T1560

Archive Collected Data

Adversaries may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender. Both compression and encryption are done prior to exfiltration and can be performed using a utility, third-party library, or custom method. Common tools include 7-Zip, WinRAR, the Windows built-in compact and certutil utilities, PowerShell Compress-Archive and .NET IO.Compression classes, and tar/gzip/openssl on Linux and macOS. Threat actors including Dragonfly, Lazarus Group, Ember Bear, BlackByte, and Axiom have all used archiving and encryption as a pre-exfiltration staging step. Sub-techniques cover archive via utility (T1560.001), archive via library (T1560.002), and archive via custom method (T1560.003).

Microsoft Sentinel / Defender

kusto

let ArchiveUtilities = dynamic(["7z.exe", "7za.exe", "7zr.exe", "rar.exe", "winrar.exe"]);
let SuspiciousParents = dynamic(["winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "mshta.exe", "wscript.exe", "cscript.exe", "mmc.exe", "regsvr32.exe", "rundll32.exe"]);
// Detection 1: Password-protected archives — strongest indicator of pre-exfiltration data staging
let PasswordProtectedArchive = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (ArchiveUtilities)
| where ProcessCommandLine has "-hp"
      or ProcessCommandLine has_any ("-pass", "-password")
      or ProcessCommandLine matches regex @"\s+-p\S"
| extend DetectionType = "Password-Protected Archive", RiskLevel = "High";
// Detection 2: Archive utilities spawned by Office apps or scripting engines (macro/script-based staging)
let SuspiciousParentArchive = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (ArchiveUtilities)
| where InitiatingProcessFileName in~ (SuspiciousParents)
| extend DetectionType = "Archive via Suspicious Parent Process", RiskLevel = "High";
// Detection 3: PowerShell compression using .NET classes (custom staging or library-based archiving)
let PSCompression = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("Compress-Archive", "IO.Compression.ZipFile", "IO.Compression.GZipStream", "System.IO.Compression", "ZipArchive", "DeflateStream", "GZipStream")
| extend DetectionType = "PowerShell .NET Compression", RiskLevel = "Medium";
// Detection 4: certutil base64 encoding — encodes binary blobs for text-channel or clipboard exfiltration
let CertutilEncoding = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "certutil.exe"
| where ProcessCommandLine has_any ("-encode", "-decode", "-encodehex")
| extend DetectionType = "CertUtil Base64 Encoding", RiskLevel = "Medium";
// Combine all detections
union PasswordProtectedArchive, SuspiciousParentArchive, PSCompression, CertutilEncoding
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         DetectionType, RiskLevel
| sort by Timestamp desc

medium severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT backup and archiving jobs (Veeam, Acronis, custom scripts) that use 7-Zip or WinRAR with passwords to protect backup archives
Software release pipelines packaging artifacts into password-protected zip files for deployment
DBA scripts compressing and encrypting database exports or log files before offsite transfer
certutil legitimately used by PKI administrators to encode/decode certificate files (.cer, .p7b) for transport
PowerShell-based software deployment tools (SCCM, Intune, Ansible) using Compress-Archive to bundle installation packages

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\7z.exe" OR Image="*\\7za.exe" OR Image="*\\7zr.exe" OR Image="*\\rar.exe" OR Image="*\\winrar.exe"
   OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\certutil.exe")
| eval CommandLineLower=lower(CommandLine)
| eval IsArchiveTool=if(match(Image, "(?i)(7z[ar]?\.exe|rar\.exe|winrar\.exe)$"), 1, 0)
| eval PasswordProtected=if(IsArchiveTool=1 AND (match(CommandLineLower, "\s-hp") OR match(CommandLineLower, "-pass") OR match(CommandLineLower, "\s-p\S")), 1, 0)
| eval SuspiciousParent=if(IsArchiveTool=1 AND match(lower(ParentImage), "(?i)(winword|excel|outlook|powerpnt|mshta|wscript|cscript|mmc|regsvr32|rundll32)\.exe$"), 1, 0)
| eval PSCompression=if(match(Image, "(?i)(powershell|pwsh)\.exe$") AND match(CommandLineLower, "(compress-archive|io\.compression|zipfile|gzipstream|deflatestream|ziparchive)"), 1, 0)
| eval CertutilEncode=if(match(Image, "(?i)certutil\.exe$") AND match(CommandLineLower, "(-encode|-decode|-encodehex)"), 1, 0)
| eval SuspicionScore=PasswordProtected + SuspiciousParent + PSCompression + CertutilEncode
| where SuspicionScore > 0
| eval DetectionType=case(
    PasswordProtected=1, "Password-Protected Archive",
    SuspiciousParent=1, "Archive via Suspicious Parent",
    PSCompression=1, "PowerShell .NET Compression",
    CertutilEncode=1, "CertUtil Encoding",
    true(), "Archive Activity")
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionType, SuspicionScore
| sort - _time

