An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib.
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses the built-in PowerShell Compress-Archive cmdlet to zip a directory tree.
Supported Platforms: Windows
Input Arguments:
Name | Description | Type | Default Value |
---|---|---|---|
input_file | Path (file or directory) that should be compressed into the output file | Path | $env:USERPROFILE |
output_file | Path where the resulting compressed data should be placed | Path | $env:USERPROFILE\data.zip |
Attack Commands (PowerShell):
dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
Cleanup Commands (PowerShell):
Remove-Item -path #{output_file}
With the default arguments this enumerates and zips the entire user profile, so the run can take a long time and produce a large archive; point input_file at a small test directory when exercising the test.
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses the WinRAR command-line tool (Rar.exe) to build a RAR archive recursively (`a` adds to an archive, `-r` recurses into subdirectories).
Supported Platforms: Windows
Input Arguments:
Name | Description | Type | Default Value |
---|---|---|---|
input_path | Path that should be compressed into our output file | Path | %USERPROFILE% |
file_extension | Extension of files to compress | String | .txt |
output_file | Path where the resulting compressed data should be placed | Path | %USERPROFILE%\data.rar |
rar_installer | WinRAR installer | Path | %TEMP%\winrar.exe |
rar_exe | The RAR executable from WinRAR | Path | %programfiles%/WinRAR/Rar.exe |
Attack Commands (command prompt):
"#{rar_exe}" a -r #{output_file} #{input_path} *#{file_extension}
Cleanup Commands (command prompt):
del #{output_file}
Dependency: Rar.exe must exist at #{rar_exe}. Check (command prompt; a non-zero exit means the prerequisite is missing):
if not exist "#{rar_exe}" (exit /b 1)
Get prerequisite (command prompt):
echo Downloading Winrar installer
bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer}
echo Follow the installer prompts to install Winrar
#{rar_installer}
The download is pinned to one specific 64-bit WinRAR build (winrar-x64-580.exe), and the installer is interactive, so this dependency step cannot complete unattended.
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression.
Supported Platforms: Linux, macOS
Input Arguments:
Name | Description | Type | Default Value |
---|---|---|---|
input_files | Path that should be compressed into our output file, may include wildcards | Path | $HOME/*.txt |
output_file | Path that should be output as a zip archive | Path | $HOME/data.zip |
Attack Commands (sh):
zip #{output_file} #{input_files}
Cleanup Commands (sh):
rm -f #{output_file}
Dependency: files matching #{input_files} must exist. Check (sh):
ls #{input_files}
If the check fails:
echo Please set input_files argument to include files that exist
Because the wildcard in input_files is expanded by the shell, the argument must stay unquoted in the attack command; if nothing matches, zip reports "Nothing to do" and creates no archive.
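Detection on the defensive side should not depend on the file name, since nothing stops an adversary from staging data.zip as report.txt. The following POSIX sh script is an added example, not part of the Atomic Red Team test or the project: it classifies files by their leading bytes and sweeps a directory for archives regardless of extension. It covers the ZIP and RAR outputs of the Windows tests above as well as the zip, gzip and tar.gz outputs of the Linux/macOS tests. It needs only sh, od, find and printf; the sample files it creates (`make_samples`) are constructed for the demo and are not real archives beyond their signatures.

```shell
#!/bin/sh
# Added example, not part of the Atomic Red Team test: identify archives by
# their leading bytes instead of their file extension, so an archive an
# adversary staged as "report.txt" is still found. Needs only POSIX sh, od,
# find and printf. Sample files below are constructed for the demo.

# Print the first $2 bytes of file $1 as a lowercase hex string.
head_hex() {
    od -An -tx1 -N "$2" "$1" | tr -d ' \n'
}

# Classify a file by signature. Prints: zip gzip rar rar5 7z bzip2 xz none
archive_type() {
    hex=$(head_hex "$1" 8)
    case "$hex" in
        504b0304*|504b0506*|504b0708*) echo zip ;;    # "PK" local header / empty / spanned
        1f8b*)                          echo gzip ;;  # also covers .tgz / .tar.gz
        526172211a0700*)                echo rar ;;   # "Rar!\x1a\x07\x00" (RAR 4.x)
        526172211a0701*)                echo rar5 ;;  # "Rar!\x1a\x07\x01\x00" (RAR 5.x)
        377abcaf271c*)                  echo 7z ;;
        425a68*)                        echo bzip2 ;;
        fd377a585a00*)                  echo xz ;;
        *)                              echo none ;;
    esac
}

# Walk directory $1 and print "type<TAB>path" for every file whose content is
# an archive, regardless of its name.
find_archives() {
    find "$1" -type f -print | while IFS= read -r f; do
        t=$(archive_type "$f")
        [ "$t" = none ] && continue
        printf '%s\t%s\n' "$t" "$f"
    done
}

# Build a constructed sample tree under $1: a gzip header and two archive
# signatures hidden behind harmless extensions, plus a plain text file.
make_samples() {
    d=$1/docs
    mkdir -p "$d"
    printf 'confidential sample text\n'  > "$d/notes.txt"    # not an archive
    printf '\037\213\010\000'            > "$d/notes.gz"     # gzip magic + deflate method byte
    printf 'PK\003\004'                  > "$d/report.txt"   # ZIP local-file header, wrong extension
    printf 'Rar!\032\007\000'            > "$d/cache.dat"    # RAR 4.x signature, wrong extension
    printf 'Rar!\032\007\001\000'        > "$d/cache5.dat"   # RAR 5.x signature
}

# Demo: sh find_archives.sh --demo
if [ "${1-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_samples "$tmp"
    find_archives "$tmp"
    rm -rf "$tmp"
fi
```

Running it with `--demo` lists four hits (gzip, zip, rar, rar5) and ignores notes.txt. Pointing `find_archives` at a home directory or a web root after one of the tests above gives the same view a forensic triage would want: what on disk is actually an archive, not what is merely named like one.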
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression on a single file.
Supported Platforms: Linux, macOS
Input Arguments:
Name | Description | Type | Default Value |
---|---|---|---|
input_file | Path that should be compressed | Path | $HOME/victim-gzip.txt |
input_content | Contents written to input_file if it does not already exist; the default contains a test credit card number and a test social security number | String | confidential! SSN: 078-05-1120 - CCN: 4000 1234 5678 9101 |
Attack Commands (sh):
test -e #{input_file} && gzip -k #{input_file} || (echo '#{input_content}' >> #{input_file}; gzip -k #{input_file})
Cleanup Commands (sh):
rm -f #{input_file}.gz
The -k (keep) flag leaves the original file in place next to the new .gz, so the cleanup removes only the archive; if the test created input_file itself, that file remains after cleanup. gzip -k requires GNU gzip 1.6 or later (older versions reject the option), and a leftover .gz from a previous run makes gzip refuse to overwrite it, so run the cleanup before repeating the test.
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses tar with gzip compression on a whole folder.
Supported Platforms: Linux, macOS
Input Arguments:
Name | Description | Type | Default Value |
---|---|---|---|
input_file_folder | Path that should be compressed | Path | $HOME/$USERNAME |
output_file | File that should be output | Path | $HOME/data.tar.gz |
Attack Commands (sh):
tar -cvzf #{output_file} #{input_file_folder}
Cleanup Commands (sh):
rm -f #{output_file}
Dependency: the folder #{input_file_folder} must exist. Check (sh):
test -e #{input_file_folder}
If the check fails:
echo Please set input_file_folder argument to a folder that exists
If $USERNAME is not set (on Linux the conventional variable is $USER), the default expands to $HOME/, the check passes, and the whole home directory is archived, with the output file landing inside the tree being archived. Set input_file_folder to a small directory explicitly.
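The gzip test above and the tar.gz test just described share one operational problem: with default arguments they touch the real home directory. The following POSIX sh script is an added example, not part of the Atomic Red Team tests or the project; it runs the same two techniques against constructed victim data in a throw-away directory, verifies what each produced with the archiver's own integrity check, and removes only the artifacts the tests created. It assumes gzip with `-k` (GNU gzip 1.6 or later) and a tar that accepts `-czf`/`-tzf` (GNU tar or bsdtar); the file names and placeholder contents in `stage_input` are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not part of the Atomic Red Team tests: run the gzip (single
# file) and tar.gz (folder) tests against constructed input in a throw-away
# directory, verify what each produced, and clean up. Assumes gzip with -k
# (GNU gzip 1.6+) and a tar that accepts -czf/-tzf (GNU tar or bsdtar).

# Stage constructed victim data under $1 (never under $HOME). Contents are
# placeholders, not real identifiers.
stage_input() {
    d=$1
    mkdir -p "$d/input_folder/sub"
    printf 'confidential! SSN: 000-00-0000 - CCN: 0000 0000 0000 0000\n' > "$d/victim-gzip.txt"
    printf 'quarterly numbers\n' > "$d/input_folder/report.txt"
    printf 'ssh config stub\n'   > "$d/input_folder/sub/config"
}

# gzip test: compress $1 in place, keeping the original (-k) as the page's
# command does. -f overwrites a stale .gz left by an earlier run, which plain
# gzip would refuse. Returns non-zero if the archive fails gzip's own check.
run_gzip_test() {
    f=$1
    test -e "$f" || { echo "missing input file: $f" >&2; return 1; }
    gzip -k -f "$f" || return 1
    gzip -t "$f.gz"
}

# tar.gz test: archive folder $1 into $2. The archive is written outside the
# folder and paths are made relative to its parent, so tar never tries to
# read its own output and the member names do not leak the full path.
run_targz_test() {
    folder=$1 out=$2
    test -d "$folder" || { echo "missing input folder: $folder" >&2; return 1; }
    ( cd "$(dirname "$folder")" && tar -czf "$out" "$(basename "$folder")" ) || return 1
    tar -tzf "$out" >/dev/null
}

# Number of regular-file members in a .tar.gz (directory entries end in /).
targz_file_count() {
    tar -tzf "$1" | grep -v '/$' | wc -l | tr -d ' '
}

# Remove only the artifacts the tests created, mirroring the cleanup commands.
cleanup_artifacts() {
    for p in "$@"; do rm -f "$p"; done
}

# Run the whole cycle in a temp dir; prints a summary and removes everything.
run_all() {
    tmp=$(mktemp -d) || return 1
    stage_input "$tmp"
    run_gzip_test "$tmp/victim-gzip.txt" \
        && echo "gzip ok: $(wc -c < "$tmp/victim-gzip.txt.gz" | tr -d ' ') bytes"
    run_targz_test "$tmp/input_folder" "$tmp/data.tar.gz" \
        && echo "tar.gz ok: $(targz_file_count "$tmp/data.tar.gz") files archived"
    cleanup_artifacts "$tmp/victim-gzip.txt.gz" "$tmp/data.tar.gz"
    rm -rf "$tmp"
}

# Demo: sh run_archive_tests.sh --demo
if [ "${1-}" = "--demo" ]; then
    run_all
fi
```

Writing the tar.gz output outside the folder being archived is a deliberate departure from the page's default argument values, where data.tar.gz sits under $HOME while $HOME is the input; the member count check (two regular files in the constructed tree) is the kind of post-condition a test harness should record alongside the raw "exit 0" of the attack command.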