T1560.001.md

T1560.001 - Archive via Utility

Description from ATT&CK

An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities. Many utilities exist that can archive data, including 7-Zip(Citation: 7zip Homepage), WinRAR(Citation: WinRAR Homepage), and WinZip(Citation: WinZip Homepage). Most utilities include functionality to encrypt and/or compress data.

Some 3rd party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems.

Atomic Tests

• Atomic Test #1 - Compress Data for Exfiltration With Rar

• Atomic Test #2 - Compress Data and lock with password for Exfiltration with winrar

• Atomic Test #3 - Compress Data and lock with password for Exfiltration with winzip

• Atomic Test #4 - Compress Data and lock with password for Exfiltration with 7zip

• Atomic Test #5 - Data Compressed - nix - zip

• Atomic Test #6 - Data Compressed - nix - gzip Single File

• Atomic Test #7 - Data Compressed - nix - tar Folder or File

• Atomic Test #8 - Data Encrypted with zip and gpg symmetric

Atomic Test #1 - Compress Data for Exfiltration With Rar

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. When the test completes you should find the txt files from the %USERPROFILE% directory compressed in a file called T1560.001-data.rar in the %USERPROFILE% directory

Supported Platforms: Windows

Inputs:

Name	Description	Type	Default Value
input_path	Path that should be compressed into our output file	Path	%USERPROFILE%
file_extension	Extension of files to compress	String	.txt
output_file	Path where resulting compressed data should be placed	Path	%USERPROFILE%\T1560.001-data.rar
rar_installer	Winrar installer	Path	%TEMP%\winrar.exe
rar_exe	The RAR executable from Winrar	Path	%programfiles%/WinRAR/Rar.exe

Attack Commands: Run with command_prompt!

"#{rar_exe}" a -r #{output_file} #{input_path}\*#{file_extension}

Cleanup Commands:

del /f /q /s #{output_file} >nul 2>&1

Dependencies: Run with command_prompt!

Description: Rar tool must be installed at specified location (#{rar_exe})

Check Prereq Commands:

if not exist "#{rar_exe}" (exit /b 1) 

Get Prereq Commands:

echo Downloading Winrar installer
bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer}
#{rar_installer} /S

Atomic Test #2 - Compress Data and lock with password for Exfiltration with winrar

Note: Requires winrar installation rar a -p"blue" hello.rar (VARIANT)

Supported Platforms: Windows

Inputs:

Name	Description	Type	Default Value
rar_installer	Winrar installer	Path	%TEMP%\winrar.exe
rar_exe	The RAR executable from Winrar	Path	%programfiles%/WinRAR/Rar.exe

Attack Commands: Run with command_prompt!

mkdir .\tmp\victim-files
cd .\tmp\victim-files
echo "This file will be encrypted" > .\encrypted_file.txt
"#{rar_exe}" a -hp"blue" hello.rar
dir

Dependencies: Run with command_prompt!

Description: Rar tool must be installed at specified location (#{rar_exe})

Check Prereq Commands:

if not exist "#{rar_exe}" (exit /b 1) 

Get Prereq Commands:

echo Downloading Winrar installer
bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer}
#{rar_installer} /S

Atomic Test #3 - Compress Data and lock with password for Exfiltration with winzip

Note: Requires winzip installation wzzip sample.zip -s"blueblue" *.txt (VARIANT)

Supported Platforms: Windows

Inputs:

Name	Description	Type	Default Value
winzip_exe	Path to installed Winzip executable	Path	%ProgramFiles%\WinZip\winzip64.exe
winzip_url	Path to download Windows Credential Editor zip file	url	https://download.winzip.com/gl/nkln/winzip24-home.exe
winzip_hash	File hash of the Windows Credential Editor zip file	String	B59DB592B924E963C21DA8709417AC0504F6158CFCB12FE5536F4A0E0D57D7FB

Attack Commands: Run with command_prompt!

path=%path%;"C:\Program Files (x86)\winzip"
mkdir .\tmp\victim-files
cd .\tmp\victim-files
echo "This file will be encrypted" > .\encrypted_file.txt
"#{winzip_exe}" -min -a -s"hello" archive.zip *
dir

Dependencies: Run with powershell!