medium severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT backup jobs using 7-Zip or WinRAR with passwords to protect backup archives — typically run under service accounts from task scheduler
Software CI/CD pipelines packaging release artifacts into protected archives — typically a known build agent account spawning the archive tool
DBA or DevOps scripts compressing and encrypting database exports before offsite transfer
certutil legitimately used by PKI admins encoding certificate files; adjust with allowlist of known admin accounts
PowerShell deployment automation (SCCM, Intune, Chocolatey) using Compress-Archive to bundle payloads

Elastic Security (EQL)

eql

process where event.type == "start" and
(
  (
    process.name : ("7z.exe", "7za.exe", "7zr.exe", "rar.exe", "winrar.exe") and
    process.command_line : ("* -hp*", "* -pass*", "* -password*", "* -p?*")
  ) or
  (
    process.name : ("7z.exe", "7za.exe", "7zr.exe", "rar.exe", "winrar.exe") and
    process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe",
                            "mshta.exe", "wscript.exe", "cscript.exe",
                            "mmc.exe", "regsvr32.exe", "rundll32.exe")
  ) or
  (
    process.name : ("powershell.exe", "pwsh.exe") and
    process.command_line : ("*Compress-Archive*", "*IO.Compression.ZipFile*",
                            "*IO.Compression.GZipStream*", "*System.IO.Compression*",
                            "*ZipArchive*", "*DeflateStream*", "*GZipStream*")
  ) or
  (
    process.name : "certutil.exe" and
    process.command_line : ("*-encode*", "*-decode*", "*-encodehex*")
  )
)

high severity high confidence

Data Sources

Elastic Endpoint Security (endpoint.events.process) Winlogbeat with Sysmon (winlog.event_data, EventCode 1) Elastic Agent with Windows integration

Required Tables

logs-endpoint.events.process-* logs-windows.sysmon_operational-* winlogbeat-*

False Positives

Legitimate enterprise backup software (Acronis, Veeam, BackupExec) that invokes 7-Zip or RAR with password-protected archives as part of scheduled backup jobs — baseline by parent process and scheduled task context
IT deployment pipelines (SCCM, Ansible, Chocolatey) that use PowerShell Compress-Archive to bundle software packages before distribution — correlate with known software deployment service accounts
Security certificate management workflows where certutil.exe is used to encode PEM/DER certificates for transport — validate against known PKI infrastructure hosts and service accounts
Developer CI/CD pipelines invoking 7-Zip from build scripts with passwords to protect release artifacts — these may appear as child processes of scripting engines but originate from build agents

