Ctrl+K

T1560.002 - Archive via Library

T1560.002 - Archive via Library#

An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including Python rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data.

Some archival libraries are preinstalled on systems, such as bzip2 on macOS and Linux, and zip on Windows. Note that the libraries are different from the utilities. The libraries can be linked against when compiling, while the utilities require spawning a subshell, or a similar execution mechanism.

Atomic Tests#

Atomic Test #1 - Compressing data using GZip in Python (FreeBSD/Linux)#

Uses GZip from Python to compress files

Supported Platforms: linux

Elevation Required (e.g. root or admin)

Dependencies: Run with sh!#

Description: Requires Python#
Check Prereq Commands:#
which python || which python3
Get Prereq Commands:#
echo "please install python to run this test"; exit 1

Invoke-AtomicTest T1560.002 -TestNumbers 1 -GetPreReqs

Attack Commands: Run with sh#

which_python=`which python || which python3`
$which_python -c "import gzip;input_file=open('/etc/passwd', 'rb');content=input_file.read();input_file.close();output_file=gzip.GzipFile('/tmp/passwd.gz','wb',compresslevel=6);output_file.write(content);output_file.close();"

Invoke-AtomicTest T1560.002 -TestNumbers 1

Cleanup:#

rm /tmp/passwd.gz

Invoke-AtomicTest T1560.002 -TestNumbers 1 -Cleanup

Atomic Test #2 - Compressing data using bz2 in Python (FreeBSD/Linux)#

Uses bz2 from Python to compress files

Supported Platforms: linux

Elevation Required (e.g. root or admin)

Dependencies: Run with sh!#

Description: Requires Python#
Check Prereq Commands:#
which python || which python3
Get Prereq Commands:#
echo "please install python to run this test"; exit 1

Invoke-AtomicTest T1560.002 -TestNumbers 2 -GetPreReqs

Attack Commands: Run with sh#

which_python=`which python || which python3`
$which_python -c "import bz2;input_file=open('/etc/passwd','rb');content=input_file.read();input_file.close();bz2content=bz2.compress(content,compresslevel=9);output_file=open('/tmp/passwd.bz2','w+');output_file.write(str(bz2content));output_file.close();"

Invoke-AtomicTest T1560.002 -TestNumbers 2

Cleanup:#

rm /tmp/passwd.bz2

Invoke-AtomicTest T1560.002 -TestNumbers 2 -Cleanup

Atomic Test #3 - Compressing data using zipfile in Python (FreeBSD/Linux)#

Uses zipfile from Python to compress files

Supported Platforms: linux

Elevation Required (e.g. root or admin)

Dependencies: Run with sh!#

Description: Requires Python#
Check Prereq Commands:#
which python || which python3
Get Prereq Commands:#
echo "please install python to run this test"; exit 1

Invoke-AtomicTest T1560.002 -TestNumbers 3 -GetPreReqs

Attack Commands: Run with sh#

which_python=`which python || which python3`
$which_python -c "from zipfile import ZipFile; ZipFile('/tmp/passwd.zip', mode='w').write('/etc/passwd')"

Invoke-AtomicTest T1560.002 -TestNumbers 3

Cleanup:#

rm /tmp/passwd.zip

Invoke-AtomicTest T1560.002 -TestNumbers 3 -Cleanup

Atomic Test #4 - Compressing data using tarfile in Python (FreeBSD/Linux)#

Uses tarfile from Python to compress files

Supported Platforms: linux

Elevation Required (e.g. root or admin)

Dependencies: Run with sh!#

Description: Requires Python#
Check Prereq Commands:#
which python || which python3
Get Prereq Commands:#
echo "please install python to run this test"; exit 1

Invoke-AtomicTest T1560.002 -TestNumbers 4 -GetPreReqs

Attack Commands: Run with sh#

which_python=`which python || which python3`
$which_python -c "from zipfile import ZipFile; ZipFile('/tmp/passwd.tar.gz', mode='w').write('/etc/passwd')" 

Invoke-AtomicTest T1560.002 -TestNumbers 4

Cleanup:#

rm /tmp/passwd.tar.gz

Invoke-AtomicTest T1560.002 -TestNumbers 4 -Cleanup

Detection#

Monitor processes for accesses to known archival libraries. This may yield a significant number of benign events, depending on how systems in the environment are typically used.

Consider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)

Contents