atomic-red-team/atomics/T1002/T1002.md

# T1002 - Data Compressed
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1002)
<blockquote>An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib.</blockquote>

## Atomic Tests

- [Atomic Test #1 - Compress Data for Exfiltration With PowerShell](#atomic-test-1---compress-data-for-exfiltration-with-powershell)

- [Atomic Test #2 - Compress Data for Exfiltration With Rar](#atomic-test-2---compress-data-for-exfiltration-with-rar)

- [Atomic Test #3 - Data Compressed - nix - zip](#atomic-test-3---data-compressed---nix---zip)

- [Atomic Test #4 - Data Compressed - nix - gzip Single File](#atomic-test-4---data-compressed---nix---gzip-single-file)

- [Atomic Test #5 - Data Compressed - nix - tar Folder or File](#atomic-test-5---data-compressed---nix---tar-folder-or-file)


<br/>

## Atomic Test #1 - Compress Data for Exfiltration With PowerShell
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration 

**Supported Platforms:** Windows


#### Inputs
| Name | Description | Type | Default Value | 
|------|-------------|------|---------------|
| input_file | Path that should be compressed into our output file | Path | C:\*|
| output_file | Path where resulting compressed data should be placed | Path | C:\test\Data.zip|

#### Run it with `powershell`! 
```
dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
```



<br/>
<br/>

## Atomic Test #2 - Compress Data for Exfiltration With Rar
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration 

**Supported Platforms:** Windows


#### Inputs
| Name | Description | Type | Default Value | 
|------|-------------|------|---------------|
| input_file | Path that should be compressed into our output file | Path | *.docx|
| output_file | Path where resulting compressed data should be placed | Path | exfilthis.rar|

#### Run it with `command_prompt`! 
```
rar a -r #{output_file} #{input_file}
```



<br/>
<br/>

## Atomic Test #3 - Data Compressed - nix - zip
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression.

**Supported Platforms:** Linux, macOS


#### Inputs
| Name | Description | Type | Default Value | 
|------|-------------|------|---------------|
| input_files | Path that should be compressed into our output file, may include wildcards | Path | /tmp/victim-files/*|
| output_file | Path that should be output as a zip archive | Path | /tmp/victim-files.zip|

#### Run it with `sh`! 
```
zip #{output_file} #{input_files}
```



<br/>
<br/>

## Atomic Test #4 - Data Compressed - nix - gzip Single File
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.

**Supported Platforms:** Linux, macOS


#### Inputs
| Name | Description | Type | Default Value | 
|------|-------------|------|---------------|
| input_file | Path that should be compressed | Path | /tmp/victim-gzip.txt|

#### Run it with `sh`! 
```
gzip -f #{input_file}
```



<br/>
<br/>

## Atomic Test #5 - Data Compressed - nix - tar Folder or File
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.

**Supported Platforms:** Linux, macOS


#### Inputs
| Name | Description | Type | Default Value | 
|------|-------------|------|---------------|
| input_file_folder | Path that should be compressed | Path | /tmp/victim-files/|
| output_file | File that should be output | Path | /tmp/victim-files.tar.gz|

#### Run it with `sh`! 
```
tar -cvzf #{output_file} #{input_file_folder}
```



<br/>