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  username,
  "Process Name" AS process_name,
  "Process Command Line" AS command_line,
  "Parent Process Name" AS parent_process,
  CASE
    WHEN LOWER("Process Name") LIKE ANY ('%\\7z.exe', '%\\7za.exe', '%\\7zr.exe', '%\\rar.exe', '%\\winrar.exe')
         AND (LOWER("Process Command Line") LIKE '% -hp%'
              OR LOWER("Process Command Line") LIKE '%-pass%'
              OR LOWER("Process Command Line") LIKE '%-password%')
      THEN 'Password-Protected Archive'
    WHEN LOWER("Process Name") LIKE ANY ('%\\7z.exe', '%\\7za.exe', '%\\7zr.exe', '%\\rar.exe', '%\\winrar.exe')
         AND LOWER("Parent Process Name") LIKE ANY ('%\\winword.exe', '%\\excel.exe', '%\\outlook.exe',
              '%\\powerpnt.exe', '%\\mshta.exe', '%\\wscript.exe', '%\\cscript.exe',
              '%\\mmc.exe', '%\\regsvr32.exe', '%\\rundll32.exe')
      THEN 'Archive via Suspicious Parent'
    WHEN LOWER("Process Name") LIKE ANY ('%\\powershell.exe', '%\\pwsh.exe')
         AND (LOWER("Process Command Line") LIKE '%compress-archive%'
              OR LOWER("Process Command Line") LIKE '%io.compression%'
              OR LOWER("Process Command Line") LIKE '%gzipstream%'
              OR LOWER("Process Command Line") LIKE '%deflatestream%'
              OR LOWER("Process Command Line") LIKE '%ziparchive%')
      THEN 'PowerShell .NET Compression'
    WHEN LOWER("Process Name") LIKE '%\\certutil.exe'
         AND (LOWER("Process Command Line") LIKE '%-encode%'
              OR LOWER("Process Command Line") LIKE '%-encodehex%')
      THEN 'CertUtil Encoding'
    ELSE 'Suspicious Archive Activity'
  END AS detection_type
FROM events
WHERE
  devicetime > NOW() - 86400000
  AND (
    (
      LOWER("Process Name") LIKE ANY ('%\\7z.exe', '%\\7za.exe', '%\\7zr.exe', '%\\rar.exe', '%\\winrar.exe')
      AND (
        LOWER("Process Command Line") LIKE '% -hp%'
        OR LOWER("Process Command Line") LIKE '%-pass%'
        OR LOWER("Process Command Line") LIKE '%-password%'
        OR LOWER("Parent Process Name") LIKE ANY (
          '%\\winword.exe', '%\\excel.exe', '%\\outlook.exe', '%\\powerpnt.exe',
          '%\\mshta.exe', '%\\wscript.exe', '%\\cscript.exe',
          '%\\mmc.exe', '%\\regsvr32.exe', '%\\rundll32.exe'
        )
      )
    )
    OR (
      LOWER("Process Name") LIKE ANY ('%\\powershell.exe', '%\\pwsh.exe')
      AND (
        LOWER("Process Command Line") LIKE '%compress-archive%'
        OR LOWER("Process Command Line") LIKE '%io.compression%'
        OR LOWER("Process Command Line") LIKE '%gzipstream%'
        OR LOWER("Process Command Line") LIKE '%deflatestream%'
        OR LOWER("Process Command Line") LIKE '%ziparchive%'
      )
    )
    OR (
      LOWER("Process Name") LIKE '%\\certutil.exe'
      AND (
        LOWER("Process Command Line") LIKE '%-encode%'
        OR LOWER("Process Command Line") LIKE '%-encodehex%'
      )
    )
  )
ORDER BY devicetime DESC

high severity high confidence

Data Sources

Sysmon log source (EventCode 1 — Process Create) forwarded to QRadar Windows Security Event Log (EventID 4688 with Process Command Line auditing enabled) Microsoft Windows Security Event Log DSM

Required Tables

events (QRadar normalized event store) Sysmon DSM log source with Process Name, Process Command Line, Parent Process Name fields parsed

False Positives

Automated patch management systems (WSUS, ManageEngine, Ivanti) that use PowerShell Compress-Archive to bundle patches before deployment — verify against known patching service accounts and scheduled maintenance windows
Enterprise DLP or CASB tooling that invokes CertUtil to encode files during content inspection workflows — cross-reference log source IP against known DLP infrastructure
Password-protected archive creation by end users for legitimate file sharing via email or file transfer portals — high volume on specific hosts during business hours with consistent users suggests non-malicious activity