Description: Winzip must be installed

Check Prereq Commands:

cmd /c 'if not exist "#{winzip_exe}" (echo 1) else (echo 0)' 

Get Prereq Commands:

if(Invoke-WebRequestVerifyHash "#{winzip_url}" "$env:Temp\winzip.exe" #{winzip_hash}){
  Write-Host Follow the installation prompts to continue
  cmd /c "$env:Temp\winzip.exe"
}

Atomic Test #4 - Compress Data and lock with password for Exfiltration with 7zip

Note: Requires 7zip installation

Supported Platforms: Windows

Inputs:

Name	Description	Type	Default Value
7zip_installer	7zip installer	Path	%TEMP%\7zip.exe
7zip_exe	Path to installed 7zip executable	Path	%ProgramFiles%\7-zip\7z.exe

Attack Commands: Run with command_prompt!

mkdir $PathToAtomicsFolder\T1560.001\victim-files
cd $PathToAtomicsFolder\T1560.001\victim-files
echo "This file will be encrypted" > .\encrypted_file.txt
"#{7zip_exe}" u archive.7z *txt -pblue
dir

Dependencies: Run with command_prompt!

Description: 7zip tool must be installed at specified location (#{7zip_exe})

Check Prereq Commands:

if not exist "#{7zip_exe}" (exit /b 1) 

Get Prereq Commands:

echo Downloading 7-zip installer
bitsadmin /transfer myDownloadJob /download /priority normal "https://www.7-zip.org/a/7z2002-x64.exe" #{7zip_installer}
#{7zip_installer} /S

Atomic Test #5 - Data Compressed - nix - zip

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression.

Supported Platforms: Linux, macOS

Inputs:

Name	Description	Type	Default Value
input_files	Path that should be compressed into our output file, may include wildcards	Path	$HOME/*.txt
output_file	Path that should be output as a zip archive	Path	$HOME/data.zip

Attack Commands: Run with sh!

zip #{output_file} #{input_files}

Cleanup Commands:

rm -f #{output_file}

Dependencies: Run with sh!

Description: Files to zip must exist (#{input_files})

Check Prereq Commands:

if [ $(ls #{input_files} | wc -l) > 0 ]; then exit 0; else exit 1; fi; 

Get Prereq Commands:

echo Please set input_files argument to include files that exist

Atomic Test #6 - Data Compressed - nix - gzip Single File

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.

Supported Platforms: Linux, macOS

Inputs:

Name	Description	Type	Default Value
input_file	Path that should be compressed	Path	$HOME/victim-gzip.txt
input_content	contents of compressed files if file does not already exist. default contains test credit card and social security number	String	confidential! SSN: 078-05-1120 - CCN: 4000 1234 5678 9101

Attack Commands: Run with sh!

test -e #{input_file} && gzip -k #{input_file} || (echo '#{input_content}' >> #{input_file}; gzip -k #{input_file})

Cleanup Commands:

rm -f #{input_file}.gz

Atomic Test #7 - Data Compressed - nix - tar Folder or File

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.

Supported Platforms: Linux, macOS

Inputs:

Name	Description	Type	Default Value
input_file_folder	Path that should be compressed	Path	$HOME/$USERNAME
output_file	File that should be output	Path	$HOME/data.tar.gz

Attack Commands: Run with sh!

tar -cvzf #{output_file} #{input_file_folder}

Cleanup Commands:

rm -f #{output_file}

Dependencies: Run with sh!

Description: Folder to zip must exist (#{input_file_folder})

Check Prereq Commands:

test -e #{input_file_folder} 

Get Prereq Commands:

echo Please set input_file_folder argument to a folder that exists

Atomic Test #8 - Data Encrypted with zip and gpg symmetric

Encrypt data for exiltration

Supported Platforms: macOS, Linux

Inputs:

Name	Description	Type	Default Value
test_folder	Path used to store files.	Path	/tmp/T1560
test_file	Temp file used to store encrypted data.	Path	T1560
encryption_password	Password used to encrypt data.	string	InsertPasswordHere

Attack Commands: Run with sh!

mkdir -p #{test_folder}
cd #{test_folder}; touch a b c d e f g
zip --password "#{encryption_password}" #{test_folder}/#{test_file} ./*
echo "#{encryption_password}" | gpg --batch --yes --passphrase-fd 0 --output #{test_folder}/#{test_file}.zip.gpg -c #{test_folder}/#{test_file}.zip
ls -l #{test_folder}

Cleanup Commands:

rm -Rf #{test_folder}

Dependencies: Run with sh!

Description: gpg and zip are required to run the test.

Check Prereq Commands:

if [ ! -x "$(command -v gpg)" ] || [ ! -x "$(command -v zip)" ]; then exit 1; fi; 

Get Prereq Commands:

echo "Install gpg and zip to run the test"; exit 1;