ATTACK-T1560.001Active

Archive via Utility

Statement

Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.

Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as <code>tar</code> on Linux and macOS or <code>zip</code> on Windows systems.

On Windows, <code>diantz</code> or <code> makecab</code> may be used to package collected files into a cabinet (.cab) file. <code>diantz</code> may also be used to download and compress files from remote locations (i.e. Remote Data Staging).(Citation: diantz.exe_lolbas) <code>xcopy</code> on Windows can copy files and directories with a variety of options. Additionally, adversaries may use certutil to Base64 encode collected data before exfiltration.

Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)

Location

Tactic: Collection

Technique Details

Identifier: ATTACK-T1560.001
Parent Technique: ATTACK-T1560
ATT&CK Page: View on MITRE

Tactics

Collection

Platforms

LinuxmacOSWindows

Detection

Detect Archiving via Utility (T1560.001)

Mitigations

Audit: Auditing is the process of recording activity and systematically reviewing and analyzing the activity and system configurations. The primary purpose of auditing is to detect anomalies and identify potential threats or weaknesses in the environment. Proper auditing configurations can also help to meet compliance requirements. The process of auditing encompasses regular analysis of user behaviors and system logs in support of proactive security measures.

Auditing is applicable to all systems used within an organization, from the front door of a building to accessing a file on a fileserver. It is considered more critical for regulated industries such as, healthcare, finance and government where compliance requirements demand stringent tracking of user and system activates.This mitigation can be implemented through the following measures:

System Audit:

Use Case: Regularly assess system configurations to ensure compliance with organizational security policies.
Implementation: Use tools to scan for deviations from established benchmarks.

Permission Audits:

Use Case: Review file and folder permissions to minimize the risk of unauthorized access or privilege escalation.
Implementation: Run access reviews to identify users or groups with excessive permissions.

Software Audits:

Use Case: Identify outdated, unsupported, or insecure software that could serve as an attack vector.
Implementation: Use inventory and vulnerability scanning tools to detect outdated versions and recommend secure alternatives.

Configuration Audits:

Use Case: Evaluate system and network configurations to ensure secure settings (e.g., disabled SMBv1, enabled MFA).
Implementation: Implement automated configuration scanning tools like SCAP (Security Content Automation Protocol) to identify non-compliant systems.

Network Audits:

Use Case: Examine network traffic, firewall rules, and endpoint communications to identify unauthorized or insecure connections.
Implementation: Utilize tools such as Wireshark, or Zeek to monitor and log suspicious network behavior.

EquivalentPartialRelated

SP 800-53

SP800-53-CA-8relatedvia ctid-attack-to-sp800-53

SP800-53-RA-5relatedvia ctid-attack-to-sp800-53

SP800-53-SC-7relatedvia ctid-attack-to-sp800-53

SP800-53-SI-3relatedvia ctid-attack-to-sp800-53

SP800-53-SI-4relatedvia ctid-attack-to-sp800-53

View in graph Report an issue

← Back to Collection

System Audit:

Use Case: Regularly assess system configurations to ensure compliance with organizational security policies.
Implementation: Use tools to scan for deviations from established benchmarks.

Permission Audits:

Use Case: Review file and folder permissions to minimize the risk of unauthorized access or privilege escalation.
Implementation: Run access reviews to identify users or groups with excessive permissions.

Software Audits:

Use Case: Identify outdated, unsupported, or insecure software that could serve as an attack vector.
Implementation: Use inventory and vulnerability scanning tools to detect outdated versions and recommend secure alternatives.

Configuration Audits:

Use Case: Evaluate system and network configurations to ensure secure settings (e.g., disabled SMBv1, enabled MFA).
Implementation: Implement automated configuration scanning tools like SCAP (Security Content Automation Protocol) to identify non-compliant systems.

Network Audits:

Use Case: Examine network traffic, firewall rules, and endpoint communications to identify unauthorized or insecure connections.
Implementation: Utilize tools such as Wireshark, or Zeek to monitor and log suspicious network behavior.

Archive via Utility

Statement

Location

Technique Details

Tactics

Platforms

Detection

Mitigations

Cross-Framework Mappings5

Archive via Utility

Statement

Location

Technique Details

Tactics

Platforms

Detection

Mitigations

Cross-Framework Mappings5