Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip. Other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over Command and Control Channel and Exfiltration Over Alternative Protocol.
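The artifacts this technique leaves behind are recognisable on disk or in a captured upload: a zip entry with the general-purpose encryption bit set, a 7z or RAR container by signature, and `gpg -c` output, which always opens with an OpenPGP Symmetric-Key Encrypted Session Key packet (tag 3) or, when armored, with a PGP MESSAGE header. The classifier below is an added example for the detection side (it is not Atomic Red Team's code and not part of this page); the samples it scans are constructed in-line, and the label strings and function names are the example's own.

```python
"""Classify a blob as one of the encrypted-container shapes this technique
produces, so a DLP hook or forensic triage script can flag it. Added example."""
import io
import struct
import zipfile

SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"      # 7-Zip signature
RAR_MAGIC = b"Rar!\x1a\x07"                 # shared prefix of RAR4 (+\x00) and RAR5 (+\x01\x00)
PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"  # gpg -c --armor output
ZIP_LOCAL = b"PK\x03\x04"                   # zip local file header signature
ZIP_LOCAL_FMT = "<4sHHHHHIIIHH"             # the fixed 30-byte local file header
ZIP_FLAG_ENCRYPTED = 0x0001                 # general-purpose bit 0: entry is encrypted
ZIP_FLAG_DESCRIPTOR = 0x0008                # sizes live in a trailing data descriptor
OPENPGP_TAG_SKESK = 3                       # Symmetric-Key Encrypted Session Key (RFC 4880)


def openpgp_packet_tag(first_byte: int):
    """Tag encoded in an OpenPGP packet header byte, or None if it is not one."""
    if first_byte & 0x80 == 0:
        return None
    if first_byte & 0x40:              # new-format header: tag in the low 6 bits
        return first_byte & 0x3F
    return (first_byte >> 2) & 0x0F    # old-format header: tag in bits 5..2


def zip_has_encrypted_entry(data: bytes) -> bool:
    """True if any entry carries the encryption flag. The central directory is
    used when the archive is complete; otherwise the local headers are walked,
    since the flag is stored in both places."""
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            return any(info.flag_bits & ZIP_FLAG_ENCRYPTED for info in zf.infolist())
    off = 0
    while data.startswith(ZIP_LOCAL, off) and off + 30 <= len(data):
        (_, _, flags, _, _, _, _, csize, _, nlen, elen) = struct.unpack_from(ZIP_LOCAL_FMT, data, off)
        if flags & ZIP_FLAG_ENCRYPTED:
            return True
        if flags & ZIP_FLAG_DESCRIPTOR:  # compressed size unknown here; stop walking
            break
        off += 30 + nlen + elen + csize
    return False


def classify(data: bytes) -> str:
    """Name the container; 7z/RAR password use needs a deeper header parse."""
    if data.startswith(SEVENZIP_MAGIC):
        return "7z"
    if data.startswith(RAR_MAGIC):
        return "rar"
    if data.startswith(PGP_ARMOR):
        return "openpgp-symmetric"
    # A binary gpg -c message starts with an SKESK packet; a public-key message
    # would start with tag 1 instead. Arbitrary binaries can collide on one byte,
    # so pair this with file-name or process context in a real rule.
    if data and openpgp_packet_tag(data[0]) == OPENPGP_TAG_SKESK:
        return "openpgp-symmetric"
    if data.startswith(ZIP_LOCAL):
        return "zip-encrypted" if zip_has_encrypted_entry(data) else "zip-plain"
    return "unknown"


def build_samples() -> dict:
    """Constructed inputs for the demo (not real exfiltration artifacts)."""
    plain = io.BytesIO()
    with zipfile.ZipFile(plain, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("a.txt", "not secret")
    plain = plain.getvalue()
    # Mark the same archive as encrypted: set bit 0 in the local header (offset 6)
    # and in the central directory entry (offset 8 past its PK\x01\x02 signature).
    marked = bytearray(plain)
    cd = marked.find(b"PK\x01\x02")
    marked[6] |= ZIP_FLAG_ENCRYPTED
    marked[cd + 8] |= ZIP_FLAG_ENCRYPTED
    # A lone local header with the flag set and no central directory, as a
    # truncated upload would look; exercises the fallback walker.
    truncated = struct.pack(ZIP_LOCAL_FMT, ZIP_LOCAL, 20, ZIP_FLAG_ENCRYPTED,
                            0, 0, 0, 0, 5, 5, 5, 0) + b"b.txt" + b"\x00" * 5
    return {
        "zip-plain": plain,
        "zip-marked": bytes(marked),
        "zip-truncated": truncated,
        "7z": SEVENZIP_MAGIC + b"\x00\x04" + b"\x00" * 24,
        "rar5": RAR_MAGIC + b"\x01\x00" + b"\x00" * 8,
        "gpg-binary": bytes([0x8C, 0x0D, 0x04, 0x09, 0x03]) + b"\x00" * 11,
        "gpg-armor": PGP_ARMOR + b"\n\nhQ...\n",
    }


def scan_samples() -> dict:
    """Run the classifier over every constructed sample."""
    return {name: classify(blob) for name, blob in build_samples().items()}


if __name__ == "__main__":
    for name, label in scan_samples().items():
        print(f"{name:14} -> {label}")
```

The zip check is exact because the encryption flag is part of the format; for 7z and RAR the signature only names the container, since a `-p` password shows up as an AES coder inside the 7z header and RAR `-hp` encrypts the headers themselves, so a downstream rule has to parse or fall back on process context. The OpenPGP byte check is deliberately narrow (tag 3 only) so that public-key encrypted mail, which starts with tag 1, is not mislabeled as this technique.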
- Atomic Test #2 - Compress Data and lock with password for Exfiltration with winrar
- Atomic Test #3 - Compress Data and lock with password for Exfiltration with winzip
- Atomic Test #4 - Compress Data and lock with password for Exfiltration with 7zip
Encrypt data for exfiltration

Supported Platforms: macOS, Linux

```bash
mkdir /tmp/victim-files
cd /tmp/victim-files
touch a b c d e f g
echo "creating zip with password 'insert password here'"
zip --password "insert password here" ./victim-files.zip ./*
echo "encrypting file with gpg, you will need to provide a password"
gpg -c /tmp/victim-files/victim-files.zip
#<enter passphrase and confirm>
ls -l
rm -Rf /tmp/victim-files
```
Note: Requires winrar installation

Variant: `rar a -p"blue" hello.rar`

Supported Platforms: Windows

```cmd
mkdir .\tmp\victim-files
cd .\tmp\victim-files
echo "This file will be encrypted" > .\encrypted_file.txt
rar a -hp"blue" hello.rar
dir
```
Note: Requires winzip installation

Variant: `wzzip sample.zip -s"blueblue" *.txt`

Supported Platforms: Windows

Inputs:

| Name | Description | Type | Default Value |
|---|---|---|---|
| winzip_exe | Path to installed WinZip executable | Path | %ProgramFiles%\WinZip\winzip64.exe |
| winzip_url | URL to download the WinZip installer | url | https://download.winzip.com/gl/nkln/winzip24-home.exe |
| winzip_hash | File hash of the WinZip installer | String | B59DB592B924E963C21DA8709417AC0504F6158CFCB12FE5536F4A0E0D57D7FB |

Attack commands (cmd):

```cmd
path=%path%;"C:\Program Files (x86)\winzip"
mkdir .\tmp\victim-files
cd .\tmp\victim-files
echo "This file will be encrypted" > .\encrypted_file.txt
"#{winzip_exe}" -min -a -s"hello" archive.zip *
dir
```

Dependency check (cmd):

```cmd
cmd /c 'if not exist "#{winzip_exe}" (echo 1) else (echo 0)'
```

Get prerequisite (powershell):

```powershell
if(Invoke-WebRequestVerifyHash "#{winzip_url}" "$env:Temp\winzip.exe" #{winzip_hash}){
  Write-Host Follow the installation prompts to continue
  cmd /c "$env:Temp\winzip.exe"
}
```
Note: Requires 7zip installation

Supported Platforms: Windows

```powershell
mkdir $PathToAtomicsFolder\T1022\victim-files
cd $PathToAtomicsFolder\T1022\victim-files
echo "This file will be encrypted" > .\encrypted_file.txt
7z a archive.7z -pblue
dir
```
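When the archive itself never reaches a sensor, the other observable these four tests produce is the command line of the archiver: rar with `-p`/`-hp`, 7z with `-p`, WinZip with `-s`, zip with `--password`, and `gpg -c`. The rule set below is an added example (not Atomic Red Team's code) that evaluates process-creation records against those switches and stays quiet on extraction and on unencrypted archive creation. The events are constructed to mirror the test commands above, and the `host`/`image`/`cmdline` field names are the example's own convention rather than any particular log schema.

```python
"""Flag process-creation events whose command line creates a password-
protected archive or a symmetrically encrypted file. Added example."""
import re

# Constructed events in the shape a Sysmon EventID 1 or auditd exporter might
# emit; the host/image/cmdline field names are this example's own choice.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Program Files\WinRAR\rar.exe",
     "cmdline": 'rar a -hp"blue" hello.rar'},
    {"host": "ws01", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": "7z a archive.7z -pblue"},
    {"host": "ws02", "image": r"C:\Program Files\WinZip\winzip64.exe",
     "cmdline": 'winzip64.exe -min -a -s"hello" archive.zip *'},
    {"host": "srv03", "image": "/usr/bin/zip",
     "cmdline": 'zip --password "insert password here" ./victim-files.zip ./*'},
    {"host": "srv03", "image": "/usr/bin/gpg",
     "cmdline": "gpg -c /tmp/victim-files/victim-files.zip"},
    # benign look-alikes that must not fire
    {"host": "srv03", "image": "/usr/bin/zip",
     "cmdline": "zip backup.zip notes.txt"},
    {"host": "ws02", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": "7z x archive.7z"},
]

# (executable-name pattern, command-line pattern, finding). rar and 7z are only
# matched on their 'a' (add) command so that extraction with a password is not
# reported as archive creation; -hp is listed before -p so header encryption wins.
RULES = [
    (r"^(win)?rar(\.exe)?$", r"(^|\s)a\s(.*\s)?-hp", "rar: archive with encrypted headers (-hp)"),
    (r"^(win)?rar(\.exe)?$", r"(^|\s)a\s(.*\s)?-p", "rar: password-protected archive (-p)"),
    (r"^7z[ag]?(\.exe)?$", r"(^|\s)a\s(.*\s)?(-p|-mhe)", "7z: password-protected archive (-p/-mhe)"),
    (r"^(winzip64|winzip|wzzip)(\.exe)?$", r"\s-s\S", "winzip: password-protected archive (-s)"),
    (r"^zip$", r"--password|\s-P\s|\s-e(\s|$)", "zip: password-protected archive (-P/-e/--password)"),
    (r"^gpg2?(\.exe)?$", r"(^|\s)(-c|--symmetric)(\s|$)", "gpg: symmetric encryption (-c)"),
]
COMPILED = [(re.compile(img, re.I), re.compile(cmd), why) for img, cmd, why in RULES]


def basename(image: str) -> str:
    """Last path component regardless of separator style, lower-cased."""
    return re.split(r"[\\/]", image)[-1].lower()


def evaluate(events):
    """One finding per event that matches a rule; the first rule that matches
    an event wins, so rar -hp is reported as header encryption, not plain -p."""
    findings = []
    for ev in events:
        name = basename(ev["image"])
        for img_re, cmd_re, why in COMPILED:
            if img_re.match(name) and cmd_re.search(ev["cmdline"]):
                findings.append({"host": ev["host"], "finding": why, "cmdline": ev["cmdline"]})
                break
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['finding']}  <- {f['cmdline']}")
```

Matching on the executable's base name rather than its full path keeps the rules working when the tool is copied to a user-writable directory, and anchoring the archiver rules on the `a` command keeps ordinary extraction of a password-protected download out of the alert stream. In practice this kind of finding is most useful when correlated with what happens next on the same host, such as a large outbound transfer shortly after the archive is written.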