Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.
Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as <code>tar</code> on Linux and macOS or <code>zip</code> on Windows systems.
On Windows, <code>diantz</code> or <code> makecab</code> may be used to package collected files into a cabinet (.cab) file. <code>diantz</code> may also be used to download and compress files from remote locations (i.e. Remote Data Staging).(Citation: diantz.exe_lolbas) <code>xcopy</code> on Windows can copy files and directories with a variety of options. Additionally, adversaries may use certutil to Base64 encode collected data before exfiltration.
Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1560.001 | Archive via Utility |
Comments
Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), enhances cybersecurity defenses by enabling faster, real-time detection of Archive via Utility exploits. This integrated solution strengthens CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain, all while minimizing system performance impact.
Archive via Utility techniques involve adversaries using common system utilities (such as Windows’ built-in compression tools) to archive or compress files, often to evade detection or exfiltrate sensitive data. These actions are commonly used to obfuscate malicious files or prepare for the delivery of large amounts of stolen data. Intel TDT plays a crucial role in identifying these threats by providing real-time telemetry on program execution, memory access, and control flow, enabling rapid detection of abnormal behaviors, such as suspicious archive or compression utility activity that could indicate data exfiltration or malicious file manipulation.
Additionally, CAMS offloads the memory scanning workload from the CPU to the Intel Integrated GPU, allowing for faster, more efficient detection of malicious activity without degrading system performance. CAMS helps identify suspicious behaviors, such as the unauthorized use of compression or archive utilities for evading detection or preparing exfiltration, providing proactive defense against these evasive techniques.
References
|