atomic-red-team/atomics/T1002/T1002.md

T1002 - Data Compressed

Description from ATT&CK

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib.

Atomic Tests

• Atomic Test #1 - Compress Data for Exfiltration With PowerShell

• Atomic Test #2 - Compress Data for Exfiltration With Rar

• Atomic Test #3 - Data Compressed - nix - zip

• Atomic Test #4 - Data Compressed - nix - gzip Single File

• Atomic Test #5 - Data Compressed - nix - tar Folder or File

Atomic Test #1 - Compress Data for Exfiltration With PowerShell

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration

Supported Platforms: Windows

Inputs:

Name	Description	Type	Default Value
input_file	Path that should be compressed into our output file	Path	$env:USERPROFILE
output_file	Path where resulting compressed data should be placed	Path	$env:USERPROFILE\data.zip

Attack Commands: Run with powershell!

dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}

Cleanup Commands:

Remove-Item -path #{output_file}

Atomic Test #2 - Compress Data for Exfiltration With Rar

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration

Supported Platforms: Windows

Inputs:

Name	Description	Type	Default Value
input_path	Path that should be compressed into our output file	Path	%USERPROFILE%
file_extension	Extension of files to compress	String	.txt
output_file	Path where resulting compressed data should be placed	Path	%USERPROFILE%\data.rar
rar_installer	Winrar installer	Path	%TEMP%\winrar.exe
rar_exe	The RAR executable from Winrar	Path	%programfiles%/WinRAR/Rar.exe

Attack Commands: Run with command_prompt!

"#{rar_exe}" a -r #{output_file} #{input_path} *#{file_extension}

Cleanup Commands:

del #{output_file}

Dependencies: Run with command_prompt!

Description: Rar tool must be installed at specified location (#{rar_exe})

Check Prereq Commands:

if not exist "#{rar_exe}" (exit /b 1) 

Get Prereq Commands:

echo Downloading Winrar installer
bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer}
echo Follow the installer prompts to install Winrar
#{rar_installer}

Atomic Test #3 - Data Compressed - nix - zip

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression.

Supported Platforms: Linux, macOS

Inputs:

Name	Description	Type	Default Value
input_files	Path that should be compressed into our output file, may include wildcards	Path	$HOME/*.txt
output_file	Path that should be output as a zip archive	Path	$HOME/data.zip

Attack Commands: Run with sh!

zip #{output_file} #{input_files}

Cleanup Commands:

rm -f #{output_file}

Dependencies: Run with sh!

Description: Files to zip must exist (#{input_files})

Check Prereq Commands:

ls #{input_files} 

Get Prereq Commands:

echo Please set input_files argument to include files that exist

Atomic Test #4 - Data Compressed - nix - gzip Single File

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.

Supported Platforms: Linux, macOS

Inputs:

Name	Description	Type	Default Value
input_file	Path that should be compressed	Path	$HOME/victim-gzip.txt
input_content	contents of compressed files if file does not already exist. default contains test credit card and social security number	String	confidential! SSN: 078-05-1120 - CCN: 4000 1234 5678 9101

Attack Commands: Run with sh!

test -e #{input_file} && gzip -k #{input_file} || (echo '#{input_content}' >> #{input_file}; gzip -k #{input_file})

Cleanup Commands:

rm -f #{input_file}.gz

Atomic Test #5 - Data Compressed - nix - tar Folder or File

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.

Supported Platforms: Linux, macOS

Inputs:

Name	Description	Type	Default Value
input_file_folder	Path that should be compressed	Path	$HOME/$USERNAME
output_file	File that should be output	Path	$HOME/data.tar.gz

Attack Commands: Run with sh!

tar -cvzf #{output_file} #{input_file_folder}

Cleanup Commands:

rm -f #{output_file}

Dependencies: Run with sh!

Description: Folder to zip must exist (#{input_file_folder})

Check Prereq Commands:

test -e #{input_file_folder} 

Get Prereq Commands:

echo Please set input_file_folder argument to a folder that exists