{
"type": "bundle",
"id": "bundle--ffe10296-7286-435d-baea-d8e0cb7a1325",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-04-14T19:28:21.394Z",
"name": "Archive via Utility",
"description": "Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.\n\nAdversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems. \n\nOn Windows, diantz or makecab may be used to package collected files into a cabinet (.cab) file. diantz may also be used to download and compress files from remote locations (i.e. [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002)).(Citation: diantz.exe_lolbas) xcopy on Windows can copy files and directories with a variety of options. Additionally, adversaries may use [certutil](https://attack.mitre.org/software/S0160) to Base64 encode collected data before exfiltration. \n\nAdversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_contributors": [
"Mayan Arora aka Mayan Mohan",
"Mark Wee"
],
"x_mitre_deprecated": false,
"x_mitre_detection": "Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used.\n\nConsider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)",
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.2",
"x_mitre_data_sources": [
"File: File Creation",
"Process: Process Creation",
"Command: Command Execution"
],
"type": "attack-pattern",
"id": "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662",
"created": "2020-02-20T21:01:25.428Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1560/001",
"external_id": "T1560.001"
},
{
"source_name": "WinRAR Homepage",
"description": "A. Roshal. (2020). RARLAB. Retrieved February 20, 2020.",
"url": "https://www.rarlab.com/"
},
{
"source_name": "WinZip Homepage",
"description": "Corel Corporation. (2020). WinZip. Retrieved February 20, 2020.",
"url": "https://www.winzip.com/win/en/"
},
{
"source_name": "7zip Homepage",
"description": "I. Pavlov. (2019). 7-Zip. Retrieved February 20, 2020.",
"url": "https://www.7-zip.org/"
},
{
"source_name": "diantz.exe_lolbas",
"description": "Living Off The Land Binaries, Scripts and Libraries (LOLBAS). (n.d.). Diantz.exe. Retrieved October 25, 2021.",
"url": "https://lolbas-project.github.io/lolbas/Binaries/Diantz/"
},
{
"source_name": "Wikipedia File Header Signatures",
"description": "Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016.",
"url": "https://en.wikipedia.org/wiki/List_of_file_signatures"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}
]
}