

Investigate if the file was transferred to an attacker-controlled server. If the password is not available, and the format is `.zip` or the option used in WinRAR is not the `-hp`, list theįile names included in the encrypted file. Decrypt the `.rar`/`.zip` and check if the information is sensitive. Check if the password used in the encryption was included in the command line.


Investigate other alerts related to the user/host in the last 48 hours. Investigate the script execution chain (parent process tree). These steps are usually done in preparation for exfiltration, meaning the attack may be in its final stages. Encryption can be used to hide information that isīeing exfiltrated from detection or make exfiltration less apparent upon inspection by a defender. Compressing the data can help obfuscate theĬollected data and minimize the amount of data sent over the network. # Investigating Encrypting Files with WinRar or 7zĪttackers may compress and/or encrypt data collected before exfiltration.
