Find sigma rule
Attack: Archive Collected Data
An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network.(Citation: DOJ GRU Indictment Jul 2018) Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Both compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.
MITRE
Tactic
- collection
technique
- T1560
Test : Compress Data for Exfiltration With PowerShell
OS
- windows
Description:
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. When the test completes you should find the files from the $env:USERPROFILE directory compressed in a file called T1560-data-ps.zip in the $env:USERPROFILE directory
Executor
powershell
Sigma Rule
- posh_ps_compress_archive_usage.yml (id: 6dc5d284-69ea-42cf-9311-fb1c3932a69a)