# T1002 - Data Compressed

## Description from ATT&CK

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib.

## Atomic Tests
## Atomic Test #1 - Compress Data for Exfiltration With PowerShell

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration.

**Supported Platforms:** Windows

#### Inputs

| Name | Description | Type | Default Value |
|---|---|---|---|
| input_file | Path that should be compressed into our output file | Path | C:\* |
| output_file | Path where resulting compressed data should be placed | Path | C:\test\Data.zip |

#### Run it with `powershell`!

```powershell
dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
```
## Atomic Test #2 - Compress Data for Exfiltration With Rar

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration.

**Supported Platforms:** Windows

#### Inputs

| Name | Description | Type | Default Value |
|---|---|---|---|
| input_file | Path that should be compressed into our output file | Path | *.docx |
| output_file | Path where resulting compressed data should be placed | Path | exfilthis.rar |

#### Run it with `command_prompt`!

```cmd
rar a -r #{output_file} #{input_file}
```
## Atomic Test #3 - Data Compressed - nix - zip

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression.

**Supported Platforms:** Linux, macOS

#### Inputs

| Name | Description | Type | Default Value |
|---|---|---|---|
| input_files | Path that should be compressed into our output file, may include wildcards | Path | /tmp/victim-files/* |
| output_file | Path that should be output as a zip archive | Path | /tmp/victim-files.zip |

#### Run it with `sh`!

```sh
zip #{output_file} #{input_files}
```
## Atomic Test #4 - Data Compressed - nix - gzip Single File

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.

**Supported Platforms:** Linux, macOS

#### Inputs

| Name | Description | Type | Default Value |
|---|---|---|---|
| input_file | Path that should be compressed | Path | /tmp/victim-gzip.txt |

#### Run it with `sh`!

```sh
gzip -f #{input_file}
```
## Atomic Test #5 - Data Compressed - nix - tar Folder or File

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.

**Supported Platforms:** Linux, macOS

#### Inputs

| Name | Description | Type | Default Value |
|---|---|---|---|
| input_file_folder | Path that should be compressed | Path | /tmp/victim-files/ |
| output_file | File that should be output | Path | /tmp/victim-files.tar.gz |

#### Run it with `sh`!

```sh
tar -cvzf #{output_file} #{input_file_folder}
```
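As an added example (not part of the Atomic Red Team test definitions above), the following Python script shows the detection logic a defender might run over process-creation command lines to flag the archive-creation patterns exercised by the five tests: it separates archive creation (`Compress-Archive`, `rar a`, `zip`, `gzip` without `-d`, `tar` with the `c` flag) from extraction, which uses the same binaries. The sample command lines are constructed, and the rule names and the `classify`/`find_compression_events` functions are assumptions of this example.

```python
import re

# Constructed sample process-creation command lines (not real telemetry).
# The first five mirror the page's five atomic tests; the last two are benign.
SAMPLE_EVENTS = [
    'powershell.exe -Command "dir C:\\* -Recurse | Compress-Archive -DestinationPath C:\\test\\Data.zip"',
    "rar.exe a -r exfilthis.rar *.docx",
    "zip /tmp/victim-files.zip /tmp/victim-files/*",
    "gzip -f /tmp/victim-gzip.txt",
    "tar -cvzf /tmp/victim-files.tar.gz /tmp/victim-files/",
    "tar -xzf /tmp/update.tar.gz",       # extraction, not creation: should not match
    "notepad.exe C:\\notes.txt",         # unrelated process: should not match
]


def _basename(image: str) -> str:
    """Reduce 'C:\\Tools\\rar.exe' or '/usr/bin/tar' to 'rar' / 'tar'."""
    name = re.split(r"[\\/]", image)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def classify(cmdline: str):
    """Return the name of the matching archive-creation rule, or None."""
    if "compress-archive" in cmdline.lower():       # PowerShell cmdlet (Atomic Test #1)
        return "powershell_compress_archive"
    argv = cmdline.split() or [""]
    tool, args = _basename(argv[0]), argv[1:]
    if tool == "rar" and args and args[0] == "a":    # 'rar a' adds files to an archive (#2)
        return "rar_add"
    if tool == "zip":                                 # zip only creates/updates archives (#3)
        return "zip_create"
    if tool == "gzip":                                # gzip compresses unless -d is given (#4)
        short = "".join(a[1:] for a in args if a.startswith("-") and not a.startswith("--"))
        if "d" not in short and "--decompress" not in args:
            return "gzip_compress"
    if tool == "tar" and args:                        # tar creates with c, extracts with x (#5)
        first = args[0]
        creating = first == "--create" or (
            not first.startswith("--") and "c" in first and not any(ch in first for ch in "xt")
        )
        if creating:
            return "tar_create"
    return None


def find_compression_events(events):
    """Return (rule, cmdline) pairs for every command line that matches a rule."""
    return [(classify(line), line) for line in events if classify(line)]


if __name__ == "__main__":
    for rule, line in find_compression_events(SAMPLE_EVENTS):
        print(f"{rule:28} {line}")
```

The rules key on the first argument only, so they are a starting point for a query over real process telemetry rather than a complete parser of each tool's option syntax.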