Description
Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.
Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems.
On Windows, diantz or makecab may be used to package collected files into a cabinet (.cab) file. diantz may also be used to download and compress files from remote locations (i.e. Remote Data Staging).(Citation: diantz.exe_lolbas) xcopy on Windows can copy files and directories with a variety of options. Additionally, adversaries may use certutil to Base64 encode collected data before exfiltration.
Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)
Platforms
Mitigations (1)
AuditM1047
System scans can be performed to identify unauthorized archival utilities.
Threat Groups (39)
| ID | Group | Context |
|---|---|---|
| G0125 | HAFNIUM | [HAFNIUM](https://attack.mitre.org/groups/G0125) has used 7-Zip and WinRAR to compress stolen files for exfiltration.(Citation: Microsoft HAFNIUM Marc... |
| G0045 | menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has compressed files before exfiltration using TAR and RAR.(Citation: PWC Cloud Hopper April 2017)(C... |
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has archived data into ZIP files on compromised machines.(Citation: Mandiant FIN12 Oct 2021) |
| G0064 | APT33 | [APT33](https://attack.mitre.org/groups/G0064) has used WinRAR to compress data prior to exfil.(Citation: Symantec Elfin Mar 2019) |
| G0117 | Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has used 7-Zip to archive data.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| G0052 | CopyKittens | [CopyKittens](https://attack.mitre.org/groups/G0052) uses ZPP, a .NET console program, to compress files with ZIP.(Citation: ClearSky Wilted Tulip Jul... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has archived the ntds.dit database as a multi-volume password-protected archive with 7-Zip.(Cita... |
| G0006 | APT1 | [APT1](https://attack.mitre.org/groups/G0006) has used RAR to compress files before moving them outside of the victim network.(Citation: Mandiant APT1... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has used RAR to create password-protected archives of collected documents prior to exfiltration... |
| G1040 | Play | [Play](https://attack.mitre.org/groups/G1040) has used WinRAR to compress files prior to exfiltration.(Citation: CISA Play Ransomware Advisory Decemb... |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used gzip for Linux OS and a modified RAR software to archive data on Windows hosts.(Citation: Cy... |
| G0084 | Gallmaker | [Gallmaker](https://attack.mitre.org/groups/G0084) has used WinZip, likely to archive data prior to exfiltration.(Citation: Symantec Gallmaker Oct 201... |
| G1041 | Sea Turtle | [Sea Turtle](https://attack.mitre.org/groups/G1041) used the tar utility to create a local archive of email data on a victim system.(Citation: Hunt Se... |
| G0087 | APT39 | [APT39](https://attack.mitre.org/groups/G0087) has used WinRAR and 7-Zip to compress an archive stolen data.(Citation: FireEye APT39 Jan 2019) |
| G1039 | RedCurl | [RedCurl](https://attack.mitre.org/groups/G1039) has downloaded 7-Zip to decompress password protected archives.(Citation: trendmicro_redcurl) |
| G1023 | APT5 | [APT5](https://attack.mitre.org/groups/G1023) has used the JAR/ZIP file format for exfiltrated files.(Citation: Mandiant Pulse Secure Update May 2021) |
| G1030 | Agrius | [Agrius](https://attack.mitre.org/groups/G1030) used 7zip to archive extracted data in preparation for exfiltration.(Citation: Unit42 Agrius 2023) |
| G0093 | GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) used WinRAR to compress and encrypt stolen data prior to exfiltration.(Citation: Cybereason Soft Cell... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) created a RAR archive of targeted files for exfiltration.(Citation: FireEye APT41 Aug 2019) Additionall... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used the native Windows cabinet creation tool, makecab.exe, likely to compress stolen data to ... |
Associated Software (34)
| ID | Name | Type | Context |
|---|---|---|---|
| S0538 | Crutch | Malware | [Crutch](https://attack.mitre.org/software/S0538) has used the WinRAR utility to compress and encrypt stolen files.(Citation: ESET Crutch December 202... |
| S0439 | Okrum | Malware | [Okrum](https://attack.mitre.org/software/S0439) was seen using a RAR archiver tool to compress/decompress data.(Citation: ESET Okrum July 2019) |
