EXPLORE
Sign In
← Back to Explore
T1560.001

Archive via Utility

Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport. Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as <code>tar</code> on Linux and macOS or <code>zip</code> on Windows systems. On Windows, <code>diantz</code> or <cod...

LinuxmacOSWindows
24
Detections
3
Sources
37
Threat Actors

BY SOURCE

13sigma6splunk_escu5elastic

PROCEDURES (12)

Encrypt4 detections

Auto-extracted: 4 detections for encrypt

Suspicious3 detections

Auto-extracted: 3 detections for suspicious

Process Creation Monitoring3 detections

Auto-extracted: 3 detections for process creation monitoring

Exfiltrat3 detections

Auto-extracted: 3 detections for exfiltrat

General Monitoring2 detections

Auto-extracted: 2 detections for general monitoring

Exfiltrat2 detections

Auto-extracted: 2 detections for exfiltrat

Dump2 detections

Auto-extracted: 2 detections for dump

Container1 detections

Auto-extracted: 1 detections for container

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Container1 detections

Auto-extracted: 1 detections for container

Credential1 detections

Auto-extracted: 1 detections for credential

THREAT ACTORS (37)

AgriusAkiraAPT1APT28APT3APT33APT39APT41APT5Aquatic PandaBRONZE BUTLERChimeraCopyKittensEarth LuscaFIN13FIN8Fox KittenGALLIUMGallmakerHAFNIUMINC RansomKe3changKimsukyLotus BlossomMagic HoundmenuPassMuddyWaterMustang PandaPlayRedCurlSea TurtleSowbugToddyCatTurlaUNC3886Volt TyphoonWizard Spider

DETECTIONS (24)

7zip CommandLine To SMB Share Path
splunk_escu
7Zip Compressing Dump Files
sigmamedium
Anomalous usage of 7zip
splunk_escu
Cisco Stage Data
sigmalow
Compress Data and Lock With Password for Exfiltration With 7-ZIP
sigmamedium
Compress Data and Lock With Password for Exfiltration With WINZIP
sigmamedium
Compressed File Creation Via Tar.EXE
sigmalow
Compressed File Extraction Via Tar.EXE
sigmalow
Data Compressed
sigmalow
Detect Renamed 7-Zip
splunk_escu
Detect Renamed WinRAR
splunk_escu
Disk Image Mounting Via Hdiutil - MacOS
sigmamedium
Encrypting Files with WinRar or 7z
elasticmedium
Files Added To An Archive Using Rar.EXE
sigmalow
GenAI Process Performing Encoding/Chunking Prior to Network Activity
elasticmedium
IcedID Exfiltrated Archived File Creation
splunk_escu
Rar Usage with Password and Compression Level
sigmahigh
Sensitive File Compression Detected via Defend for Containers
elasticmedium
Sensitive Files Compression
elasticmedium
Sensitive Files Compression Inside A Container
elastichigh
Suspicious Manipulation Of Default Accounts Via Net.EXE
sigmahigh
Windows Archive Collected Data via Rar
splunk_escu
Winrar Compressing Dump Files
sigmamedium
WinRAR Execution in Non-Standard Folder
sigmamedium