security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1663bf7d524b6fc8a9a39104feb2949b36368dfc
atomic-red-team/atomics/T1022/T1022.md
T
CircleCI Atomic Red Team doc generator 499c751bcc Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-03 13:36:10 +00:00

104 lines
3.1 KiB
Markdown
Raw Blame History

# T1022 - Data Encrypted
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1022)
<blockquote>Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.
Other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over Command and Control Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048)</blockquote>
## Atomic Tests
- [Atomic Test #1 - Data Encrypted with zip and gpg](#atomic-test-1---data-encrypted-with-zip-and-gpg)
- [Atomic Test #2 - Compress Data and lock with password for Exfiltration with winrar](#atomic-test-2---compress-data-and-lock-with-password-for-exfiltration-with-winrar)
- [Atomic Test #3 - Compress Data and lock with password for Exfiltration with winzip](#atomic-test-3---compress-data-and-lock-with-password-for-exfiltration-with-winzip)
- [Atomic Test #4 - Compress Data and lock with password for Exfiltration with 7zip](#atomic-test-4---compress-data-and-lock-with-password-for-exfiltration-with-7zip)
<br/>
## Atomic Test #1 - Data Encrypted with zip and gpg
Encrypt data for exiltration
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
#### Run it with `sh`!
```
echo "This file will be encrypted" > /tmp/victim-gpg.txt
mkdir /tmp/victim-files
cd /tmp/victim-files
touch a b c d e f g
zip --password "insert password here" /tmp/victim-files.zip /tmp/victim-files/*
gpg -c /tmp/victim-gpg.txt
<enter passphrase and confirm>
ls -l
```
<br/>
<br/>
## Atomic Test #2 - Compress Data and lock with password for Exfiltration with winrar
Note: Requires winrar installation
rar a -p"blue" hello.rar (VARIANT)
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
mkdir ./tmp/victim-files
cd ./tmp/victim-files
echo "This file will be encrypted" > ./encrypted_file.txt
rar a -hp"blue" hello.rar
dir
```
<br/>
<br/>
## Atomic Test #3 - Compress Data and lock with password for Exfiltration with winzip
Note: Requires winzip installation
wzzip sample.zip -s"blueblue" *.txt (VARIANT)
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
path=%path%;"C:\Program Files (x86)\winzip"
mkdir ./tmp/victim-files
cd ./tmp/victim-files
echo "This file will be encrypted" > ./encrypted_file.txt
winzip32 -min -a -s"hello" archive.zip *
dir
```
<br/>
<br/>
## Atomic Test #4 - Compress Data and lock with password for Exfiltration with 7zip
Note: Requires 7zip installation
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
mkdir ./tmp/victim-files
cd ./tmp/victim-files
echo "This file will be encrypted" > ./encrypted_file.txt
7z a archive.7z -pblue
dir
```
<br/>
Reference in New Issue View Git Blame Copy Permalink