T1560 - Archive Collected Data
Description from ATT&CK (opens in a new tab)
An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network.(Citation: DOJ GRU Indictment Jul 2018) Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Both compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.
Atomic Tests
Atomic Test #1 - Compress Data for Exfiltration With PowerShell
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. When the test completes you should find the files from the $env:USERPROFILE directory compressed in a file called T1560-data-ps.zip in the $env:USERPROFILE directory
Supported Platforms: Windows
auto_generated_guid: 41410c60-614d-4b9d-b66e-b0192dd9c597
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| input_file | Path that should be compressed into our output file | path | $env:USERPROFILE |
| output_file | Path where resulting compressed data should be placed | path | $env:USERPROFILE\T1560-data-ps.zip |
Attack Commands: Run with powershell!
dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}Cleanup Commands:
Remove-Item -path #{output_file} -ErrorAction Ignore