# T1560.001 - Archive Collected Data: Archive via Utility
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities. Many utilities exist that can archive data, including 7-Zip(Citation: 7zip Homepage), WinRAR(Citation: WinRAR Homepage), and WinZip(Citation: WinZip Homepage). Most utilities include functionality to encrypt and/or compress data.

Some 3rd party utilities may be preinstalled, such as `tar` on Linux and macOS or `zip` on Windows systems.

## Atomic Tests

In [None]:
#Import the Module before running the tests.
# Checkout Jupyter Notebook at https://github.com/haresudhan/TheAtomicPlaybook to run PS scripts.
Import-Module /Users/0x6c/AtomicRedTeam/atomics/invoke-atomicredteam/Invoke-AtomicRedTeam.psd1 -Force

### Atomic Test #1 - Compress Data for Exfiltration With Rar
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration.
When the test completes you should find the txt files from the %USERPROFILE% directory compressed in a file called T1560.001-data.rar in the %USERPROFILE% directory.

**Supported Platforms:** windows
#### Dependencies:  Run with `None`!
##### Description: Rar tool must be installed at specified location (#{rar_exe})

##### Check Prereq Commands:
```None
if not exist "%programfiles%/WinRAR/Rar.exe" (exit /b 1)

```
##### Get Prereq Commands:
```None
echo Downloading Winrar installer
bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" %TEMP%\winrar.exe
echo Follow the installer prompts to install Winrar
%TEMP%\winrar.exe

```

In [None]:
Invoke-AtomicTest T1560.001 -TestNumbers 1 -GetPreReqs

#### Attack Commands: Run with `command_prompt`
```command_prompt
"%programfiles%/WinRAR/Rar.exe" a -r %USERPROFILE%\T1560.001-data.rar %USERPROFILE%\*.txt
```

In [None]:
Invoke-AtomicTest T1560.001 -TestNumbers 1

### Atomic Test #2 - Compress Data and lock with password for Exfiltration with winrar
Note: Requires winrar installation
rar a -p"blue" hello.rar (VARIANT)

**Supported Platforms:** windows
#### Attack Commands: Run with `command_prompt`
```command_prompt
mkdir .\tmp\victim-files
cd .\tmp\victim-files
echo "This file will be encrypted" > .\encrypted_file.txt
rar a -hp"blue" hello.rar
dir
```

In [None]:
Invoke-AtomicTest T1560.001 -TestNumbers 2

### Atomic Test #3 - Compress Data and lock with password for Exfiltration with winzip
Note: Requires winzip installation
wzzip sample.zip -s"blueblue" *.txt (VARIANT)

**Supported Platforms:** windows
#### Dependencies:  Run with `powershell`!
##### Description: Winzip must be installed

##### Check Prereq Commands:
```powershell
cmd /c 'if not exist "%ProgramFiles%\WinZip\winzip64.exe" (echo 1) else (echo 0)'

```
##### Get Prereq Commands:
```powershell
if(Invoke-WebRequestVerifyHash "https://download.winzip.com/gl/nkln/winzip24-home.exe" "$env:Temp\winzip.exe" B59DB592B924E963C21DA8709417AC0504F6158CFCB12FE5536F4A0E0D57D7FB){
  Write-Host Follow the installation prompts to continue
  cmd /c "$env:Temp\winzip.exe"
}

```

In [None]:
Invoke-AtomicTest T1560.001 -TestNumbers 3 -GetPreReqs

#### Attack Commands: Run with `command_prompt`
```command_prompt
path=%path%;"C:\Program Files (x86)\winzip"
mkdir .\tmp\victim-files
cd .\tmp\victim-files
echo "This file will be encrypted" > .\encrypted_file.txt
"%ProgramFiles%\WinZip\winzip64.exe" -min -a -s"hello" archive.zip *
dir
```

In [None]:
Invoke-AtomicTest T1560.001 -TestNumbers 3

### Atomic Test #4 - Compress Data and lock with password for Exfiltration with 7zip
Note: Requires 7zip installation

**Supported Platforms:** windows
#### Attack Commands: Run with `command_prompt`
```command_prompt
mkdir $PathToAtomicsFolder\T1560.001\victim-files
cd $PathToAtomicsFolder\T1560.001\victim-files
echo "This file will be encrypted" > .\encrypted_file.txt
7z a archive.7z -pblue
dir
```

In [None]:
Invoke-AtomicTest T1560.001 -TestNumbers 4

### Atomic Test #5 - Data Compressed - nix - zip
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression.

**Supported Platforms:** linux, macos
#### Dependencies:  Run with `None`!
##### Description: Files to zip must exist (#{input_files})

##### Check Prereq Commands:
```None
# -gt is the numeric comparison; a bare > inside [ ] is a shell redirect and creates a file named "0"
if [ "$(ls $HOME/*.txt 2>/dev/null | wc -l)" -gt 0 ]; then exit 0; else exit 1; fi;

```
##### Get Prereq Commands:
```None
echo Please set input_files argument to include files that exist

```

In [None]:
Invoke-AtomicTest T1560.001 -TestNumbers 5 -GetPreReqs

#### Attack Commands: Run with `sh`
```sh
zip $HOME/data.zip $HOME/*.txt
```

In [None]:
Invoke-AtomicTest T1560.001 -TestNumbers 5

### Atomic Test #6 - Data Compressed - nix - gzip Single File
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.

**Supported Platforms:** linux, macos
#### Attack Commands: Run with `sh`
```sh
test -e $HOME/victim-gzip.txt && gzip -k $HOME/victim-gzip.txt || (echo 'confidential! SSN: 078-05-1120 - CCN: 4000 1234 5678 9101' >> $HOME/victim-gzip.txt; gzip -k $HOME/victim-gzip.txt)
```

In [None]:
Invoke-AtomicTest T1560.001 -TestNumbers 6

### Atomic Test #7 - Data Compressed - nix - tar Folder or File
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.

**Supported Platforms:** linux, macos
#### Dependencies:  Run with `None`!
##### Description: Folder to zip must exist (#{input_file_folder})

##### Check Prereq Commands:
```None
test -e $HOME/$USERNAME

```
##### Get Prereq Commands:
```None
echo Please set input_file_folder argument to a folder that exists

```

In [None]:
Invoke-AtomicTest T1560.001 -TestNumbers 7 -GetPreReqs

#### Attack Commands: Run with `sh`
```sh
tar -cvzf $HOME/data.tar.gz $HOME/$USERNAME
```

In [None]:
Invoke-AtomicTest T1560.001 -TestNumbers 7

### Atomic Test #8 - Data Encrypted with zip and gpg symmetric
Encrypt data for exfiltration

**Supported Platforms:** macos, linux
#### Dependencies:  Run with `sh`!
##### Description: gpg and zip are required to run the test.
##### Check Prereq Commands:
```sh
if [ ! -x "$(command -v gpg)" ] || [ ! -x "$(command -v zip)" ]; then exit 1; fi;

```
##### Get Prereq Commands:
```sh
echo "Install gpg and zip to run the test"; exit 1;

```

In [None]:
Invoke-AtomicTest T1560.001 -TestNumbers 8 -GetPreReqs

#### Attack Commands: Run with `sh`
```sh
mkdir -p /tmp/T1560
cd /tmp/T1560; touch a b c d e f g
zip --password "InsertPasswordHere" /tmp/T1560/T1560 ./*
echo "InsertPasswordHere" | gpg --batch --yes --passphrase-fd 0 --output /tmp/T1560/T1560.zip.gpg -c /tmp/T1560/T1560.zip
ls -l /tmp/T1560
```

In [None]:
Invoke-AtomicTest T1560.001 -TestNumbers 8

## Detection
Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used.

Consider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)
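The two detection approaches above (process/command-line monitoring for known archival utilities, and file-header inspection independent of extension) can be prototyped against sample data. The script below is an added example, not part of the Atomic Red Team page: it flags process-creation events whose executable is one of the utilities used in the tests above, raises the result when the command line carries the password or encryption switches those tests use (`rar -p`/`-hp`, `7z -p`, `winzip64 -s`, `zip --password`, `gpg -c`), and then identifies RAR, 7z, ZIP and gzip containers by their magic bytes so a renamed archive is still caught. The log line format, host and user names, command lines and byte strings are all constructed for the example.

```python
"""Added example for T1560.001 detection (not Atomic Red Team code).

Part 1: scan constructed process-creation events for archival utilities and
        password/encryption switches on their command lines.
Part 2: identify compressed container types by file header (magic bytes) and
        flag files whose extension does not match the header.
"""
import re

# Utilities that appear in the atomic tests above, by executable base name.
ARCHIVE_UTILITIES = {"rar", "winrar", "7z", "winzip64", "wzzip", "zip", "gzip", "tar", "gpg"}

# Switches from the tests that set a password or request encryption.
ENCRYPTION_SWITCHES = {
    "rar": re.compile(r"^-hp|^-p"),            # rar -p<pwd> / -hp<pwd>
    "7z": re.compile(r"^-p"),                   # 7z -p<pwd>
    "winzip64": re.compile(r"^-s"),             # winzip64 -s<pwd>
    "wzzip": re.compile(r"^-s"),                # wzzip -s<pwd>
    "zip": re.compile(r"^(--password|-P|-e)$"), # zip --password <pwd>
    "gpg": re.compile(r"^(-c|--symmetric)$"),   # gpg -c (symmetric encryption)
}

# File header signatures for the container types the tests produce.
MAGIC_SIGNATURES = [
    (b"Rar!\x1a\x07", "rar"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"PK\x03\x04", "zip"),
    (b"\x1f\x8b", "gzip"),
]

# Extensions a given header legitimately appears under (OOXML and JAR files are ZIPs).
EXPECTED_EXTENSIONS = {
    "rar": (".rar",),
    "7z": (".7z",),
    "zip": (".zip", ".docx", ".xlsx", ".pptx", ".jar"),
    "gzip": (".gz", ".tgz"),
}


def tokenize(command_line):
    """Split on whitespace, keeping double-quoted paths whole, then drop the quotes."""
    return [t.replace('"', "") for t in re.findall(r'"[^"]*"|\S+', command_line)]


def classify_command(command_line):
    """Return {'utility', 'password_protected'} if the executable is an archiver, else None."""
    tokens = tokenize(command_line)
    if not tokens:
        return None
    exe = re.split(r"[\\/]", tokens[0])[-1].lower()   # base name on both Windows and Unix paths
    if exe.endswith(".exe"):
        exe = exe[:-4]
    if exe not in ARCHIVE_UTILITIES:
        return None
    pattern = ENCRYPTION_SWITCHES.get(exe)
    protected = pattern is not None and any(pattern.match(t) for t in tokens[1:])
    return {"utility": exe, "password_protected": protected}


def scan_process_log(lines):
    """Parse constructed 'timestamp|host|user|command_line' lines into findings."""
    findings = []
    for line in lines:
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue   # malformed record; a production rule would log this
        timestamp, host, user, command_line = parts
        hit = classify_command(command_line)
        if hit:
            findings.append({"timestamp": timestamp, "host": host, "user": user, **hit})
    return findings


def identify_container(data):
    """Return the container type named by the leading magic bytes, or None."""
    for magic, kind in MAGIC_SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def audit_files(files):
    """For each (name -> bytes) entry with a container header, report the type and any extension mismatch."""
    results = []
    for name, data in files.items():
        kind = identify_container(data)
        if kind is None:
            continue
        mismatch = not name.lower().endswith(EXPECTED_EXTENSIONS[kind])
        results.append({"file": name, "container": kind, "extension_mismatch": mismatch})
    return results


# Constructed sample events; command lines mirror the tests on this page.
SAMPLE_PROCESS_LOG = [
    '2024-01-01T10:00:00Z|WS01|alice|"C:\\Program Files\\WinRAR\\Rar.exe" a -r C:\\Users\\alice\\T1560.001-data.rar C:\\Users\\alice\\*.txt',
    '2024-01-01T10:01:00Z|WS01|alice|rar a -hp"blue" hello.rar',
    '2024-01-01T10:02:00Z|WS02|bob|7z a archive.7z -pblue',
    '2024-01-01T10:03:00Z|WS02|bob|notepad.exe C:\\Users\\bob\\notes.txt',
    '2024-01-01T10:04:00Z|SRV01|svc|zip --password InsertPasswordHere /tmp/T1560/T1560 ./*',
    '2024-01-01T10:05:00Z|SRV01|svc|gpg --batch --yes --passphrase-fd 0 --output /tmp/T1560/T1560.zip.gpg -c /tmp/T1560/T1560.zip',
    '2024-01-01T10:06:00Z|SRV01|svc|tar -cvzf /home/svc/data.tar.gz /home/svc/docs',
]

# Constructed file contents: a RAR archive hiding behind a .txt name, two honest archives, one text file.
SAMPLE_FILES = {
    "quarterly.txt": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16,
    "archive.7z": b"7z\xbc\xaf\x27\x1c\x00\x04" + b"\x00" * 16,
    "data.zip": b"PK\x03\x04\x14\x00" + b"\x00" * 16,
    "notes.txt": b"Meeting notes for Monday\n",
}

if __name__ == "__main__":
    for finding in scan_process_log(SAMPLE_PROCESS_LOG):
        print("process:", finding)
    for record in audit_files(SAMPLE_FILES):
        print("file:", record)
```

As the Detection text warns, the process-based rule will match benign backup and packaging jobs; the `password_protected` flag and the extension mismatch are the two signals worth prioritising, and a production rule should add an allow-list for known build and backup accounts.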