T1560.002: Archive via Library

View on MITRE ATT&CK	T1560.002
Tactic(s)	Collection

Data from MITRE ATT&CK®:

An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including Python rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data.

Some archival libraries are preinstalled on systems, such as bzip2 on macOS and Linux, and zip on Windows. Note that the libraries are different from the utilities. The libraries can be linked against when compiling, while the utilities require spawning a subshell, or a similar execution mechanism.

Cyber Threat Graph Context

Explore how this ATT&CK Technique relates to the wider threat graph

Reporting on this Technique

Report

APT40 Advisory - PRC MSS tradecraft in action

This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...

View Source

How to detect this technique

MITRE ATT&CK Data Components

File Creation (File)

Initial construction of a new file (ex: Sysmon EID 11)

Script Execution (Script)

The execution of a text file that contains code via the interpreter (e.g. Powershell, WMI, Windows EID 4104, etc.)

Control Validation Tests for this Technique

Use Atomic Red Team tests to test your defenses against this technique.

T1560.002: Archive via Library

Cyber Threat Graph Context

Reporting on this Technique

APT40 Advisory - PRC MSS tradecraft in action

How to detect this technique

File Creation (File)

Script Execution (Script)

Control Validation Tests for this Technique

Compressing data using bz2 in Python (FreeBSD/Linux)

Compressing data using GZip in Python (FreeBSD/Linux)

Compressing data using tarfile in Python (FreeBSD/Linux)

Compressing data using zipfile in Python (FreeBSD/Linux)