Archive via Utility

Information

• Name: Archive via Utility

• ID: T1560.001

• Tactics: TA0009

• Technique: T1560

Introduction

The MITRE ATT&CK sub-technique "Archive via Utility" (T1560.001) refers to adversaries leveraging built-in or third-party archive utilities to compress or package data prior to exfiltration. This sub-technique is a specific variant of the broader "Archive Collected Data" (T1560) technique, commonly employed by threat actors to facilitate stealthy, efficient data exfiltration by reducing data size and evading detection mechanisms. Attackers typically use common utilities such as ZIP, RAR, tar, gzip, and 7zip, often pre-installed or easily obtainable, to package sensitive information before transferring it out of victim environments.

Deep Dive Into Technique

Attackers employing the "Archive via Utility" sub-technique typically follow these technical procedures and methodologies:

• Selection of Archive Utility: Threat actors commonly utilize built-in system utilities or widely available third-party tools. Commonly leveraged utilities include:

  • ZIP (Windows built-in compression, PowerShell Compress-Archive)

  • RAR (WinRAR)

  • 7zip (7z.exe)

  • tar and gzip (Unix/Linux built-in utilities)

  • bzip2, xz, compress (Unix/Linux utilities)

• Execution Methods and Commands: Attackers usually execute archive utilities through command-line interfaces or scripting environments:

  • Windows examples:

    Copy

    zip archive.zip sensitive-documents\*
    powershell Compress-Archive -Path C:\Data -DestinationPath C:\Temp\data.zip
    7z.exe a -tzip archive.zip C:\SensitiveData

  • Linux examples:

    Copy

    tar -cvzf data.tar.gz /home/user/documents/
    zip -r data.zip /var/log/
    gzip sensitive_file.txt

• Mechanisms and Procedures:

  • Compression for Efficiency: Reducing file size allows attackers to exfiltrate large amounts of data more quickly and with less likelihood of triggering data transfer volume thresholds.

  • Encryption and Password Protection: Attackers often use password-protected archives to evade detection by network-based deep packet inspection or endpoint security solutions.

  • Obfuscation and Renaming: Adversaries may rename archives to common file extensions (e.g., .doc, .jpg) to evade detection and bypass security controls.

  • Scripting and Automation: Attackers commonly automate archiving through scripts (PowerShell, Bash, batch files) to quickly and efficiently collect and package data.

When this Technique is Usually Used

Attackers typically employ the "Archive via Utility" sub-technique during the following attack scenarios and stages:

• Data Exfiltration Stage:

  • To compress and package sensitive information before exfiltration, reducing bandwidth usage and evading detection by network monitoring tools.

  • To facilitate stealthy and efficient transfer of large volumes of data.

• Lateral Movement and Internal Data Staging:

  • Attackers may archive data on compromised hosts to stage information before moving it laterally within the compromised environment.

• Collection and Preparation Stage:

  • Early in the attack lifecycle, adversaries may archive collected data for easier management and faster exfiltration later on.

• Persistence and Long-Term Access:

  • Attackers may archive sensitive data and store it in hidden or obscure locations for later retrieval and exfiltration.

How this Technique is Usually Detected

Detection of the "Archive via Utility" sub-technique typically involves monitoring and analyzing system behaviors, logs, and file system changes. Common detection methods include:

• Process Monitoring and Endpoint Detection:

  • Monitor process creation events to identify unexpected or unusual execution of archiving utilities (e.g., zip.exe, 7z.exe, rar.exe, Compress-Archive cmdlets).

  • Endpoint Detection and Response (EDR) tools can alert on suspicious command-line parameters or unusual file paths.

• Command-Line and Script Logging:

  • Enable and analyze detailed command-line logging (e.g., Windows Event ID 4688, Sysmon Event ID 1) to detect suspicious archive commands and parameters.

• File System Auditing:

  • Monitor file system activities for creation of archive files (.zip, .rar, .tar.gz, .7z) in unusual locations or times.

  • Detect archive files with unusual naming conventions or file extensions mismatched to their actual content.

• Network Traffic Analysis and DLP Tools:

  • Network monitoring solutions and Data Loss Prevention (DLP) tools can detect archive files transferred over the network, especially encrypted or password-protected archives.

  • Inspect network traffic for patterns indicative of archive file transfers (e.g., HTTP POST requests, FTP/SFTP transfers).

• Indicators of Compromise (IoCs):

  • Presence of suspicious archive utilities on endpoints not normally used for archiving.

  • Archive files found in temporary or hidden directories.

  • Scripts or batch files containing archiving commands.

  • Unusual CPU spikes or disk activity from archiving processes.

Why it is Important to Detect This Technique

Early detection of the "Archive via Utility" sub-technique is crucial due to the following potential impacts and risks:

• Data Exfiltration and Loss:

  • Attackers frequently archive sensitive data to facilitate rapid and stealthy exfiltration, leading to significant data breaches and loss of intellectual property or sensitive business information.

• Detection Evasion and Stealth:

  • Archiving utilities, especially those built into operating systems, are frequently overlooked by defenders, allowing attackers to evade detection and maintain stealth.

  • Password-protected or encrypted archives can bypass traditional network inspection and content scanning methods.

• Operational Efficiency for Attackers:

  • Archiving reduces the volume of data transferred, enabling attackers to exfiltrate data quickly, minimizing the window for detection and response.

• Regulatory and Compliance Implications:

  • Data breaches facilitated by archived data exfiltration can result in regulatory violations, compliance penalties, and reputational damage.

• Incident Response Complexity:

  • Archived data complicates incident response and forensic analysis, as defenders must identify, decrypt, and analyze compressed or encrypted archives to determine the scope and impact of the breach.

Examples

Real-world examples of the "Archive via Utility" sub-technique include:

• APT41 (Winnti Group):

  • Known to use 7zip and RAR utilities to compress and archive stolen intellectual property and sensitive corporate data before exfiltration.

  • Often employs password-protected archives to evade detection.

• FIN7 (Carbanak Group):

  • Frequently leverages built-in Windows utilities such as PowerShell's Compress-Archive cmdlet to compress data prior to exfiltration, evading detection by endpoint protection software.

• DarkSide Ransomware Attacks:

  • Attackers utilized 7zip utilities to compress and encrypt sensitive data prior to exfiltration, threatening public release if ransom demands were not met.

• Operation Cloud Hopper (APT10):

  • Utilized archive utilities like RAR and ZIP to compress large volumes of intellectual property and sensitive data, facilitating stealthy exfiltration from targeted managed service providers (MSPs) and cloud environments.

• Conti Ransomware Operations:

  • Employed built-in Windows utilities and third-party archiving tools to compress and encrypt data prior to exfiltration, increasing operational stealth and efficiency.

These examples illustrate the widespread and frequent use of archiving utilities by sophisticated threat actors across multiple industries and sectors, highlighting the importance of proactive detection and response.