Home
ATT&CK Techniques
T1560.001 Archive via Utility

T1560.001 Archive via Utility Mappings

Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.

Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as <code>tar</code> on Linux and macOS or <code>zip</code> on Windows systems.

On Windows, <code>diantz</code> or <code> makecab</code> may be used to package collected files into a cabinet (.cab) file. <code>diantz</code> may also be used to download and compress files from remote locations (i.e. Remote Data Staging).(Citation: diantz.exe_lolbas) <code>xcopy</code> on Windows can copy files and directories with a variety of options. Additionally, adversaries may use certutil to Base64 encode collected data before exfiltration.

Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)

View in MITRE ATT&CK®

Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
CA-08	Penetration Testing	Protects	T1560.001	Archive via Utility
RA-05	Vulnerability Monitoring and Scanning	Protects	T1560.001	Archive via Utility
SC-07	Boundary Protection	Protects	T1560.001	Archive via Utility
SI-03	Malicious Code Protection	Protects	T1560.001	Archive via Utility
SI-04	System Monitoring	Protects	T1560.001	Archive via Utility