attack-pattern--143c0cbb-a297-4142-9624-87ffc778980b.json
{
"created": "2020-02-20T21:09:55.995Z",
"modified": "2020-03-25T22:48:14.605Z",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"type": "attack-pattern",
"id": "attack-pattern--143c0cbb-a297-4142-9624-87ffc778980b",
"description": "An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ciphers implemented with no external library or utility references. Custom implementations of well-known compression algorithms have also been used.(Citation: ESET Sednit Part 2)",
"name": "Archive via Custom Method",
"created_by_ref": "The MITRE Corporation",
"external_references": [
{
"source_name": "mitre-attack",
"external_id": "T1560.003",
"url": "https://attack.mitre.org/techniques/T1560/003"
},
{
"url": "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf",
"description": "ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.",
"source_name": "ESET Sednit Part 2"
}
],
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_detection": "Custom archival methods can be very difficult to detect, since many of them use standard programming-language constructs, such as bitwise operations, and reference no external library or utility that could be flagged on its own.",
"x_mitre_is_subtechnique": true,
"x_mitre_version": "1.0"
}