T1560 - Archive Collected Data#
An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Both compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.
Atomic Tests#
Atomic Test #1 - Compress Data for Exfiltration With PowerShellAn adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration.#
When the test completes you should find the files from the \(env:USERPROFILE directory compressed in a file called T1560-data-ps.zip in the \)env:USERPROFILE directory
Supported Platforms: windows
Elevation Required (e.g. root or admin)#### Attack Commands: Run with powershell
dir $env:USERPROFILE -Recurse | Compress-Archive -DestinationPath $env:USERPROFILE\T1560-data-ps.zip
Invoke-AtomicTest T1560 -TestNumbers 1
Cleanup:#
Remove-Item -path $env:USERPROFILE\T1560-data-ps.zip -ErrorAction Ignore```
Invoke-AtomicTest T1560 -TestNumbers 1 -Cleanup
Detection#
Archival software and archived files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used.
A process that loads the Windows DLL crypt32.dll may be used to perform encryption, decryption, or verification of file signatures.
Consider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)
Shield Active Defense#
Software Manipulation#
Make changes to a system’s software properties and functions to achieve a desired effect.
Software Manipulation allows a defender to alter or replace elements of the operating system, file system, or any other software installed and executed on a system.
Opportunity#
There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access.
Use Case#
A defender might alter APIs to expose data that is being archived, encoded, and/or encrypted. This can also be used to corrupt the action so the data isn’t usable.
Procedures#
Hook the Win32 Sleep() function so that it always performs a Sleep(1) instead of the intended duration. This can increase the speed at which dynamic analysis can be performed when a normal malicious file sleeps for long periods before attempting additional capabilities. Hook the Win32 NetUserChangePassword() and modify it such that the new password is different from the one provided. The data passed into the function is encrypted along with the modified new password, then logged so a defender can get alerted about the change as well as decrypt the new password for use. Alter the output of an adversary’s profiling commands to make newly-built systems look like the operating system was installed months earlier. Alter the output of adversary recon commands to not show important assets, such as a file server containing sensitive data.