Archive Collected Data - T1560
(ATT&CK® Technique)
Definition
An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
D3FEND Inferred Relationships
Artifacts created by the offensive technique:
Archive Collected Data (T1560) creates Archive File
Archive Collected Data (T1560) creates Custom Archive File

Defensive techniques related through those artifacts (each applies to both Archive File and Custom Archive File):
Decoy File: spoofs the artifact; may-deceive T1560
File Integrity Monitoring: analyzes the artifact; may-detect T1560
File Eviction: deletes the artifact; may-evict T1560
Local File Permissions: restricts the artifact; may-isolate T1560
Restore File: restores the artifact; may-restore T1560
File Encryption: encrypts the artifact; may-harden T1560
File Analysis: analyzes the artifact; may-detect T1560
Remote File Access Mediation: isolates the artifact; may-isolate T1560