# T1560.001 Archive via Utility

-----------------------------------------------------------------------

## Technique Description

Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.

Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third-party utilities may be preinstalled, such as <code>tar</code> on Linux and macOS or <code>zip</code> on Windows systems. On Windows, <code>diantz</code> or <code>makecab</code> may be used to package collected files into a cabinet (.cab) file. <code>diantz</code> may also be used to download and compress files from remote locations (i.e. [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002)).(Citation: diantz.exe_lolbas) Additionally, <code>xcopy</code> on Windows can copy files and directories with a variety of options.

Adversaries may also use third-party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)

## Technique Detection

Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used.

Consider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)

-----------------------------------------------------------------------

### Tactics:

  *   Collection

### Platforms:

  * Linux

  * macOS

  * Windows

### Data Sources:

  * **File:** File Creation

  * **Process:** Process Creation

  * **Command:** Command Execution

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Aquatic Panda | [Aquatic Panda](https://attack.mitre.org/groups/G0143) has used WinRAR to compress memory dumps prior to exfiltration.(Citation: CrowdStrike AQUATIC PANDA December 2021)| 
| Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has used RAR to create password-protected archives of collected documents prior to exfiltration.(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Avira Mustang Panda January 2020)| 
| HAFNIUM | [HAFNIUM](https://attack.mitre.org/groups/G0125) has used 7-Zip and WinRAR to compress stolen files for exfiltration.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)| 
| UNC2452 | [UNC2452](https://attack.mitre.org/groups/G0118) used 7-Zip to compress stolen emails into password-protected archives prior to exfiltration.(Citation: Volexity SolarWinds)(Citation: Microsoft Deep Dive Solorigate January 2021)| 
| Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has used 7-Zip to archive data.(Citation: CISA AA20-259A Iran-Based Actor September 2020)| 
| Operation Wocao | [Operation Wocao](https://attack.mitre.org/groups/G0116) has archived collected files with WinRAR, prior to exfiltration.(Citation: FoxIT Wocao December 2019)| 
| Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used gzip for Linux OS and a modified RAR software to archive data on Windows hosts.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)| 
| APT41 | [APT41](https://attack.mitre.org/groups/G0096) created a RAR archive of targeted files for exfiltration.(Citation: FireEye APT41 Aug 2019)| 
| Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used QuickZip to archive stolen files before exfiltration.(Citation: Talos Kimsuky Nov 2021)| 
| GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) used WinRAR to compress and encrypt stolen data prior to exfiltration.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)| 
| APT39 | [APT39](https://attack.mitre.org/groups/G0087) has used WinRAR and 7-Zip to compress and archive stolen data.(Citation: FireEye APT39 Jan 2019)| 
| Gallmaker | [Gallmaker](https://attack.mitre.org/groups/G0084) has used WinZip, likely to archive data prior to exfiltration.(Citation: Symantec Gallmaker Oct 2018)| 
| MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used the native Windows cabinet creation tool, makecab.exe, likely to compress stolen data to be uploaded.(Citation: Symantec MuddyWater Dec 2018)| 
| APT33 | [APT33](https://attack.mitre.org/groups/G0064) has used WinRAR to compress data prior to exfil.(Citation: Symantec Elfin Mar 2019)| 
| FIN8 | [FIN8](https://attack.mitre.org/groups/G0061) has used RAR to compress collected data before exfiltration.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)| 
| Sowbug | [Sowbug](https://attack.mitre.org/groups/G0054) extracted documents and bundled them into a RAR archive.(Citation: Symantec Sowbug Nov 2017)| 
| Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has used RAR to stage and compress local folders.(Citation: FireEye APT35 2018)| 
| BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has compressed data into password-protected RAR archives prior to exfiltration.(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)| 
| CopyKittens | [CopyKittens](https://attack.mitre.org/groups/G0052) uses ZPP, a .NET console program, to compress files with ZIP.(Citation: ClearSky Wilted Tulip July 2017)| 
| menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has compressed files before exfiltration using TAR and RAR.(Citation: PWC Cloud Hopper April 2017)(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: Symantec Cicada November 2020)| 
| APT3 | [APT3](https://attack.mitre.org/groups/G0022) has used tools to compress data before exfilling it.(Citation: aptsim)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) used 7-Zip to compress stolen emails into password-protected archives prior to exfiltration.(Citation: Volexity SolarWinds)(Citation: Microsoft Deep Dive Solorigate January 2021)(Citation: CrowdStrike StellarParticle January 2022)| 
| Turla | [Turla](https://attack.mitre.org/groups/G0010) has encrypted files stolen from connected USB drives into a RAR file before exfiltration.(Citation: Symantec Waterbug Jun 2019)| 
| APT28 | [APT28](https://attack.mitre.org/groups/G0007) has used a variety of utilities, including WinRAR, to archive collected data with password protection.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)| 
| APT1 | [APT1](https://attack.mitre.org/groups/G0006) has used RAR to compress files before moving them outside of the victim network.(Citation: Mandiant APT1)| 
| Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) is known to use 7Zip and RAR with passwords to encrypt data prior to exfiltration.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: Microsoft NICKEL December 2021)| 
-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1560/001)

  * [Winrar Homepage](https://www.rarlab.com/), A. Roshal. (2020). RARLAB. Retrieved February 20, 2020.

  * [Winzip Homepage](https://www.winzip.com/win/en/), Corel Corporation. (2020). WinZip. Retrieved February 20, 2020.

  * [7Zip Homepage](https://www.7-zip.org/), I. Pavlov. (2019). 7-Zip. Retrieved February 20, 2020.

  * [Diantz.Exe_Lolbas](https://lolbas-project.github.io/lolbas/Binaries/Diantz/), Living Off The Land Binaries, Scripts and Libraries (LOLBAS). (n.d.). Diantz.exe. Retrieved October 25, 2021.

  * [Wikipedia File Header Signatures](https://en.wikipedia.org/wiki/List_of_file_signatures), Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries may use native or publicly available tools to compress data in preparation for exfiltration (e.g. WinZip, WinRAR, 7-Zip, tar).

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT28, Turla | 1, 2 | 1 |


## Detection Blindspots

- Archives written with a file extension other than a standard compressed-file extension will not be caught by extension-based queries; only header (magic byte) inspection will find them.

## Analytical References

  * [ESET Sednit Part2 (welivesecurity)](https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf)
  * [Bears midst intrusion_Democratic National Committee (crowdstrike)](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes



#### Analytic 1

  * **Information:** Identify all file creations with compressed file types.

  * **Source:** Sysmon, Winlogbeats

  * **Tool:** Kibana

  * **Notes:** 

  * **Query:** ```Event_ID: 11 AND *.<compressed file extension here>```
  
  * **Query:** ```Event_ID: 1 AND *compression executable here*```

#### Analytic 2

  * **Information:** Identify compressed files in temp directories

  * **Source:** Sysmon, Winlogbeats

  * **Tool:** Kibana

  * **Notes:** 

  * **Query:** ```Event_ID: 11 AND *.<compressed file extension here> AND (C:\Windows\temp\* OR %APPDATA%\temp*)```


-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------


- Suricata can be used to alert when a transferred file's header signature (magic bytes) does not match its extension, which covers archives renamed to evade extension-based detection.
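The Suricata note above and the extension blind spot listed under Detection Blindspots both reduce to one check: compare a file's header signature with its extension. The following is an added Python example, not part of the original playbook or any Suricata rule, that performs that check on files pulled from a host or carved from PCAP; the signature bytes are public file-signature constants, while the map of "expected" extensions per format is an assumption to tune for your environment.

```python
import os

# Header signatures (magic bytes) for the archive formats named on this page
# plus a few common ones; these are public file-signature constants.
ARCHIVE_SIGNATURES = {
    "zip": [b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"],
    "rar": [b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"],
    "7z": [b"7z\xbc\xaf\x27\x1c"],
    "gzip": [b"\x1f\x8b"],
    "cab": [b"MSCF"],
    "bz2": [b"BZh"],
    "xz": [b"\xfd7zXZ\x00"],
}
# Assumed map of extensions that legitimately carry each header. ZIP is also
# the container for OOXML, JAR and APK files, the main source of benign hits.
EXPECTED_EXTENSIONS = {
    "zip": {".zip", ".docx", ".xlsx", ".pptx", ".jar", ".apk"},
    "rar": {".rar"},
    "7z": {".7z"},
    "gzip": {".gz", ".tgz"},
    "cab": {".cab"},
    "bz2": {".bz2"},
    "xz": {".xz", ".txz"},
}

def identify_archive(header):
    """Return the archive format whose signature begins `header`, else None."""
    for fmt, sigs in ARCHIVE_SIGNATURES.items():
        if any(header.startswith(sig) for sig in sigs):
            return fmt
    return None

def classify(name, header):
    """Compare a file's header bytes with its extension.
    Returns (format, verdict): "not-archive" when no signature matches,
    "match" when the extension is normal for that format, "mismatch" when
    an archive hides behind another extension (the extension-only blind spot).
    """
    fmt = identify_archive(header)
    if fmt is None:
        return None, "not-archive"
    ext = os.path.splitext(name)[1].lower()
    return fmt, "match" if ext in EXPECTED_EXTENSIONS[fmt] else "mismatch"

def classify_file(path):
    """Read the first 8 bytes of a file on disk and classify it."""
    with open(path, "rb") as f:
        return classify(path, f.read(8))
```

Run `classify_file` over files extracted by Arkime or Sysmon-reported temp directories and review the "mismatch" verdicts first, since those are the ones the extension queries in the analytics above cannot surface.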

#### Analytic 1

  * **Information:** Identify compressed files traversing the network over protocols such as SMB, FTP, Telnet, HTTP, etc.

  * **Source:** PCAP

  * **Tool:** Kibana, Arkime

  * **Notes:** 

  * **Query:** ```smb.fn == *.<compression type here>```

  * **Query:** ```ftp.fn == *.<compression type here>```

  * **Query:** ```email.fn == *.<compression type here>```
 