T1560.001 - Archive via Utility

T1560.001 - Archive via Utility#

Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.

Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third-party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems.

On Windows, diantz or makecab may be used to package collected files into a cabinet (.cab) file. diantz may also be used to download and compress files from remote locations (i.e. Remote Data Staging).(Citation: diantz.exe_lolbas) xcopy on Windows can copy files and directories with a variety of options. Additionally, adversaries may use certutil to Base64 encode collected data before exfiltration.

Adversaries may also use third-party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)

Atomic Tests#

Atomic Test #1 - Compress Data for Exfiltration With Rar#

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. When the test completes you should find the txt files from the %USERPROFILE% directory compressed in a file called T1560.001-data.rar in the %USERPROFILE% directory

Supported Platforms: windows

Elevation Required (e.g. root or admin)

Dependencies: Run with command_prompt!#

Description: Rar tool must be installed at specified location (#{rar_exe})#
Check Prereq Commands:#
if not exist "%programfiles%/WinRAR/Rar.exe" (exit /b 1)

Get Prereq Commands:#
echo Downloading Winrar installer
bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" %TEMP%\winrar.exe
%TEMP%\winrar.exe /S

Invoke-AtomicTest T1560.001 -TestNumbers 1 -GetPreReqs

Attack Commands: Run with command_prompt#

"%programfiles%/WinRAR/Rar.exe" a -r %USERPROFILE%\T1560.001-data.rar %USERPROFILE%\*.txt
Invoke-AtomicTest T1560.001 -TestNumbers 1

Cleanup:#

del /f /q /s %USERPROFILE%\T1560.001-data.rar >nul 2>&1
Invoke-AtomicTest T1560.001 -TestNumbers 1 -Cleanup

Atomic Test #2 - Compress Data and lock with password for Exfiltration with winrar#

Note: Requires winrar installation. Variant: rar a -p"blue" hello.rar

Supported Platforms: windows

Elevation Required (e.g. root or admin)

Dependencies: Run with command_prompt!#

Description: Rar tool must be installed at specified location (#{rar_exe})#
Check Prereq Commands:#
if not exist "%programfiles%/WinRAR/Rar.exe" (exit /b 1)

Get Prereq Commands:#
echo Downloading Winrar installer
bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" %TEMP%\winrar.exe
%TEMP%\winrar.exe /S

Invoke-AtomicTest T1560.001 -TestNumbers 2 -GetPreReqs

Attack Commands: Run with command_prompt#

mkdir .\tmp\victim-files
cd .\tmp\victim-files
echo "This file will be encrypted" > .\encrypted_file.txt
"%programfiles%/WinRAR/Rar.exe" a -hp"blue" hello.rar
dir
Invoke-AtomicTest T1560.001 -TestNumbers 2

Atomic Test #3 - Compress Data and lock with password for Exfiltration with winzip#

Note: Requires winzip installation. Variant: wzzip sample.zip -s"blueblue" *.txt

Supported Platforms: windows

Elevation Required (e.g. root or admin)

Dependencies: Run with powershell!#

Description: Winzip must be installed#
Check Prereq Commands:#
cmd /c 'if not exist "%ProgramFiles%\WinZip\winzip64.exe" (echo 1) else (echo 0)'

Get Prereq Commands:#
IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing)
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
if(Invoke-WebRequestVerifyHash "https://download.winzip.com/gl/nkln/winzip24-home.exe" "PathToAtomicsFolder\..\ExternalPayloads\winzip.exe" B59DB592B924E963C21DA8709417AC0504F6158CFCB12FE5536F4A0E0D57D7FB){
  Write-Host Follow the installation prompts to continue
  cmd /c "PathToAtomicsFolder\..\ExternalPayloads\winzip.exe"
}

Invoke-AtomicTest T1560.001 -TestNumbers 3 -GetPreReqs

Attack Commands: Run with command_prompt#

path=%path%;"C:\Program Files (x86)\winzip"
mkdir .\tmp\victim-files
cd .\tmp\victim-files
echo "This file will be encrypted" > .\encrypted_file.txt
"%ProgramFiles%\WinZip\winzip64.exe" -min -a -s"hello" archive.zip *
dir
Invoke-AtomicTest T1560.001 -TestNumbers 3

Atomic Test #4 - Compress Data and lock with password for Exfiltration with 7zip#

Note: This test requires 7zip installation

Supported Platforms: windows

Elevation Required (e.g. root or admin)

Dependencies: Run with command_prompt!#

Description: 7zip tool must be installed at specified location (#{7zip_exe})#
Check Prereq Commands:#
if not exist "%ProgramFiles%\7-zip\7z.exe" (exit /b 1)

Get Prereq Commands:#
echo Downloading 7-zip installer
bitsadmin /transfer myDownloadJob /download /priority normal "https://www.7-zip.org/a/7z2301-x64.exe" %TEMP%\7zip.exe
%TEMP%\7zip.exe /S

Invoke-AtomicTest T1560.001 -TestNumbers 4 -GetPreReqs

Attack Commands: Run with command_prompt#

mkdir $PathToAtomicsFolder\T1560.001\victim-files
cd $PathToAtomicsFolder\T1560.001\victim-files
echo "This file will be encrypted" > .\encrypted_file.txt
"%ProgramFiles%\7-zip\7z.exe" u archive.7z *txt -pblue
dir
Invoke-AtomicTest T1560.001 -TestNumbers 4

Cleanup:#

rmdir /s /Q $PathToAtomicsFolder\T1560.001\victim-files >nul 2>&1
Invoke-AtomicTest T1560.001 -TestNumbers 4 -Cleanup

Atomic Test #5 - Data Compressed - nix - zip#

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression.

Supported Platforms: linux, macos

Elevation Required (e.g. root or admin)

Dependencies: Run with sh!#

Description: Files to zip must exist (#{input_files})#
Check Prereq Commands:#
if [ "$(ls /var/log/{w,b}tmp 2>/dev/null | wc -l)" -gt 0 ] && [ -x "$(which zip)" ]; then exit 0; else exit 1; fi;
Get Prereq Commands:#
(which yum && yum -y install epel-release zip)||(which apt-get && apt-get install -y zip)
echo Please set input_files argument to include files that exist
Invoke-AtomicTest T1560.001 -TestNumbers 5 -GetPreReqs

Attack Commands: Run with sh#

zip $HOME/data.zip /var/log/{w,b}tmp
Invoke-AtomicTest T1560.001 -TestNumbers 5

Cleanup:#

rm -f $HOME/data.zip
Invoke-AtomicTest T1560.001 -TestNumbers 5 -Cleanup

Atomic Test #6 - Data Compressed - nix - gzip Single File#

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.

Supported Platforms: linux, macos

Elevation Required (e.g. root or admin)

Attack Commands: Run with sh#

test -e $HOME/victim-gzip.txt && gzip -k $HOME/victim-gzip.txt || (echo 'confidential! SSN: 078-05-1120 - CCN: 4000 1234 5678 9101' >> $HOME/victim-gzip.txt; gzip -k $HOME/victim-gzip.txt)
Invoke-AtomicTest T1560.001 -TestNumbers 6

Cleanup:#

rm -f $HOME/victim-gzip.txt.gz
Invoke-AtomicTest T1560.001 -TestNumbers 6 -Cleanup

Atomic Test #7 - Data Compressed - nix - tar Folder or File#

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.

Supported Platforms: linux, macos

Elevation Required (e.g. root or admin)

Dependencies: Run with sh!#

Description: Folder to zip must exist (#{input_file_folder})#
Check Prereq Commands:#
test -e $HOME/$USERNAME
Get Prereq Commands:#
mkdir -p $HOME/$USERNAME && touch $HOME/$USERNAME/file1
Invoke-AtomicTest T1560.001 -TestNumbers 7 -GetPreReqs

Attack Commands: Run with sh#

tar -cvzf $HOME/data.tar.gz $HOME/$USERNAME
Invoke-AtomicTest T1560.001 -TestNumbers 7

Cleanup:#

rm -f $HOME/data.tar.gz
Invoke-AtomicTest T1560.001 -TestNumbers 7 -Cleanup

Atomic Test #8 - Data Encrypted with zip and gpg symmetric#

Encrypt data for exfiltration

Supported Platforms: linux, macos

Elevation Required (e.g. root or admin)

Dependencies: Run with sh!#

Description: gpg and zip are required to run the test.#
Check Prereq Commands:#
if [ ! -x "$(command -v gpg)" ] || [ ! -x "$(command -v zip)" ]; then exit 1; fi;
Get Prereq Commands:#
(which pkg && pkg install -y gnupg zip)||(which yum && yum -y install epel-release zip gpg)||(which apt-get && apt-get install -y zip gpg)
Invoke-AtomicTest T1560.001 -TestNumbers 8 -GetPreReqs

Attack Commands: Run with sh#

mkdir -p /tmp/T1560
cd /tmp/T1560; touch a b c d e f g
zip --password "InsertPasswordHere" /tmp/T1560/T1560 ./*
echo "InsertPasswordHere" | gpg --batch --yes --passphrase-fd 0 --output /tmp/T1560/T1560.zip.gpg -c /tmp/T1560/T1560.zip
ls -l /tmp/T1560
Invoke-AtomicTest T1560.001 -TestNumbers 8

Cleanup:#

rm -Rf /tmp/T1560
Invoke-AtomicTest T1560.001 -TestNumbers 8 -Cleanup

Atomic Test #9 - Encrypts collected data with AES-256 and Base64#

An adversary may compress all the collected data, encrypt it, and send it to a C2 server using base64 encoding. This atomic test emulates the behaviour of the FLEXIROOT backdoor when archiving collected data. FLEXIROOT typically uses AES encryption and base64 encoding to transfer the encrypted data to the C2 server. In this test, standard zip compression and the OpenSSL library are used to encrypt the compressed data. https://attack.mitre.org/versions/v7/software/S0267/

Supported Platforms: linux, macos

Elevation Required (e.g. root or admin)

Dependencies: Run with bash!#

Description: The folder and test files must exist#
Check Prereq Commands:#
if [ ! -d /tmp/t1560 ]; then exit 1; else exit 0; fi;
Get Prereq Commands:#
if [ ! -d /tmp/t1560 ]; then mkdir -p /tmp/t1560; cd /tmp/t1560; touch {a..z}.data; fi;
Invoke-AtomicTest T1560.001 -TestNumbers 9 -GetPreReqs

Attack Commands: Run with bash#

zip -r  /tmp/t1560/t1560_data.zip /tmp/t1560
openssl enc -aes-256-cbc -pass pass:atomic_enc_pass -p -in /tmp/t1560/t1560_data.zip -out /tmp/t1560/t1560_data.enc 
cat /tmp/t1560/t1560_data.enc | base64
Invoke-AtomicTest T1560.001 -TestNumbers 9

Cleanup:#

rm -rf /tmp/t1560
Invoke-AtomicTest T1560.001 -TestNumbers 9 -Cleanup

Detection#

Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used.
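The process-monitoring approach above can be turned into a concrete rule: watch for the archival utilities named on this page and raise the severity when the command line carries a password or encryption switch (the `-hp`, `-p`, `-s`, `--password`, `gpg -c` and `openssl enc` forms used in the tests). The following Python is an added example written for this page, not part of Atomic Red Team or of MITRE's content; the sample events are constructed to resemble Sysmon process-creation records, and the utility-to-family map and switch table are this example's own assumptions.

```python
import re

# Utilities named on this page (T1560.001), keyed by lower-cased basename -> family.
# Assumption of this example: the list is not exhaustive, extend it for your environment.
UTILITY_FAMILY = {
    "rar.exe": "rar", "winrar.exe": "rar",
    "7z.exe": "7z", "7za.exe": "7z",
    "winzip64.exe": "winzip", "wzzip.exe": "winzip",
    "makecab.exe": "cab", "diantz.exe": "cab",
    "certutil.exe": "certutil",
    "zip": "zip", "tar": "tar", "gzip": "gzip", "gpg": "gpg", "openssl": "openssl",
}

# Per-family switches that mean the output is password-protected / encrypted
# (or, for certutil, base64-encoded). Taken from the test commands above plus
# the documented long forms of the same tools.
ENCRYPTION_SWITCHES = {
    "rar":      [(r"^-hp", "-hp (encrypt file headers and data)"), (r"^-p\S", "-p (password)")],
    "7z":       [(r"^-p\S", "-p (password)"), (r"^-mhe", "-mhe (encrypt headers)")],
    "winzip":   [(r"^-s\S", "-s (password)")],
    "zip":      [(r"^(--password|-P)$", "--password/-P"), (r"^-e$", "-e (prompt for password)")],
    "gpg":      [(r"^(-c|--symmetric)$", "symmetric encryption")],
    "openssl":  [(r"^enc$", "enc subcommand")],
    "certutil": [(r"^-encode$", "-encode (base64)")],
}

TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokenize(command_line):
    """Split on whitespace while honouring double quotes, then drop the quote characters,
    so that -hp"blue" becomes -hpblue and quoted Windows paths stay whole."""
    return [t.replace('"', "") for t in TOKEN_RE.findall(command_line)]


def basename(path):
    """Last path component, lower-cased, for both backslash and slash separators."""
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()


def inspect_event(event):
    """Return a finding for one process-creation event, or None if no archival utility is involved."""
    family = UTILITY_FAMILY.get(basename(event["image"]))
    if family is None:
        return None
    args = tokenize(event["command_line"])[1:]  # argv[0] is the image itself
    reasons = [label for pat, label in ENCRYPTION_SWITCHES.get(family, [])
               for tok in args if re.match(pat, tok)]
    return {
        "pid": event["pid"], "user": event["user"], "family": family,
        "severity": "high" if reasons else "medium",  # plain archiving is noisy; encryption is rarer
        "reasons": reasons,
        "command_line": event["command_line"],
    }


def analyze(events):
    """Run inspect_event over an event stream and keep only the hits."""
    return [f for f in (inspect_event(e) for e in events) if f is not None]


# Constructed sample events in a Sysmon Event ID 1-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "user": "CORP\\alice", "image": r"C:\Program Files\WinRAR\Rar.exe",
     "command_line": r'"C:\Program Files\WinRAR\Rar.exe" a -r C:\Users\alice\T1560.001-data.rar C:\Users\alice\*.txt'},
    {"pid": 4133, "user": "CORP\\alice", "image": r"C:\Program Files\WinRAR\Rar.exe",
     "command_line": r'"C:\Program Files\WinRAR\Rar.exe" a -hp"blue" hello.rar'},
    {"pid": 4150, "user": "CORP\\alice", "image": r"C:\Program Files\7-Zip\7z.exe",
     "command_line": r'"C:\Program Files\7-Zip\7z.exe" u archive.7z *txt -pblue'},
    {"pid": 4161, "user": "CORP\\alice", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\alice\notes.txt"},
    {"pid": 7788, "user": "bob", "image": "/usr/bin/gpg",
     "command_line": "gpg --batch --yes --passphrase-fd 0 --output /tmp/T1560/T1560.zip.gpg -c /tmp/T1560/T1560.zip"},
    {"pid": 7790, "user": "bob", "image": "/usr/bin/tar",
     "command_line": "tar -cvzf /home/bob/data.tar.gz /home/bob/bob"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["severity"], f["family"], f["reasons"], f["command_line"])
```

Running the block over the constructed events yields five findings: the plain `rar a -r` and `tar -cvzf` runs at medium severity, and the `-hp`, `-p` and `gpg -c` runs at high. In production the medium tier is where the benign noise the text warns about lives, so it is usually better aggregated per user and host (many archives in a short window, or archives written to a temp or staging directory) than alerted on individually.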

Consider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)
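The header-based detection mentioned here can be checked on disk or in transit with a short signature table: zip, gzip, RAR, 7z and cabinet files all start with well-known magic bytes, an `openssl enc` output produced from a password starts with the ASCII salt header `Salted__` (which survives as the prefix `U2FsdGVkX1` once base64-encoded, as in test #9), and a classic `gpg -c` output starts with an OpenPGP symmetric-key session-key packet. The Python below is an added example for this page, not Atomic Red Team or MITRE code; the sample files are constructed in memory (the "encrypted" blob is a fake header plus zero bytes, not real ciphertext), and the extension-to-family map and the OpenPGP packet prefix are this example's own assumptions.

```python
import base64
import gzip
import io
import os
import zipfile

# (magic bytes, family, note) for the formats produced by the utilities on this page.
SIGNATURES = [
    (b"PK\x03\x04", "zip", "raw"),                 # zip local file header
    (b"PK\x05\x06", "zip", "raw"),                 # empty zip (end-of-central-directory only)
    (b"\x1f\x8b", "gzip", "raw"),                  # gzip, including tar.gz
    (b"Rar!\x1a\x07\x00", "rar", "raw"),           # RAR 1.5 - 4.x
    (b"Rar!\x1a\x07\x01\x00", "rar", "raw"),       # RAR 5
    (b"7z\xbc\xaf\x27\x1c", "7z", "raw"),          # 7-Zip
    (b"MSCF", "cab", "raw"),                       # Microsoft cabinet (makecab / diantz)
    (b"Salted__", "openssl-enc", "raw"),           # openssl enc with a password-derived key
    (b"U2FsdGVkX1", "openssl-enc", "base64"),      # the same header after base64 encoding
    (b"\x8c\x0d\x04", "openpgp", "raw"),           # assumption: v4 symmetric-key session-key packet as written by classic gpg -c
]

# Extensions we expect to carry each family; anything else holding an archive is flagged.
EXPECTED_FAMILY = {".zip": "zip", ".gz": "gzip", ".tgz": "gzip", ".rar": "rar",
                   ".7z": "7z", ".cab": "cab", ".enc": "openssl-enc", ".gpg": "openpgp"}


def identify(data):
    """Return (family, note) for the first signature the data starts with, else (None, None)."""
    for magic, family, note in SIGNATURES:
        if data.startswith(magic):
            return family, note
    return None, None


def classify(name, data):
    """Combine the header verdict with the file extension: an archive or encrypted blob
    under an extension that does not announce it (e.g. .txt) is the suspicious case."""
    family, note = identify(data)
    expected = EXPECTED_FAMILY.get(os.path.splitext(name)[1].lower())
    return {"name": name, "family": family, "note": note,
            "suspicious": family is not None and expected != family}


def scan(files):
    """files: mapping of filename -> leading bytes (a few dozen bytes is enough)."""
    return [classify(name, data) for name, data in files.items()]


def _zip_bytes():
    # Constructed zip built in memory so the example runs offline.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("encrypted_file.txt", "This file will be encrypted")
    return buf.getvalue()


# Constructed stand-in for openssl enc output: real header, fake salt and body.
_OPENSSL_LIKE = b"Salted__" + bytes(range(8)) + bytes(16)

SAMPLE_FILES = {
    "data.zip": _zip_bytes(),
    "victim-gzip.txt.gz": gzip.compress(b"confidential"),
    "quarterly.txt": _zip_bytes(),                       # archive hiding behind a harmless extension
    "t1560_data.enc": _OPENSSL_LIKE,
    "t1560_data.b64": base64.b64encode(_OPENSSL_LIKE),   # base64-wrapped, as in test #9
    "notes.txt": b"just some notes\n",
}

if __name__ == "__main__":
    for result in scan(SAMPLE_FILES):
        print(result)
```

Only the first few bytes of each file are needed, so the same `identify` function works on a file's leading bytes, on the first segment of a network flow, or on a DLP sample. Matching on the base64 prefix is what catches the test #9 pipeline, where the raw `Salted__` header never appears on the wire.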