# T1560 Archive Collected Data

-----------------------------------------------------------------------

## Technique Description

An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.

Both compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.

## Technique Detection

Archival software and archived files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used.

A process that loads the Windows DLL crypt32.dll may be used to perform encryption, decryption, or verification of file signatures.

Consider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)

-----------------------------------------------------------------------

### Tactics:

  *   Collection

### Platforms:

  * Linux

  * macOS

  * Windows

### Data Sources:

  * **Process:** Process Creation

  * **Script:** Script Execution

  * **Command:** Command Execution

  * **File:** File Creation

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Honeybee | [Honeybee](https://attack.mitre.org/groups/G0072) adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to the control server.(Citation: McAfee Honeybee)| 
| Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has archived victim's data prior to exfiltration.(Citation: CISA AA21-200A APT40 July 2021)| 
| APT32 | [APT32](https://attack.mitre.org/groups/G0050)'s backdoor has used LZMA compression and RC4 encryption before exfiltration.(Citation: ESET OceanLotus Mar 2019)| 
| menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has encrypted files and information before exfiltration.(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018)| 
| Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) encrypted the collected files' path with AES and then encoded them with base64.(Citation: TrendMicro Patchwork Dec 2017)| 
| FIN6 | Following data collection, [FIN6](https://attack.mitre.org/groups/G0037) has compressed log files into a ZIP archive prior to staging and exfiltration.(Citation: FireEye FIN6 April 2016)| 
| Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has compressed data into .zip files prior to exfiltration.(Citation: US-CERT TA18-074A)| 
| Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has compressed exfiltrated data with RAR and used RomeoDelta malware to archive specified directories in .zip format, encrypt the .zip file, and upload it to C2. (Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: ESET Lazarus Jun 2020)| 
| APT28 | [APT28](https://attack.mitre.org/groups/G0007) used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.(Citation: DOJ GRU Indictment Jul 2018)| 
| Ke3chang | The [Ke3chang](https://attack.mitre.org/groups/G0004) group has been known to compress data before exfiltration.(Citation: Mandiant Operation Ke3chang November 2014)| 
| Axiom | [Axiom](https://attack.mitre.org/groups/G0001) has compressed and encrypted data prior to exfiltration.(Citation: Novetta-Axiom)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1560)

  * [Wikipedia File Header Signatures](https://en.wikipedia.org/wiki/List_of_file_signatures), Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries may use native or publicly available tools (e.g. WinZip, WinRAR, 7-Zip, tar) to compress data prior to exfiltration.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT28, Turla | 1, 2 | 1 |


## Detection Blindspots

- Compressed files whose names do not end in a standard compressed file extension will be difficult to detect with extension-based queries.

## Analytical References

  * [ESET Sednit Part2 (welivesecurity)](https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf)
  * [Bears midst intrusion_Democratic National Committee (crowdstrike)](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes


#### Analytic 1

  * **Information:** Identify all file creations with compressed file types.

  * **Source:** Sysmon, Winlogbeats

  * **Tool:** Kibana

  * **Notes:** Sysmon Event ID 11 is FileCreate (match on TargetFilename); Event ID 1 is ProcessCreate (match on Image or CommandLine).

  * **Query:** ```Event_ID: 11 AND *.<compressed file extension here>```
  
  * **Query:** ```Event_ID: 1 AND *compression executable here*```

#### Analytic 2

  * **Information:** Identify compressed files in temp directories

  * **Source:** Sysmon, Winlogbeats

  * **Tool:** Kibana

  * **Notes:** Sysmon records the resolved path in TargetFilename, so match the expanded per-user temp directory (for example `C:\Users\<user>\AppData\Local\Temp\`) rather than an environment variable such as `%APPDATA%`.

  * **Query:** ```Event_ID: 11 AND *.<compressed file extension here> AND (C:\Windows\temp\* OR %APPDATA%\temp*)```
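
The two host analytics expressed as detection logic over constructed Sysmon-style events, as an added example that is not part of the original playbook. Field names follow Sysmon's schema (EventID, Image, CommandLine, TargetFilename); every sample event, the extension list and the archiver executable list are assumptions to tune per environment.

```python
"""Added example, not part of the original playbook: runs Analytics 1 and 2
above over a few constructed Sysmon-style events instead of a Kibana query.
Field names follow Sysmon's schema (EventID, Image, CommandLine,
TargetFilename); every event below is made up for this example, and the
extension and archiver lists are assumptions to tune per environment."""
import ntpath
import re

# Extensions this hunt treats as "compressed file types" (assumed list).
COMPRESSED_EXTS = {".zip", ".rar", ".7z", ".gz", ".tgz", ".tar", ".bz2", ".xz", ".cab"}

# Archive utilities from the hypothesis, by executable name (assumed list).
ARCHIVER_IMAGES = {"7z.exe", "7zg.exe", "winrar.exe", "rar.exe", "winzip64.exe",
                   "winzip32.exe", "tar.exe", "zip.exe"}

# Temp locations from Analytic 2, written the way Sysmon actually logs them:
# TargetFilename holds the resolved path, so "%APPDATA%" never appears in it.
TEMP_DIR_RE = re.compile(
    r"^(c:\\windows\\temp\\|c:\\users\\[^\\]+\\appdata\\local\\temp\\)", re.IGNORECASE)


def analytic1_file_creates(events):
    """Analytic 1, first query: Event ID 11 (FileCreate) with a compressed extension."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 11:
            continue
        path = ev.get("TargetFilename", "")
        if ntpath.splitext(path)[1].lower() in COMPRESSED_EXTS:
            hits.append(path)
    return hits


def analytic1_archiver_processes(events):
    """Analytic 1, second query: Event ID 1 (ProcessCreate) for a known archiver."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        image = ntpath.basename(ev.get("Image", "")).lower()
        if image in ARCHIVER_IMAGES:
            hits.append((image, ev.get("CommandLine", "")))
    return hits


def analytic2_temp_archives(events):
    """Analytic 2: compressed files created under a temp directory."""
    return [p for p in analytic1_file_creates(events) if TEMP_DIR_RE.match(p)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r"7z.exe a C:\Users\alice\AppData\Local\Temp\out.7z report.docx"},
    {"EventID": 11, "Image": r"C:\Program Files\7-Zip\7z.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\out.7z"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\update.zip"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\report.docx"},
    {"EventID": 11, "Image": r"C:\Program Files\Git\usr\bin\tar.exe",
     "TargetFilename": r"C:\Users\alice\Documents\backup.tar"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    print("Analytic 1 / file creates:", analytic1_file_creates(SAMPLE_EVENTS))
    print("Analytic 1 / archiver processes:", analytic1_archiver_processes(SAMPLE_EVENTS))
    print("Analytic 2 / archives in temp:", analytic2_temp_archives(SAMPLE_EVENTS))
```

Analytic 2 is deliberately a filter on top of Analytic 1's output, so the extension list is maintained in one place; the `backup.tar` event shows why the temp-directory filter matters for triage, since an archive written under Documents is far more likely to be benign user activity.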



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Suricata's file-inspection keywords (`fileext`, `filemagic`) can be used to alert when a transferred file's extension and its detected content type disagree, which is how a renamed archive can still be caught on the wire.
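
Header-based classification of the kind the Technique Detection section, the Detection Blindspots note and the Suricata mismatch note all rely on, as an added example that is neither the playbook's nor Suricata's own code. It identifies archive formats by their published magic bytes regardless of file name, flags a name/content mismatch, and uses byte entropy to surface blobs with no known header that may be encrypted. The extension map and the 7.5-bits-per-byte entropy threshold are assumptions, and every sample file is constructed in memory.

```python
"""Added example, not the playbook's or Suricata's own code: classify a file by
its header bytes instead of its name, so a renamed archive (the Detection
Blindspots note) or an encrypted blob still stands out, and flag name/content
mismatches the way a Suricata file-type rule would. The magic bytes are the
published signatures for each format; the extension map and the 7.5-bit
entropy threshold are assumptions, and every sample file is constructed."""
import io
import math
import os
import random
import zipfile
from collections import Counter

# (magic bytes, format) for the common archive/compression formats.
MAGIC = [
    (b"PK\x03\x04", "zip"),
    (b"Rar!\x1a\x07", "rar"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"\x1f\x8b", "gzip"),
    (b"BZh", "bzip2"),
    (b"\xfd7zXZ\x00", "xz"),
]

# Extensions that legitimately carry each format (assumed map). Office OOXML
# documents are zip containers, so a .docx with a PK header is not a mismatch.
EXT_FOR_TYPE = {
    "zip": {".zip", ".jar", ".docx", ".xlsx", ".pptx"},
    "rar": {".rar"},
    "7z": {".7z"},
    "gzip": {".gz", ".tgz"},
    "bzip2": {".bz2"},
    "xz": {".xz"},
}
HIGH_ENTROPY = 7.5  # bits per byte; random or encrypted data approaches 8.0


def identify(data):
    """Return the format whose magic bytes start `data`, or None."""
    for magic, fmt in MAGIC:
        if data.startswith(magic):
            return fmt
    return None


def shannon_entropy(data):
    """Shannon entropy of the byte histogram, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess(name, data):
    """Classify one file: honest archive, renamed archive, high-entropy unknown, or plain."""
    fmt = identify(data)
    ext = os.path.splitext(name)[1].lower()
    entropy = shannon_entropy(data)
    if fmt is not None:
        verdict = "archive" if ext in EXT_FOR_TYPE[fmt] else "archive-renamed"
    elif entropy >= HIGH_ENTROPY:
        verdict = "high-entropy-unknown"  # no known header: possibly encrypted staging
    else:
        verdict = "plain"
    return {"type": fmt, "entropy": round(entropy, 2), "verdict": verdict}


def scan(files):
    """Map file name -> verdict for a dict of {name: bytes}."""
    return {name: assess(name, data)["verdict"] for name, data in files.items()}


def _make_zip():
    """Build a real, minimal zip archive in memory so the PK header is genuine."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("doc.txt", "x" * 100)
    return buf.getvalue()


_rng = random.Random(7)  # seeded so the "encrypted" stand-in is reproducible

# Constructed sample files (built in memory; nothing here is real data).
SAMPLES = {
    "report.zip": _make_zip(),                              # honest archive
    "report.docx": _make_zip(),                             # OOXML: zip container, legitimate
    "notes.txt": b"7z\xbc\xaf\x27\x1c" + b"\x00" * 64,       # 7z header under a .txt name
    "backup.dat": bytes(_rng.getrandbits(8) for _ in range(4096)),  # stand-in for ciphertext
    "readme.txt": b"The quick brown fox jumps over the lazy dog.\n" * 20,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12s} {assess(name, data)}")
```

Only the first few bytes are needed for the format check, so the same logic applies to a file carved from a PCAP or to the head of a newly created file on a host; the entropy check is a heuristic and should be treated as a triage signal, not a verdict, since legitimately compressed media also scores high.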

#### Analytic 1

  * **Information:** Identify compressed files traversing the network over protocols such as SMB, FTP, Telnet, HTTP, etc.

  * **Source:** PCAP

  * **Tool:** Kibana, Arkime

  * **Notes:** 

  * **Query:** ```smb.fn == *.<compression type here>```

  * **Query:** ```ftp.fn == *.<compression type here>```

  * **Query:** ```email.fn == *.<compression type here>```