Attack: Archive Collected Data: Archive via Utility
Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionality to compress, encrypt, or otherwise package data into a format that is easier or more secure to transport.

Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third-party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems.

On Windows, diantz or makecab may be used to package collected files into a cabinet (.cab) file. diantz may also be used to download and compress files from remote locations (i.e. Remote Data Staging).(Citation: diantz.exe_lolbas) xcopy on Windows can copy files and directories with a variety of options. Additionally, adversaries may use certutil to Base64 encode collected data before exfiltration.

Adversaries may also use third-party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)
MITRE
Tactic
- collection
Technique
- T1560.001

Test: Compress Data and lock with password for Exfiltration with 7zip
OS
- windows
Description: Note: This test requires 7zip installation
Executor: command_prompt

Sigma Rules
- proc_creation_win_susp_compression_params.yml (id: 27a72a60-7e5e-47b1-9d17-909c9abafdcd)
- proc_creation_win_7zip_password_compression.yml (id: 9fbf5927-5261-4284-a71d-f681029ea574)
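The detection idea behind the two Sigma rules listed above, written out as an added example in Python for this page (it is not the text of either rule and not code from the Sigma project): given Sysmon-style process-creation events with Image and CommandLine fields, flag launches of a 7-Zip console binary that create an archive (command "a" or "u") with a password switch (-p), and note whether header encryption (-mhe) was also requested, since that hides even the file names of what was staged. The binary names, the matching criteria and the sample events are all assumptions constructed here, not values taken from the rules.

```python
"""Flag process-creation events where 7-Zip creates a password-protected archive.

Added illustration of the detection logic behind the listed Sigma rules
(7-Zip launched with a password switch). It approximates that logic; it is
not the rules' own content. All sample data below is constructed.
"""
from __future__ import annotations

import ntpath
import re

# Assumption: these names cover the common 7-Zip console builds.
# The GUI file manager (7zFM.exe) is deliberately left out.
SEVEN_ZIP_IMAGES = {"7z.exe", "7za.exe", "7zr.exe"}

# 7-Zip commands that write an archive: "a" = add, "u" = update.
# Extraction ("x", "e") and listing ("l") are not archiving and are ignored.
ARCHIVE_COMMANDS = {"a", "u"}

# Tokenizer that keeps quoted paths (with spaces) together.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # archive created with password and encrypted headers -> finding
        "Image": r"C:\Program Files\7-Zip\7z.exe",
        "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" a -pS3cret -mhe=on C:\Users\Public\out.7z C:\Users\alice\Documents',
    },
    {   # ordinary backup without password -> no finding
        "Image": r"C:\Program Files\7-Zip\7z.exe",
        "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" a C:\Users\alice\backup.zip C:\Users\alice\Documents',
    },
    {   # unrelated process with a "-p" argument -> no finding
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe -p",
    },
    {   # password used for extraction, not archiving -> no finding
        "Image": r"C:\tools\7za.exe",
        "CommandLine": "7za.exe x -pS3cret archive.7z",
    },
    {   # bare -p (prompted password), no header encryption -> finding
        "Image": r"C:\tools\7z.exe",
        "CommandLine": "7z.exe a -p out.zip docs",
    },
]


def tokenize(command_line: str) -> list[str]:
    """Split a Windows command line into arguments, dropping surrounding
    quotes but leaving backslashes untouched (unlike shlex in POSIX mode)."""
    return [tok.strip('"') for tok in TOKEN_RE.findall(command_line)]


def analyze_event(event: dict) -> dict | None:
    """Return a finding dict for a password-protected 7-Zip archive creation,
    or None if the event does not match."""
    image = ntpath.basename(event.get("Image", "")).lower()
    if image not in SEVEN_ZIP_IMAGES:
        return None

    tokens = tokenize(event.get("CommandLine", ""))
    args = tokens[1:]  # tokens[0] is the executable itself
    if not args:
        return None

    # 7-Zip syntax: 7z <command> [switches] <archive> [files...]
    command = args[0].lower()
    if command not in ARCHIVE_COMMANDS:
        return None

    switches = [a for a in args[1:] if a.startswith("-")]
    if not any(s.lower().startswith("-p") for s in switches):
        return None  # archive created, but no password switch

    # -mhe / -mhe=on additionally encrypts the archive's file name table.
    header_encrypted = any(s.lower() in {"-mhe", "-mhe=on"} for s in switches)
    positional = [a for a in args[1:] if not a.startswith("-")]

    return {
        "image": image,
        "command": command,
        "archive": positional[0] if positional else "",
        "header_encryption": header_encrypted,
        "command_line": event.get("CommandLine", ""),
    }


def detect_password_archiving(events: list[dict]) -> list[dict]:
    """Run analyze_event over a batch of events and keep the findings."""
    return [f for f in (analyze_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in detect_password_archiving(SAMPLE_EVENTS):
        print(finding)
```

Matching on the command letter rather than on the presence of "-p" alone is what keeps extraction with a password and unrelated processes out of the results; the header-encryption flag is surfaced separately because it is a stronger signal of someone trying to hide what was collected than a plain password.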