EXPLORE

← Back to Explore

T1560

Archive Collected Data

An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network.(Citation: DOJ GRU Indictment Jul 2018) Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender. Both compression and encryption are done prior to exfiltration, and can be performed using a utility, 3...

LinuxmacOSWindows

11

Detections

3

Sources

13

Threat Actors

BY SOURCE

6elastic3splunk_escu2sigma

PROCEDURES (7)

Exfiltrat3 detections

Auto-extracted: 3 detections for exfiltrat

Exfiltrat2 detections

Auto-extracted: 2 detections for exfiltrat

Encrypt2 detections

Auto-extracted: 2 detections for encrypt

Container1 detections

Auto-extracted: 1 detections for container

Container1 detections

Auto-extracted: 1 detections for container

Credential1 detections

Auto-extracted: 1 detections for credential

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

THREAT ACTORS (13)

APT28 APT32 Axiom BlackByte Dragonfly Ember Bear FIN6 Ke3chang Lazarus Group Leviathan LuminousMoth menuPass Patchwork

DETECTIONS (11)

Compressed File Creation Via Tar.EXE

Compressed File Extraction Via Tar.EXE

Detect Certipy File Modifications

Encrypting Files with WinRar or 7z

GenAI Process Performing Encoding/Chunking Prior to Network Activity

Sensitive File Access followed by Compression

Sensitive File Compression Detected via Defend for Containers

Sensitive Files Compression

Sensitive Files Compression Inside A Container

Windows Archive Collected Data via Powershell

Windows Archived Collected Data In TEMP Folder