Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport. Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such astaron Linux and macOS orzipon Windows systems. On Windows,diantzormakecabmay be used to package collected files into a cabinet (.cab) file.diantzmay also be used to download and compress files from remote locations (i.e. [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002)).(Citation: diantz.exe_lolbas)xcopyon Windows can copy files and directories with a variety of options. Additionally, adversaries may use [certutil](https://attack.mitre.org/software/S0160) to Base64 encode collected data before exfiltration. Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)
Atomic Test #2 - Compress Data and lock with password for Exfiltration with winrar
Atomic Test #3 - Compress Data and lock with password for Exfiltration with winzip
Atomic Test #4 - Compress Data and lock with password for Exfiltration with 7zip
Atomic Test #9 - Encrypts collected data with AES-256 and Base64
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. When the test completes you should find the txt files from the %USERPROFILE% directory compressed in a file called T1560.001-data.rar in the %USERPROFILE% directory
Supported Platforms: Windows
auto_generated_guid: 02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0
| Name | Description | Type | Default Value | |——|————-|——|—————| | input_path | Path that should be compressed into our output file | path | %USERPROFILE%| | file_extension | Extension of files to compress | string | .txt| | output_file | Path where resulting compressed data should be placed | path | %USERPROFILE%\T1560.001-data.rar| | rar_installer | Winrar installer | path | %TEMP%\winrar.exe| | rar_exe | The RAR executable from Winrar | path | %programfiles%/WinRAR/Rar.exe|
1
command_prompt
"#{rar_exe}" a -r #{output_file} #{input_path}\*#{file_extension}
del /f /q /s #{output_file} >nul 2>&1
1
command_prompt
if not exist "#{rar_exe}" (exit /b 1)
echo Downloading Winrar installer
bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer}
#{rar_installer} /S
Note: Requires winrar installation rar a -p”blue” hello.rar (VARIANT)
Supported Platforms: Windows
auto_generated_guid: 8dd61a55-44c6-43cc-af0c-8bdda276860c
| Name | Description | Type | Default Value | |——|————-|——|—————| | rar_installer | Winrar installer | path | %TEMP%\winrar.exe| | rar_exe | The RAR executable from Winrar | path | %programfiles%/WinRAR/Rar.exe|
1
command_prompt
mkdir .\tmp\victim-files
cd .\tmp\victim-files
echo "This file will be encrypted" > .\encrypted_file.txt
"#{rar_exe}" a -hp"blue" hello.rar
dir
1
command_prompt
if not exist "#{rar_exe}" (exit /b 1)
echo Downloading Winrar installer
bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer}
#{rar_installer} /S
Note: Requires winzip installation wzzip sample.zip -s”blueblue” *.txt (VARIANT)
Supported Platforms: Windows
auto_generated_guid: 01df0353-d531-408d-a0c5-3161bf822134
| Name | Description | Type | Default Value | |——|————-|——|—————| | winzip_exe | Path to installed Winzip executable | path | %ProgramFiles%\WinZip\winzip64.exe| | winzip_url | Path to download Windows Credential Editor zip file | url | https://download.winzip.com/gl/nkln/winzip24-home.exe| | winzip_hash | File hash of the Windows Credential Editor zip file | string | B59DB592B924E963C21DA8709417AC0504F6158CFCB12FE5536F4A0E0D57D7FB|
1
command_prompt
path=%path%;"C:\Program Files (x86)\winzip"
mkdir .\tmp\victim-files
cd .\tmp\victim-files
echo "This file will be encrypted" > .\encrypted_file.txt
"#{winzip_exe}" -min -a -s"hello" archive.zip *
dir
1
powershell
1
cmd /c 'if not exist "#{winzip_exe}" (echo 1) else (echo 0)'
1
2
3
