security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fc495c1192fda69bd1ed33a13d7590ef055eee09
atomic-red-team/atomics/T1002/T1002.md
T
CircleCI Atomic Red Team doc generator 65fd85dd3c Generate docs from job=validate_atomics_generate_docs branch=uppercase-everything
2018-05-23 23:09:31 +00:00

54 lines
2.3 KiB
Markdown
Raw Blame History

# T1002 - Data Compressed
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1002)
<blockquote>An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib.
Detection: Compression software and compressed files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known compression utilities. This may yield a significant amount of benign events, depending on how systems in the environment are typically used.
If the communications channel is unencrypted, compressed files can be detected in transit during exfiltration with a network intrusion detection or data loss prevention system analyzing file headers. (Citation: Wikipedia File Header Signatures)
Platforms: Linux, macOS, Windows
Data Sources: File monitoring, Binary file metadata, Process command-line parameters, Process monitoring
Requires Network: No</blockquote>
## Atomic Tests
- [Atomic Test #1 - Compress Data for Exfiltration With PowerShell](#atomic-test-1---compress-data-for-exfiltration-with-powershell)
- [Atomic Test #2 - Compress Data for Exfiltration With Rar](#atomic-test-2---compress-data-for-exfiltration-with-rar)
<br/>
## Atomic Test #1 - Compress Data for Exfiltration With PowerShell
TODO
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path that should be compressed into our output file | Path | C:\*|
| output_file | Path where resulting compressed data should be placed | Path | C:\test\Data.zip|
#### Run it with `powershell`!
```
dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
```
<br/>
<br/>
## Atomic Test #2 - Compress Data for Exfiltration With Rar
TODO
**Supported Platforms:** Windows
#### Run it with `powershell`!
```
rar a -r #{output_file} #{input_file}
```
<br/>
Reference in New Issue View Git Blame Copy Permalink