.mitre.org/techniques/T1560/001", | |
"external_id": "T1560.001" | |
}, | |
{ | |
"source_name": "WinRAR Homepage", | |
"description": "A. Roshal. (2020). RARLAB. Retrieved February 20, 2020.", | |
"url": "https://www.rarlab.com/" | |
}, | |
{ | |
"source_name": "WinZip Homepage", | |
"description": "Corel Corporation. (2020). WinZip. Retrieved February 20, 2020.", | |
"url": "https://www.winzip.com/win/en/" | |
}, | |
{ | |
"source_name": "7zip Homepage", | |
"description": "I. Pavlov. (2019). 7-Zip. Retrieved February 20, 2020.", | |
"url": "https://www.7-zip.org/" | |
}, | |
{ | |
"source_name": "diantz.exe_lolbas", | |
"description": "Living Off The Land Binaries, Scripts and Libraries (LOLBAS). (n.d.). Diantz.exe. Retrieved October 25, 2021.", | |
"url": "https://lolbas-project.github.io/lolbas/Binaries/Diantz/" | |
}, | |
{ | |
"source_name": "Wikipedia File Header Signatures", | |
"description": "Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016.", | |
"url": "https://en.wikipedia.org/wiki/List_of_file_signatures" | |
} | |
], | |
"object_marking_refs": [ | |
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" | |
], | |
"x_mitre_attack_spec_version": "3.1.0", | |
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" | |
} | |
] | |
} |