An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib.Detection: Compression software and compressed files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known compression utilities. This may yield a significant amount of benign events, depending on how systems in the environment are typically used.
If the communications channel is unencrypted, compressed files can be detected in transit during exfiltration with a network intrusion detection or data loss prevention system analyzing file headers. (Citation: Wikipedia File Header Signatures)
Platforms: Linux, macOS, Windows
Data Sources: File monitoring, Binary file metadata, Process command-line parameters, Process monitoring
Requires Network: No
TODO
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| input_file | Path that should be compressed into our output file | Path | C:* |
| output_file | Path where resulting compressed data should be placed | Path | C:\test\Data.zip |
dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
TODO
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| input_file | Path that should be compressed into our output file | Path | *.docx |
| output_file | Path where resulting compressed data should be placed | Path | exfilthis.rar |
rar a -r #{output_file} #{input_file}
TODO
Supported Platforms: Linux, macOS
mkdir /tmp/victim-files
cd /tmp/victim-files
touch a b c d e f g
echo "This file will be gzipped" > /tmp/victim-gzip.txt
echo "This file will be tarred" > /tmp/victim-tar.txt
zip /tmp/victim-files.zip /tmp/victim-files/*
gzip -f /tmp/victim-gzip.txt
tar -cvzf /tmp/victim-files.tar.gz /tmp/victim-files/
tar -cvzf /tmp/victim-tar.tar.gz