Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)
Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.
Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as tar
on Linux and macOS or zip
on Windows systems.
On Windows, diantz
or makecab
may be used to package collected files into a cabinet (.cab) file. diantz
may also be used to download and compress files from remote locations (i.e. Remote Data Staging).(Citation: diantz.exe_lolbas) xcopy
on Windows can copy files and directories with a variety of options. Additionally, adversaries may use certutil to Base64 encode collected data before exfiltration.
Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) | Attack Pattern | Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) | Attack Pattern | 1 |