EXPLORE

← Back to Explore

T1560

Archive Collected Data

An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network.(Citation: DOJ GRU Indictment Jul 2018) Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender. Both compression and encryption are done prior to exfiltration, and can be performed using a utility, 3...

LinuxmacOSWindows

12

Detections

3

Sources

13

Threat Actors

BY SOURCE

6elastic3sigma3splunk_escu

PROCEDURES (8)

Exfiltrat2 detections

Auto-extracted: 2 detections for exfiltrat

Encrypt2 detections

Auto-extracted: 2 detections for encrypt

Credential1 detections

Auto-extracted: 1 detections for credential

Container1 detections

Auto-extracted: 1 detections for container

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Container1 detections

Auto-extracted: 1 detections for container

Container1 detections

Auto-extracted: 1 detections for container

THREAT ACTORS (13)

APT28 APT32 Axiom BlackByte Dragonfly Ember Bear FIN6 Ke3chang Lazarus Group Leviathan LuminousMoth menuPass Patchwork

DETECTIONS (12)

Compress-Archive Cmdlet Execution

Compressed File Creation Via Tar.EXE

Compressed File Extraction Via Tar.EXE

Detect Certipy File Modifications

Encrypting Files with WinRar or 7z

GenAI Process Performing Encoding/Chunking Prior to Network Activity

Sensitive File Access followed by Compression

Sensitive File Compression Detected via Defend for Containers

Sensitive Files Compression

Sensitive Files Compression Inside A Container

Windows Archive Collected Data via Powershell

Windows Archived Collected Data In TEMP Folder