| S0160 | certutil | Tool | [certutil](https://attack.mitre.org/software/S0160) may be used to Base64 encode collected data.(Citation: TechNet Certutil)(Citation: LOLBAS Certutil... |
| S9010 | GlassWorm | Malware | [GlassWorm](https://attack.mitre.org/software/S9010) has archived collected files within a zip file prior to exfiltration to include `/tmp/out.zip`.(C... |
| S1043 | ccf32 | Malware | [ccf32](https://attack.mitre.org/software/S1043) has used `xcopy \\<target_host>\c$\users\public\path.7z c:\users\public\bin\<target_host>.7z /H /Y` t... |
| S0260 | InvisiMole | Malware | [InvisiMole](https://attack.mitre.org/software/S0260) uses WinRAR to compress data that is intended to be exfiltrated.(Citation: ESET InvisiMole June ... |
| S0062 | DustySky | Malware | [DustySky](https://attack.mitre.org/software/S0062) can compress files via RAR while staging data to be exfiltrated.(Citation: Kaspersky MoleRATs Apri... |
| S0187 | Daserf | Malware | [Daserf](https://attack.mitre.org/software/S0187) hides collected data in password-protected .rar archives.(Citation: Symantec Tick Apr 2016) |
| S1141 | LunarWeb | Malware | [LunarWeb](https://attack.mitre.org/software/S1141) can create a ZIP archive with specified files and directories.(Citation: ESET Turla Lunar toolset ... |
| S0378 | PoshC2 | Tool | [PoshC2](https://attack.mitre.org/software/S0378) contains a module for compressing data using ZIP.(Citation: GitHub PoshC2) |
| S1168 | SampleCheck5000 | Malware | [SampleCheck5000](https://attack.mitre.org/software/S1168) can gzip compress files uploaded to a shared mailbox used for C2 and exfiltration.(Citation... |
| S1246 | BeaverTail | Malware | [BeaverTail](https://attack.mitre.org/software/S1246) has collected and archived sensitive data in a zip file.(Citation: Socket BeaverTail XORIndex He... |
| S0196 | PUNCHBUGGY | Malware | [PUNCHBUGGY](https://attack.mitre.org/software/S0196) has Gzipped information and saved it to a random temp file before exfil.(Citation: Morphisec She... |
| S0458 | Ramsay | Malware | [Ramsay](https://attack.mitre.org/software/S0458) can compress and archive collected files using WinRAR.(Citation: Eset Ramsay May 2020)(Citation: Ant... |
| S0647 | Turian | Malware | [Turian](https://attack.mitre.org/software/S0647) can use WinRAR to create a password-protected archive for files of interest.(Citation: ESET Backdoor... |
| S1022 | IceApple | Malware | [IceApple](https://attack.mitre.org/software/S1022) can encrypt and compress files using Gzip prior to exfiltration.(Citation: CrowdStrike IceApple Ma... |
| S0278 | iKitten | Malware | [iKitten](https://attack.mitre.org/software/S0278) will zip up the /Library/Keychains directory before exfiltrating it.(Citation: objsee mac malware 2... |
| S0466 | WindTail | Malware | [WindTail](https://attack.mitre.org/software/S0466) has the ability to use the macOS built-in zip utility to archive files.(Citation: objective-see wi... |
| S0212 | CORALDECK | Malware | [CORALDECK](https://attack.mitre.org/software/S0212) has created password-protected RAR, WinImage, and zip archives to be exfiltrated.(Citation: FireE... |
| S0339 | Micropsia | Malware | [Micropsia](https://attack.mitre.org/software/S0339) creates a RAR archive based on collected files on the victim's machine.(Citation: Radware Microps... |
References
- A. Roshal. (2020). RARLAB. Retrieved February 20, 2020.
- Corel Corporation. (2020). WinZip. Retrieved February 20, 2020.
- I. Pavlov. (2019). 7-Zip. Retrieved February 20, 2020.
- Living Off The Land Binaries, Scripts and Libraries (LOLBAS). (n.d.). Diantz.exe. Retrieved October 25, 2021.
- Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016.
Frequently Asked Questions
What is T1560.001 (Archive via Utility)?
T1560.001 is a MITRE ATT&CK technique named 'Archive via Utility'. It belongs to the Collection tactic(s). Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that...
How can T1560.001 be detected?
Detection of T1560.001 (Archive via Utility) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1560.001?
There are 1 documented mitigations for T1560.001. Key mitigations include: Audit.
Which threat groups use T1560.001?
Known threat groups using T1560.001 include: HAFNIUM, menuPass, Wizard Spider, APT33, Fox Kitten, CopyKittens, Volt Typhoon, APT1.