4
5
6
IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing)
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
if(Invoke-WebRequestVerifyHash "#{winzip_url}" "PathToAtomicsFolder\..\ExternalPayloads\winzip.exe" #{winzip_hash}){
Write-Host Follow the installation prompts to continue
cmd /c "PathToAtomicsFolder\..\ExternalPayloads\winzip.exe"
}
Note: This test requires 7zip installation
Supported Platforms: Windows
auto_generated_guid: d1334303-59cb-4a03-8313-b3e24d02c198
| Name | Description | Type | Default Value | |——|————-|——|—————| | 7zip_installer | 7zip installer | path | %TEMP%\7zip.exe| | 7zip_exe | Path to installed 7zip executable | path | %ProgramFiles%\7-zip\7z.exe|
1
command_prompt
mkdir $PathToAtomicsFolder\T1560.001\victim-files
cd $PathToAtomicsFolder\T1560.001\victim-files
echo "This file will be encrypted" > .\encrypted_file.txt
"#{7zip_exe}" u archive.7z *txt -pblue
dir
rmdir /s /Q $PathToAtomicsFolder\T1560.001\victim-files >nul 2>&1
1
command_prompt
if not exist "#{7zip_exe}" (exit /b 1)
echo Downloading 7-zip installer
bitsadmin /transfer myDownloadJob /download /priority normal "https://www.7-zip.org/a/7z2301-x64.exe" #{7zip_installer}
#{7zip_installer} /S
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression.
Supported Platforms: Linux, macOS
auto_generated_guid: c51cec55-28dd-4ad2-9461-1eacbc82c3a0
| Name | Description | Type | Default Value | |——|————-|——|—————| | input_files | Path that should be compressed into our output file, may include wildcards | path | /var/log/{w,b}tmp| | output_file | Path that should be output as a zip archive | path | $HOME/data.zip|
1
sh
1
zip #{output_file} #{input_files}
1
rm -f #{output_file}
1
sh
1
if [ $(ls #{input_files} | wc -l) > 0 ] && [ -x $(which zip) ] ; then exit 0; else exit 1; fi;
1
2
(which yum && yum -y install epel-release zip)||(which apt-get && apt-get install -y zip)
echo Please set input_files argument to include files that exist
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
Supported Platforms: Linux, macOS
auto_generated_guid: cde3c2af-3485-49eb-9c1f-0ed60e9cc0af
| Name | Description | Type | Default Value | |——|————-|——|—————| | input_file | Path that should be compressed | path | $HOME/victim-gzip.txt| | input_content | contents of compressed files if file does not already exist. default contains test credit card and social security number | string | confidential! SSN: 078-05-1120 - CCN: 4000 1234 5678 9101|
1
sh
1
test -e #{input_file} && gzip -k #{input_file} || (echo '#{input_content}' >> #{input_file}; gzip -k #{input_file})
1
rm -f #{input_file}.gz
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
Supported Platforms: Linux, macOS
auto_generated_guid: 7af2b51e-ad1c-498c-aca8-d3290c19535a
| Name | Description | Type | Default Value | |——|————-|——|—————| | input_file_folder | Path that should be compressed | path | $HOME/$USERNAME| | output_file | File that should be output | path | $HOME/data.tar.gz|
1
sh
1
tar -cvzf #{output_file} #{input_file_folder}
1
rm -f #{output_file}
1
sh
1
test -e #{input_file_folder}
1
mkdir -p #{input_file_folder} && touch #{input_file_folder}/file1
Encrypt data for exiltration
Supported Platforms: Linux, macOS
auto_generated_guid: 0286eb44-e7ce-41a0-b109-3da516e05a5f
| Name | Description | Type | Default Value | |——|————-|——|—————| | test_folder | Path used to store files. | path | /tmp/T1560| | test_file | Temp file used to store encrypted data. | path | T1560| | encryption_password | Password used to encrypt data. | string | InsertPasswordHere|
1
sh
1
2
3
4
5
mkdir -p #{test_folder}
cd #{test_folder}; touch a b c d e f g
zip --password "#{encryption_password}" #{test_folder}/#{test_file} ./*
