Archive via Utility
Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionality to compress, encrypt, or otherwise package data into a format that is easier or more secure to transport. Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third-party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems. On Windows, diantz or makecab may be used to package collected files into a cabinet (.cab) file. diantz may also be used to download and compress files from remote locations (i.e. Remote Data Staging). xcopy on Windows can copy files and directories with a variety of options. Additionally, adversaries may use certutil to Base64 encode collected data before exfiltration. Adversaries may also use third-party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.
Detection logic
Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring of command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used, so pair the process match with context such as a password/encryption flag, a source path under user profile or staging directories, or an unusual parent process. Consider detecting the writing of files with extensions and/or headers associated with compressed or encrypted file types; note that an extension is trivially renamed, while the file header is not. Detection efforts may also focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit by a network intrusion detection or data loss prevention system that inspects file headers rather than names.
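The following is an added example for this page, not code from ATT&CK or any vendor. It applies the detection logic described above to the utilities named in the technique description (7-Zip, WinRAR, zip, tar, makecab, diantz, certutil): it parses constructed process-creation events, flags archive creation and Base64 encoding, marks password-protected archives and diantz reads from remote locations, and classifies file contents by header, including the ZIP general-purpose flag bit that distinguishes an encrypted entry from a plain one. The event records and field names (`pid`, `user`, `command_line`) are assumptions loosely modelled on Sysmon Event ID 1; the sample command lines and headers are constructed, not real telemetry.

```python
"""Detection logic for T1560.001 (Archive via Utility).

Added example, not ATT&CK's own code. Events and file headers below are
constructed; field names are an assumption modelled on Sysmon Event ID 1."""
import io
import re
import struct
import zipfile

_FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]*)"|(\S+))\s*(.*)$', re.S)


def split_cmdline(command_line):
    """Return (lowercased image basename, argument string) for a command line."""
    m = _FIRST_TOKEN.match(command_line)
    exe = m.group(1) or m.group(2) or ""
    return re.split(r"[\\/]", exe)[-1].lower(), m.group(3)


def _re(pattern):
    rx = re.compile(pattern)
    return lambda args: rx.search(args) is not None


def _tar_creates(args):
    """tar's first argument is the mode cluster ('czf', '-cf', '--create')."""
    toks = args.split()
    if not toks:
        return False
    first = toks[0]
    return first == "--create" if first.startswith("--") else "c" in first.lstrip("-")


# (image basenames, predicate: args create an archive/encoding, label,
#  predicate: args request encryption, or None when the tool has no such flag)
RULES = [
    ({"7z.exe", "7za.exe", "7zg.exe", "7z"}, _re(r"^a\b"), "7-Zip archive creation", _re(r"(^|\s)-p\S*")),
    ({"rar.exe", "winrar.exe", "rar"}, _re(r"^a\b"), "WinRAR archive creation", _re(r"(^|\s)-h?p\S*")),
    ({"zip", "zip.exe"}, _re(r"\S"), "zip archive creation", _re(r"(^|\s)(-e|-P|--encrypt|--password)\b")),
    ({"tar", "tar.exe", "bsdtar"}, _tar_creates, "tar archive creation", None),
    ({"makecab.exe", "makecab"}, _re(r"\S"), "makecab cabinet creation", None),
    ({"diantz.exe", "diantz"}, _re(r"\S"), "diantz cabinet creation", None),
    ({"certutil.exe", "certutil"}, _re(r"(^|\s)-encode\b"), "certutil Base64 encoding", None),
]


def evaluate(event):
    """Return a finding for one process-creation event, or None if no rule fires."""
    basename, args = split_cmdline(event["command_line"])
    for names, creates, label, encrypts in RULES:
        if basename in names and creates(args):
            return {
                "pid": event["pid"],
                "user": event["user"],
                "label": label,
                "encrypted": bool(encrypts and encrypts(args)),
                # diantz pulling from a URL or UNC path is Remote Data Staging.
                "remote_source": basename.startswith("diantz")
                and re.search(r"(https?://|\\\\\S)", args) is not None,
            }
    return None


def scan(events):
    return [f for f in map(evaluate, events) if f]


# File-header checks: the magic bytes identify the container regardless of
# the file extension an adversary chose.
MAGIC = [
    (b"PK\x03\x04", "zip"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"Rar!\x1a\x07", "rar"),
    (b"MSCF", "cab"),
    (b"\x1f\x8b", "gzip"),
]


def classify_header(data):
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def zip_is_encrypted(data):
    """Bit 0 of the general-purpose flag (offset 6 in the local file header)
    marks an encrypted entry; the magic bytes alone cannot tell."""
    if not data.startswith(b"PK\x03\x04") or len(data) < 8:
        return False
    return bool(struct.unpack_from("<H", data, 6)[0] & 0x0001)


# Constructed sample telemetry: one user staging data, plus two benign controls.
SAMPLE_EVENTS = [
    {"pid": 4120, "user": r"CORP\jdoe", "command_line": r'"C:\Program Files\7-Zip\7z.exe" a -pS3cret! -mhe=on C:\Users\jdoe\AppData\Local\Temp\out.7z C:\Users\jdoe\Documents\*'},
    {"pid": 4133, "user": r"CORP\jdoe", "command_line": r"C:\Windows\System32\makecab.exe C:\Users\Public\finance.xlsx C:\Users\Public\f.cab"},
    {"pid": 4140, "user": r"CORP\jdoe", "command_line": r"certutil.exe -encode C:\Users\Public\f.cab C:\Users\Public\f.txt"},
    {"pid": 4151, "user": r"CORP\jdoe", "command_line": r"diantz.exe \\10.0.0.5\share\dump.txt C:\Users\Public\d.cab"},
    {"pid": 4160, "user": r"CORP\jdoe", "command_line": r"certutil.exe -hashfile C:\Users\Public\f.cab SHA256"},  # benign
    {"pid": 9001, "user": "root", "command_line": "tar czf /tmp/.cache.tgz /home/ops/.ssh /etc/shadow"},
    {"pid": 9002, "user": "svc_build", "command_line": "tar xzf /opt/build/artifact.tgz -C /opt/build"},  # extraction, benign
]


def _build_plain_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "constructed sample content")
    return buf.getvalue()


PLAIN_ZIP = _build_plain_zip()
# Constructed local-file-header prefix of a ZipCrypto-protected entry (flag bit 0 set).
ENCRYPTED_ZIP_HEADER = b"PK\x03\x04" + struct.pack("<HHH", 20, 0x0001, 8)
CAB_HEADER = b"MSCF" + b"\x00" * 32

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
    print(classify_header(PLAIN_ZIP), zip_is_encrypted(PLAIN_ZIP), zip_is_encrypted(ENCRYPTED_ZIP_HEADER))
```

The process rules are deliberately loose (no fixed argument order, no case sensitivity on the image name) because these tools accept many spellings; the cost is noise from backup jobs and build systems, which is why the finding carries the user and the encryption/remote-source context for triage rather than firing as a standalone alert. The header check is the complement: it works on the written file even when the archiver was renamed or run from an unexpected path.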
Observed actors
G0093
G0022 APT3
G0094 Kimsuky
G1017 Volt Typhoon
G0096 APT41
G0045 menuPass
G0125 HAFNIUM
G0069 MuddyWater
G0084 Gallmaker
G0129 Mustang Panda
G0087 APT39
G1024 Akira
G0143 Aquatic Panda
G0004 Ke3chang
G0006 APT1
G0010 Turla
G1039 RedCurl
G0016 APT29
G0114 Chimera
G0060 BRONZE BUTLER
G1022 ToddyCat
G1030 Agrius
G0007 APT28
G1023 APT5
G0117 Fox Kitten
G1032 INC Ransom
G1006 Earth Lusca
G0054 Sowbug
G0052 CopyKittens
G0102 Wizard Spider
G1040 Play
G0059 Magic Hound
G0064 APT33
G0061 FIN8
G1016 FIN13
Correlated CTI and IR reports
Israel Threat Actors CTI · explicit report mention · APT39 (Chafer / Remix Kitten)
Israel Threat Actors CTI · explicit report mention · APT41 Targeting Pharmaceutical Sector: Log4Shell to Domain Compromise
1200km CTI repository · explicit report mention · Attack Playbook — Operation DragonRx
1200km CTI repository · explicit report mention · From Threat Intelligence to Detection: A Practitioner's Guide
1200km CTI repository · explicit report mention · Operation DragonRx — APT41 Full Attack Simulation
1200km CTI repository · explicit report mention · Operation DragonRx: Simulating an APT41 Attack End-to-End — From Log4Shell to DFIR and Malware Analysis
1200km CTI repository · explicit report mention · APT41 Targeting Pharmaceutical Sector: Log4Shell to Domain Compromise
1200km Medium · authored report mention · Attack Playbook: Operation DragonRx
1200km Medium · authored report mention · From Threat Intelligence to Detection: A Practitioner's Guide
1200km Medium · authored report mention · Operation DragonRx: Simulating an APT41 Attack End-to-End, From Log4Shell to DFIR and Malware