An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network.(Citation: DOJ GRU Indictment Jul 2018) Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Both compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1560 | Archive Collected Data | |
Comments
Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), enhances cybersecurity defenses by enabling faster, real-time detection of Archive Collected Data (T1020). This integrated solution strengthens CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain while minimizing system performance impact.
Archive Collected Data (T1020) involves adversaries collecting and archiving large volumes of sensitive or stolen data, often with system utilities such as compression or archiving tools, in preparation for exfiltration. The resulting archives, such as ZIP or TAR files, are commonly used to compress or obfuscate the data so that it draws less attention during exfiltration. Intel TDT contributes by providing real-time telemetry on program execution, memory access, and control flow, which enables rapid detection of abnormal behaviors such as suspicious use of archiving utilities or file-system activity that indicates data is being staged for exfiltration.
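An added example (not code from the page, Intel, or CrowdStrike) of the kind of command-line check that such execution telemetry supports: it scores constructed process-creation events for archiver runs that enable password protection or encrypted headers, or that write to a likely staging directory. The switch names are the real ones for 7-Zip, RAR and Info-ZIP; the staging-directory list and the event format are assumptions made for this example.

```python
import re

# Switches that turn on password protection / encryption in common archivers
# (real switch names). STAGING_DIRS is an assumed heuristic for this example,
# not a vendor- or ATT&CK-supplied indicator list.
ENCRYPTION_SWITCHES = {
    "7z":  {"-p": "password (-p)", "-mhe": "encrypted headers (-mhe)"},
    "7za": {"-p": "password (-p)", "-mhe": "encrypted headers (-mhe)"},
    "rar": {"-p": "password (-p)", "-hp": "password + encrypted headers (-hp)"},
    "zip": {"-e": "interactive password (-e)", "-P": "password on command line (-P)"},
    "tar": {},  # no native encryption, but still an archiver worth recording
}
STAGING_DIRS = ("\\temp\\", "/tmp/", "/dev/shm/", "\\users\\public\\", "$recycle.bin")


def _tool_name(path):
    """'C:\\Tools\\7z.exe' -> '7z'; strips directory and .exe suffix."""
    name = re.split(r"[\\/]", path)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def score_event(event):
    """Score one process-creation event for T1560 indicators.

    Returns None if the image is not a known archiver. Otherwise returns a dict
    with severity 'high' (encryption switch AND staging directory), 'medium'
    (either one) or 'low' (plain archiver run). Uses str.split(), so quoted
    paths containing spaces would need a real command-line tokenizer."""
    tokens = event["cmdline"].split()
    tool = _tool_name(tokens[0])
    if tool not in ENCRYPTION_SWITCHES:
        return None
    reasons = [label for tok in tokens[1:]
               for switch, label in ENCRYPTION_SWITCHES[tool].items()
               if tok.startswith(switch)]
    encrypted = bool(reasons)
    staged = any(d in event["cmdline"].lower() for d in STAGING_DIRS)
    if staged:
        reasons.append("archive path under a staging directory")
    severity = "high" if encrypted and staged else "medium" if encrypted or staged else "low"
    return {"host": event["host"], "tool": tool, "severity": severity, "reasons": reasons}


def scan(events):
    """Return findings for every event that involves an archiver."""
    return [f for f in map(score_event, events) if f is not None]


SAMPLE_EVENTS = [  # constructed process-creation records, not real telemetry
    {"host": "ws01", "cmdline": r"C:\Tools\7z.exe a -phunter2 -mhe=on C:\Users\Public\stage.7z C:\Users\alice\Documents\*"},
    {"host": "ws02", "cmdline": r"C:\Tools\rar.exe a -hpSecret -r C:\Users\bob\Desktop\q3.rar C:\Users\bob\Desktop\q3"},
    {"host": "srv01", "cmdline": "tar -czf /var/backups/etc.tgz /etc"},
    {"host": "srv01", "cmdline": r"notepad.exe C:\notes.txt"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Running it flags ws01 as high (password plus encrypted headers, written under Users\Public), ws02 as medium, and the tar backup on srv01 as a low-severity archiver run.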
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1560.001 | Archive via Utility | 1 |