echo "#{encryption_password}" | gpg --batch --yes --passphrase-fd 0 --output #{test_folder}/#{test_file}.zip.gpg -c #{test_folder}/#{test_file}.zip
ls -l #{test_folder}
1
rm -Rf #{test_folder}
1
sh
1
if [ ! -x "$(command -v gpg)" ] || [ ! -x "$(command -v zip)" ]; then exit 1; fi;
1
(which pkg && pkg install -y gnupg zip)||(which yum && yum -y install epel-release zip gpg)||(which apt-get && apt-get install -y zip gpg)
An adversary may compress all the collected data, encrypt and send them to a C2 server using base64 encoding. This atomic test tries to emulate the behaviour of the FLEXIROOT backdoor to archive the collected data. FLEXIROOT typically utilizes AES encryption and base64 encoding to transfer the encrypted data to the C2 server. In this test, standard zip compression and the OpenSSL library are used to encrypt the compressed data. https://attack.mitre.org/versions/v7/software/S0267/
Supported Platforms: Linux, macOS
auto_generated_guid: a743e3a6-e8b2-4a30-abe7-ca85d201b5d3
| Name | Description | Type | Default Value | |——|————-|——|—————| | input_folder | Path to the folder used to store the test files | path | /tmp/t1560| | input_file | Name of the compressed and encrypted files | string | t1560_data| | enc_pass | Password used to encrypt the data | string | atomic_enc_pass|
1
bash
1
2
3
zip -r #{input_folder}/#{input_file}.zip #{input_folder}
openssl enc -aes-256-cbc -pass pass:#{enc_pass} -p -in #{input_folder}/#{input_file}.zip -out #{input_folder}/#{input_file}.enc
cat #{input_folder}/#{input_file}.enc | base64
1
rm -rf #{input_folder}
1
bash
1
if [ ! -d #{input_folder} ]; then exit 1; else exit 0; fi;
1
if [ ! -d #{input_folder} ]; then mkdir -p #{input_folder}; cd #{input_folder}; touch {a..z}.data; fi;
An adversary may edit the syslog config to remove the loghost in order to prevent or redirect logs being received by SIEM.
Supported Platforms: Windows
auto_generated_guid: 36c62584-d360-41d6-886f-d194654be7c2
| Name | Description | Type | Default Value | |——|————-|——|—————| | vm_host | Specify the host name of the ESXi Server | string | atomic.local| | plink_file | Path to Putty | path | PathToAtomicsFolder\..\ExternalPayloads\plink.exe| | username | Username used to log into ESXi | string | root| | password | password used to log into ESXI | string | n/a|
1
powershell
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
# Extract line with IP address from the syslog configuration output
#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1560.001\src\esxi_get_loghost.txt | findstr /r "[0-9]*\.[0-9]*\.[0-9]*\." > c:\temp\loghost.txt
# Replace the IP with "0"
#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1560.001\src\esxi_remove_loghost.txt
# Extract the IP from the line extracted from findstr
$inputFilePath = "c:\temp\loghost.txt"
$outputFilePath = "c:\temp\loghost_ip.txt"
$fileContent = Get-Content -Path $inputFilePath -Raw
if ([string]::IsNullOrWhiteSpace($fileContent)) {
Write-Host "The content is $fileContent"
Write-Host "The file is empty"
} else {
# Use a regular expression to extract IP addresses
$ipAddresses = [regex]::Matches($fileContent, '(udp|tcp):\/\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.*').Value
$output = "esxcli system syslog config set --loghost=" + $ipAddresses
$output | Out-File -FilePath $outputFilePath -Encoding ascii
Write-Host "IP addresses extracted and saved to $outputFilePath"
}
1
2
3
4
5
# Re-add the initially extracted IP
#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m c:\temp\loghost_ip.txt
rm c:\temp\loghost_ip.txt
rm c:\temp\loghost.txt
1
powershell
1
if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
1
2
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"