Description
An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network.(Citation: DOJ GRU Indictment Jul 2018) Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Both compression and encryption are done prior to exfiltration and can be performed with a built-in utility, a third-party library, or a custom method.
Sub-Techniques (3)
Mitigations (1)
M1047 Audit
System scans can be performed to identify unauthorized archival utilities.
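The description above covers what adversaries do (compress or encrypt collected data before sending it), and the Audit mitigation says to scan for the results of unauthorized archiving. The script below is an added example of such a scan, not MITRE's code nor any vendor's: it triages a set of file contents by (1) matching the leading magic bytes of common archive containers (values taken from public file-signature lists such as the one in this page's references), (2) reading the encryption bit in ZIP entry headers to catch password-protected archives, and (3) measuring byte entropy so that opaque blobs left by custom encryption are flagged even without a recognisable header. Every sample file is constructed in the script itself; the "encrypted" ZIP is a plain archive whose flag bit is set by hand purely to exercise the header check, and the entropy threshold of 7.5 bits per byte is an assumed tuning value.

```python
"""
Added example (not MITRE's or any vendor's code): triage staged files for signs of
T1560 activity. Flags recognised archive containers, ZIP entries carrying the
encryption bit, and unrecognised high-entropy blobs. All inputs are constructed here.
"""
import io
import math
import random
import struct
import zipfile

# Leading bytes of common archive formats, from public file-signature lists.
ARCHIVE_SIGNATURES = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x1f\x8b": "gzip",
    b"MSCF": "cab",
    b"\xfd7zXZ\x00": "xz",
    b"BZh": "bzip2",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; close to 8.0 means ciphertext or compressed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zip_has_encrypted_entries(data: bytes) -> bool:
    """Bit 0 of the general-purpose flag marks a password-protected ZIP entry."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def classify(data: bytes, entropy_threshold: float = 7.5) -> dict:
    """Return a verdict for one file's contents (threshold is an assumed tuning value)."""
    kind = next((name for magic, name in ARCHIVE_SIGNATURES.items()
                 if data.startswith(magic)), None)
    entropy = round(shannon_entropy(data), 2)
    encrypted_zip = kind == "zip" and zip_has_encrypted_entries(data)
    # A recognised archive, or an opaque near-random blob, both merit a closer look.
    suspicious = kind is not None or entropy >= entropy_threshold
    return {"kind": kind, "entropy": entropy,
            "encrypted_zip": encrypted_zip, "suspicious": suspicious}


# --- constructed samples (not real artefacts) --------------------------------

def make_zip(name: str, payload: bytes, mark_encrypted: bool = False) -> bytes:
    """Build a one-entry ZIP in memory. With mark_encrypted the encryption flag bit
    is set in both headers so the sample looks password-protected; the payload
    itself stays in the clear, this only exercises the header check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        data[6] |= 0x1                                   # local file header flags
        cd_offset = struct.unpack("<L", data[-6:-2])[0]  # from end-of-central-dir record
        data[cd_offset + 8] |= 0x1                       # central directory flags
    return bytes(data)


_rng = random.Random(1560)
SAMPLES = {
    "report.txt": b"Quarterly figures and customer list. " * 50,
    "staged.zip": make_zip("customers.csv", b"id,name\n1,alice\n2,bob\n"),
    "staged_pw.zip": make_zip("customers.csv", b"id,name\n1,alice\n", mark_encrypted=True),
    # stand-in for a custom-encrypted blob: uniformly random bytes from a seeded PRNG
    "out.dat": bytes(_rng.getrandbits(8) for _ in range(4096)),
}


def triage(samples: dict) -> dict:
    """Classify every sample; keys are file names, values are classify() verdicts."""
    return {name: classify(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:14} {verdict}")
```

Run as-is it prints one verdict per constructed sample: the plain text is not flagged, both ZIPs are flagged by signature (the second also by its encryption bit), and the random blob is flagged on entropy alone. On a real host the same `classify()` would be applied to files in user-writable staging locations, and an archive whose creator is not an approved utility is the signal the Audit mitigation is after.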
Threat Groups (13)
| ID | Group | Context |
|---|---|---|
| G0035 | Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has compressed data into .zip files prior to exfiltration.(Citation: US-CERT TA18-074A) |
| G0040 | Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) encrypted the collected files' path with AES and then encoded them with base64.(Citation: TrendMicr... |
| G0001 | Axiom | [Axiom](https://attack.mitre.org/groups/G0001) has compressed and encrypted data prior to exfiltration.(Citation: Novetta-Axiom) |
| G1003 | Ember Bear | [Ember Bear](https://attack.mitre.org/groups/G1003) has compressed collected data prior to exfiltration.(Citation: CISA GRU29155 2024) |
| G1043 | BlackByte | [BlackByte](https://attack.mitre.org/groups/G1043) compressed data collected from victim environments prior to exfiltration.(Citation: Picus BlackByte... |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has compressed exfiltrated data with RAR and used RomeoDelta malware to archive specified direc... |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.(... |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050)'s backdoor has used LZMA compression and RC4 encryption before exfiltration.(Citation: ESET OceanLotus ... |
| G0037 | FIN6 | Following data collection, [FIN6](https://attack.mitre.org/groups/G0037) has compressed log files into a ZIP archive prior to staging and exfiltration... |
| G1014 | LuminousMoth | [LuminousMoth](https://attack.mitre.org/groups/G1014) has manually archived stolen files from victim machines before exfiltration.(Citation: Bitdefend... |
| G0004 | Ke3chang | The [Ke3chang](https://attack.mitre.org/groups/G0004) group has been known to compress data before exfiltration.(Citation: Mandiant Operation Ke3chang... |
| G0045 | menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has encrypted files and information before exfiltration.(Citation: DOJ APT10 Dec 2018)(Citation: Dis... |
| G0065 | Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has archived victim's data prior to exfiltration.(Citation: CISA AA21-200A APT40 July 2021) |
Associated Software (43)
| ID | Name | Type | Context |
|---|---|---|---|
| S0667 | Chrommme | Malware | [Chrommme](https://attack.mitre.org/software/S0667) can encrypt and store on disk collected data before exfiltration.(Citation: ESET Gelsemium June 20... |
| S0343 | Exaramel for Windows | Malware | [Exaramel for Windows](https://attack.mitre.org/software/S0343) automatically encrypts files before sending them to the C2 server.(Citation: ESET Tele... |
| S0586 | TAINTEDSCRIBE | Malware | [TAINTEDSCRIBE](https://attack.mitre.org/software/S0586) has used <code>FileReadZipSend</code> to compress a file and send to C2.(Citation: CISA MAR-1... |
| S1101 | LoFiSe | Malware | [LoFiSe](https://attack.mitre.org/software/S1101) can collect files into password-protected ZIP-archives for exfiltration.(Citation: Kaspersky ToddyCa... |
| S0521 | BloodHound | Tool | [BloodHound](https://attack.mitre.org/software/S0521) can compress data collected by its SharpHound ingestor into a ZIP file to be written to disk.(Ci... |
| S0045 | ADVSTORESHELL | Malware | [ADVSTORESHELL](https://attack.mitre.org/software/S0045) encrypts with the 3DES algorithm and a hardcoded key prior to exfiltration.(Citation: ESET Se... |
| S0363 | Empire | Tool | [Empire](https://attack.mitre.org/software/S0363) can ZIP directories on the target system.(Citation: Github PowerShell Empire) |
| S1039 | Bumblebee | Malware | [Bumblebee](https://attack.mitre.org/software/S1039) can compress data stolen from the Registry and volume shadow copies prior to exfiltration.(Citati... |
| S0515 | WellMail | Malware | [WellMail](https://attack.mitre.org/software/S0515) can archive files on the compromised host.(Citation: CISA WellMail July 2020) |
| S9032 | MuddyViper | Malware | [MuddyViper](https://attack.mitre.org/software/S9032) has archived collected web browser data into a file named CacheDump.zip.(Citation: ESET_MuddyWat... |
| S0454 | Cadelspy | Malware | [Cadelspy](https://attack.mitre.org/software/S0454) has the ability to compress stolen data into a .cab file.(Citation: Symantec Chafer Dec 2015) |
| S1140 | Spica | Malware | [Spica](https://attack.mitre.org/software/S1140) can archive collected documents for exfiltration.(Citation: Google TAG COLDRIVER January 2024) |
| S0395 | LightNeuron | Malware | [LightNeuron](https://attack.mitre.org/software/S0395) contains a function to encrypt and store emails that it collects.(Citation: ESET LightNeuron Ma... |
| S1196 | Troll Stealer | Malware | [Troll Stealer](https://attack.mitre.org/software/S1196) compresses stolen data prior to exfiltration.(Citation: S2W Troll Stealer 2024) |
| S0257 | VERMIN | Malware | [VERMIN](https://attack.mitre.org/software/S0257) encrypts the collected files using 3-DES.(Citation: Unit 42 VERMIN Jan 2018) |
| S9036 | LP-Notes | Malware | [LP-Notes](https://attack.mitre.org/software/S9036) has encrypted collected credentials using AES-CBC from the CNG API and the key ED15C8344B45DAED1E0... |
| S0445 | ShimRatReporter | Tool | [ShimRatReporter](https://attack.mitre.org/software/S0445) used LZ compression to compress initial reconnaissance reports before sending to the C2.(Ci... |
| S0658 | XCSSET | Malware | [XCSSET](https://attack.mitre.org/software/S0658) will compress entire <code>~/Desktop</code> folders excluding all <code>.git</code> folders, but onl... |
| S0249 | Gold Dragon | Malware | [Gold Dragon](https://attack.mitre.org/software/S0249) encrypts data using Base64 before being sent to the command and control server.(Citation: McAfe... |
| S0356 | KONNI | Malware | [KONNI](https://attack.mitre.org/software/S0356) has encrypted data and files prior to exfiltration.(Citation: Malwarebytes Konni Aug 2021) |
References
- Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved November 17, 2024.
- Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016.
Frequently Asked Questions
What is T1560 (Archive Collected Data)?
T1560 is a MITRE ATT&CK technique named 'Archive Collected Data'. It belongs to the Collection tactic. An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the netwo...
How can T1560 be detected?
Detection of T1560 (Archive Collected Data) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1560?
There is 1 documented mitigation for T1560: Audit.
Which threat groups use T1560?
Known threat groups using T1560 include: Dragonfly, Patchwork, Axiom, Ember Bear, BlackByte, Lazarus Group, APT28, APT32.