
Archive Collected Data: Archive via Utility

Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionality to compress, encrypt, or otherwise package data into a format that is easier or more secure to transport. Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third-party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems. On Windows, diantz or makecab may be used to package collected files into a cabinet (.cab) file. diantz may also be used to download and compress files from remote locations (i.e. Remote Data Staging).(Citation: diantz.exe_lolbas) Additionally, xcopy on Windows can copy files and directories with a variety of options. Adversaries may also use third-party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)

ID: T1560.001
Sub-technique of: T1560
Tactic(s): Collection
Platforms: Linux, macOS, Windows
Data Sources: Command: Command Execution, File: File Creation, Process: Process Creation
Version: 1.1
Created: 20 Feb 2020
Last Modified: 20 Apr 2022

Procedure Examples

Name / Description
Crutch

Crutch has used the WinRAR utility to compress and encrypt stolen files.(Citation: ESET Crutch December 2020)

Okrum

Okrum was seen using a RAR archiver tool to compress/decompress data.(Citation: ESET Okrum July 2019)

HAFNIUM

HAFNIUM has used 7-Zip and WinRAR to compress stolen files for exfiltration.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)

Operation CuckooBees

During Operation CuckooBees, the threat actors used the Makecab utility to compress and a version of WinRAR to create password-protected archives of stolen data prior to exfiltration.(Citation: Cybereason OperationCuckooBees May 2022)

menuPass

menuPass has compressed files before exfiltration using TAR and RAR.(Citation: PWC Cloud Hopper April 2017)(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: Symantec Cicada November 2020)

UNC2452

UNC2452 used 7-Zip to compress stolen emails into password-protected archives prior to exfiltration.(Citation: Volexity SolarWinds)(Citation: Microsoft Deep Dive Solorigate January 2021)

APT33

APT33 has used WinRAR to compress data prior to exfiltration.(Citation: Symantec Elfin Mar 2019)

APT29

APT29 used 7-Zip to compress stolen emails into password-protected archives prior to exfiltration; APT29 has also compressed text files into zipped archives.(Citation: Volexity SolarWinds)(Citation: Microsoft Deep Dive Solorigate January 2021)(Citation: CrowdStrike StellarParticle January 2022)

ccf32

ccf32 has used `xcopy \\\c$\users\public\path.7z c:\users\public\bin\.7z /H /Y` to archive collected files.(Citation: Bitdefender FunnyDream Campaign November 2020)

Fox Kitten

Fox Kitten has used 7-Zip to archive data.(Citation: CISA AA20-259A Iran-Based Actor September 2020)

CopyKittens

CopyKittens uses ZPP, a .NET console program, to compress files with ZIP.(Citation: ClearSky Wilted Tulip July 2017)

InvisiMole

InvisiMole uses WinRAR to compress data that is intended to be exfiltrated.(Citation: ESET InvisiMole June 2018)

APT1

APT1 has used RAR to compress files before moving them outside of the victim network.(Citation: Mandiant APT1)

Mustang Panda

Mustang Panda has used RAR to create password-protected archives of collected documents prior to exfiltration.(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Avira Mustang Panda January 2020)

Chimera

Chimera has used gzip for Linux OS and a modified RAR software to archive data on Windows hosts.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)

DustySky

DustySky can compress files via RAR while staging data to be exfiltrated.(Citation: Kaspersky MoleRATs April 2019)

Gallmaker

Gallmaker has used WinZip, likely to archive data prior to exfiltration.(Citation: Symantec Gallmaker Oct 2018)

Daserf

Daserf hides collected data in password-protected .rar archives.(Citation: Symantec Tick Apr 2016)

APT39

APT39 has used WinRAR and 7-Zip to compress and archive stolen data.(Citation: FireEye APT39 Jan 2019)

PoshC2

PoshC2 contains a module for compressing data using ZIP.(Citation: GitHub PoshC2)

Operation Wocao

During Operation Wocao, threat actors archived collected files with WinRAR prior to exfiltration.(Citation: FoxIT Wocao December 2019)

PUNCHBUGGY

PUNCHBUGGY has gzipped information and saved it to a random temp file before exfiltration.(Citation: Morphisec ShellTea June 2019)

Ramsay

Ramsay can compress and archive collected files using WinRAR.(Citation: Eset Ramsay May 2020)(Citation: Antiy CERT Ramsay April 2020)

FunnyDream

During FunnyDream, the threat actors used 7zr.exe to add collected files to an archive.(Citation: Bitdefender FunnyDream Campaign November 2020)

Turian

Turian can use WinRAR to create a password-protected archive for files of interest.(Citation: ESET BackdoorDiplomacy Jun 2021)

GALLIUM

GALLIUM used WinRAR to compress and encrypt stolen data prior to exfiltration.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)

APT41

APT41 created a RAR archive of targeted files for exfiltration.(Citation: FireEye APT41 Aug 2019)

IceApple

IceApple can encrypt and compress files using Gzip prior to exfiltration.(Citation: CrowdStrike IceApple May 2022)

MuddyWater

MuddyWater has used the native Windows cabinet creation tool, makecab.exe, likely to compress stolen data to be uploaded.(Citation: Symantec MuddyWater Dec 2018)

APT28

APT28 has used a variety of utilities, including WinRAR, to archive collected data with password protection.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

iKitten

iKitten will zip up the /Library/Keychains directory before exfiltrating it.(Citation: objsee mac malware 2017)

WindTail

WindTail has the ability to use the macOS built-in zip utility to archive files.(Citation: objective-see windtail2 jan 2019)

Turla

Turla has encrypted files stolen from connected USB drives into a RAR file before exfiltration.(Citation: Symantec Waterbug Jun 2019)

CORALDECK

CORALDECK has created password-protected RAR, WinImage, and zip archives to be exfiltrated.(Citation: FireEye APT37 Feb 2018)

Sowbug

Sowbug extracted documents and bundled them into a RAR archive.(Citation: Symantec Sowbug Nov 2017)

Micropsia

Micropsia creates a RAR archive based on collected files on the victim's machine.(Citation: Radware Micropsia July 2018)

Operation Honeybee

During Operation Honeybee, the threat actors used zip to pack collected files before exfiltration.(Citation: McAfee Honeybee)

BRONZE BUTLER

BRONZE BUTLER has compressed data into password-protected RAR archives prior to exfiltration.(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)

Octopus

Octopus has compressed data before exfiltrating it using a tool called Abbrevia.(Citation: ESET Nomadic Octopus 2018)

Kimsuky

Kimsuky has used QuickZip to archive stolen files before exfiltration.(Citation: Talos Kimsuky Nov 2021)

APT3

APT3 has used tools to compress data before exfiltrating it.(Citation: aptsim)

OopsIE

OopsIE compresses collected files with GZipStream before sending them to its C2 server.(Citation: Unit 42 OopsIE! Feb 2018)

FIN8

FIN8 has used RAR to compress collected data before exfiltration.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Ke3chang

Ke3chang is known to use 7Zip and RAR with passwords to encrypt data prior to exfiltration.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: Microsoft NICKEL December 2021)

Calisto

Calisto uses the zip -r command to compress the data collected on the local system.(Citation: Securelist Calisto July 2018)(Citation: Symantec Calisto July 2018)

Earth Lusca

Earth Lusca has used WinRAR to compress stolen files into an archive prior to exfiltration.(Citation: TrendMicro EarthLusca 2022)

Operation Wocao

Operation Wocao has archived collected files with WinRAR, prior to exfiltration.(Citation: FoxIT Wocao December 2019)

Pupy

Pupy can compress data with Zip before sending it over C2.(Citation: GitHub Pupy)

Rclone

Rclone can compress files using `gzip` prior to exfiltration.(Citation: Rclone)

Magic Hound

Magic Hound has used gzip to archive dumped LSASS process memory and RAR to stage and compress local folders.(Citation: FireEye APT35 2018)(Citation: DFIR Report APT35 ProxyShell March 2022)

PowerShower

PowerShower has used 7Zip to compress .txt, .pdf, .xls or .doc files prior to exfiltration.(Citation: Kaspersky Cloud Atlas August 2019)

AppleSeed

AppleSeed can zip and encrypt data collected on a target system.(Citation: Malwarebytes Kimsuky June 2021)

Aquatic Panda

Aquatic Panda has used WinRAR to compress memory dumps prior to exfiltration.(Citation: CrowdStrike AQUATIC PANDA December 2021)

PoetRAT

PoetRAT has the ability to compress files with zip.(Citation: Talos PoetRAT April 2020)

Mitigations

Mitigation / Description
Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

Detection

Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used. Consider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)
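The two detection angles described above, as an added example that is not part of the ATT&CK page or the SECURITM mirror: file-signature (magic byte) identification of archive formats, and triage of process-creation events for the archival utilities named in this technique, with a flag for password-protection switches. The event format, the list of password switches and every log line and byte string are constructed assumptions; real telemetry (Sysmon, EDR) will differ.

```python
"""Added example (not from the ATT&CK page): header-based archive
identification plus process-event triage for known archival utilities.
All sample events and byte strings below are constructed."""
import re

# File signatures (first bytes) of common archive/compressed formats.
MAGIC = {
    "zip": b"PK\x03\x04",
    "rar4": b"Rar!\x1a\x07\x00",
    "rar5": b"Rar!\x1a\x07\x01\x00",
    "7z": b"7z\xbc\xaf\x27\x1c",
    "gzip": b"\x1f\x8b",
    "cab": b"MSCF",
}
# Archival utilities named on the page (process image basenames, lower-case).
ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe", "7zr.exe",
             "makecab.exe", "diantz.exe", "zip", "tar", "gzip"}
# Password switches: -p/-hp (RAR, 7-Zip), -e/-P (Info-ZIP). Heuristic (assumption).
PASSWORD_SWITCH = re.compile(r"(?:^|\s)-(?:hp\S*|p\S*|e\b|P\b)")
# Constructed key=value event format; real telemetry uses other fields.
EVENT_RE = re.compile(r'image=(?P<image>\S+)\s+cmdline="(?P<cmdline>[^"]*)"')


def identify_archive(header):
    """Return the archive format whose signature prefixes `header`, else None."""
    for fmt, sig in MAGIC.items():
        if header.startswith(sig):
            return fmt
    return None


def triage_event(line):
    """Return (archiver basename, password switch present) for one event;
    (None, False) when the event is not an archival-utility execution."""
    m = EVENT_RE.search(line)
    if not m:
        return None, False
    image = m.group("image").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image not in ARCHIVERS:
        return None, False
    return image, bool(PASSWORD_SWITCH.search(m.group("cmdline")))


SAMPLE_EVENTS = [  # constructed process-creation events
    r'host=ws01 user=alice image=C:\Windows\System32\notepad.exe cmdline="notepad.exe notes.txt"',
    r'host=ws01 user=alice image=C:\Tools\rar.exe cmdline="rar.exe a -hpS3cret C:\Users\Public\o.rar C:\Users\alice\Documents"',
    r'host=srv02 user=svc image=C:\Windows\System32\makecab.exe cmdline="makecab.exe C:\Users\Public\d.txt C:\Users\Public\d.cab"',
    r'host=mac01 user=bob image=/usr/bin/zip cmdline="zip -r -e /tmp/kc.zip /Users/bob/Library/Keychains"',
]


def flagged_events(events=SAMPLE_EVENTS):
    """Events that ran a known archiver, with a hint on password protection."""
    out = []
    for line in events:
        archiver, pw = triage_event(line)
        if archiver:
            out.append((archiver, "password-protected" if pw else "plain"))
    return out
```

Header matching catches renamed or custom-extension archives that an extension check misses, while the password-switch flag helps rank the many benign archiver executions the text warns about.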

References

  1. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  2. Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016.
  3. Living Off The Land Binaries, Scripts and Libraries (LOLBAS). (n.d.). Diantz.exe. Retrieved October 25, 2021.
  4. I. Pavlov. (2019). 7-Zip. Retrieved February 20, 2020.
  5. Corel Corporation. (2020). WinZip. Retrieved February 20, 2020.
  6. A. Roshal. (2020). RARLAB. Retrieved February 20, 2020.
  7. Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.
  8. MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.
  9. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
  10. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
  11. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
  12. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
  13. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021.
  14. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
  15. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  16. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  17. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  18. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  19. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
  20. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  21. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  22. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
  23. Symantec Security Response. (2018, October 10). Gallmaker: New Attack Group Eschews Malware to Live off the Land. Retrieved November 27, 2018.
  24. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021.
  25. Sanmillan, I. (2020, May 13). Ramsay: A cyber-espionage toolkit tailored for air-gapped networks. Retrieved May 27, 2020.
  26. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  27. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  28. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
  29. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
  30. CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022.
  31. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  32. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.
  33. DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.
  34. valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.
  35. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  36. Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
  37. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
  38. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  39. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.
  40. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.
  41. Gorelik, M. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  42. Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022.
  43. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  44. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  45. Nick Craig-Wood. (n.d.). Rclone syncs your files to cloud storage. Retrieved August 30, 2022.
  46. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  47. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
  48. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
  49. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  50. Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018.
  51. Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.
  52. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
  53. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  54. Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019.
  55. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  56. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  57. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
  58. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
  59. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  60. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
  61. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  62. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  63. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
  64. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  65. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
  66. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
  67. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
  68. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  69. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  70. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