Sumo Logic CSE

sql

_sourceCategory=*windows/sysmon* OR _sourceCategory=*sysmon*
| where EventCode="1"
| eval image_lc=toLowerCase(Image)
| eval cmdline_lc=toLowerCase(CommandLine)
| eval parent_lc=toLowerCase(ParentImage)
| where (image_lc matches "*\\7z.exe" OR image_lc matches "*\\7za.exe" OR image_lc matches "*\\7zr.exe"
         OR image_lc matches "*\\rar.exe" OR image_lc matches "*\\winrar.exe"
         OR image_lc matches "*\\powershell.exe" OR image_lc matches "*\\pwsh.exe"
         OR image_lc matches "*\\certutil.exe")
| eval is_archive=if(image_lc matches "*\\7z.exe" OR image_lc matches "*\\7za.exe" OR image_lc matches "*\\7zr.exe"
         OR image_lc matches "*\\rar.exe" OR image_lc matches "*\\winrar.exe", 1, 0)
| eval password_protected=if(is_archive=1 AND (cmdline_lc contains " -hp" OR cmdline_lc contains "-pass" OR cmdline_lc contains "-password"), 1, 0)
| eval suspicious_parent=if(is_archive=1 AND (parent_lc matches "*\\winword.exe" OR parent_lc matches "*\\excel.exe"
         OR parent_lc matches "*\\outlook.exe" OR parent_lc matches "*\\powerpnt.exe"
         OR parent_lc matches "*\\mshta.exe" OR parent_lc matches "*\\wscript.exe"
         OR parent_lc matches "*\\cscript.exe" OR parent_lc matches "*\\mmc.exe"
         OR parent_lc matches "*\\regsvr32.exe" OR parent_lc matches "*\\rundll32.exe"), 1, 0)
| eval ps_compression=if((image_lc matches "*\\powershell.exe" OR image_lc matches "*\\pwsh.exe")
         AND (cmdline_lc contains "compress-archive" OR cmdline_lc contains "io.compression"
              OR cmdline_lc contains "gzipstream" OR cmdline_lc contains "deflatestream"
              OR cmdline_lc contains "ziparchive"), 1, 0)
| eval certutil_encode=if(image_lc matches "*\\certutil.exe"
         AND (cmdline_lc contains "-encode" OR cmdline_lc contains "-encodehex"), 1, 0)
| where password_protected=1 OR suspicious_parent=1 OR ps_compression=1 OR certutil_encode=1
| eval DetectionType=if(password_protected=1, "Password-Protected Archive",
    if(suspicious_parent=1, "Archive via Suspicious Parent",
    if(ps_compression=1, "PowerShell .NET Compression",
    if(certutil_encode=1, "CertUtil Encoding", "Suspicious Archive Activity"))))
| fields _time, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionType
| sort by _time desc

high severity high confidence

Data Sources

Sysmon Operational logs (EventCode 1) shipped via Sumo Logic Collector or OpenTelemetry Windows Event Collector forwarding to Sumo Logic with Sysmon source category Sumo Logic Cloud-to-Cloud Windows Event source

Required Tables

_sourceCategory matching *windows/sysmon* or *sysmon* with EventCode=1 events Parsed Sysmon fields: Image, CommandLine, ParentImage, ParentCommandLine, User, Computer

False Positives

IT staff using 7-Zip via scripted deployment tools (PDQ Deploy, Ansible) where the parent chain includes mmc.exe or wscript.exe — validate against known admin workstations and change management records
PowerShell-based log archival scripts that compress old log files using Compress-Archive — corroborate with scheduled task ancestry and predictable destination paths under system directories
CertUtil used legitimately for certificate enrollment or PKCS operations in environments with active PKI — whitelist specific host roles (CA servers, PKI workstations) and correlate with certificate management change tickets

Google Chronicle / SecOps

yaral

rule t1560_archive_collected_data {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1560 Archive Collected Data - password-protected archive creation, Office/script spawned archivers, PowerShell .NET compression, and CertUtil encoding used as pre-exfiltration data staging"
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1560"
    mitre_attack_subtechniques = "T1560.001, T1560.002, T1560.003"
    severity = "HIGH"
    risk_score = "75"
    reference = "https://attack.mitre.org/techniques/T1560/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      (
        re.regex($e.target.process.file.full_path, `(?i)(7z[ar]?\.exe|rar\.exe|winrar\.exe)$`) and
        (
          re.regex($e.target.process.command_line, `(?i)\s-hp`) or
          strings.contains(strings.to_lower($e.target.process.command_line), "-pass") or
          strings.contains(strings.to_lower($e.target.process.command_line), "-password")
        )
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)(7z[ar]?\.exe|rar\.exe|winrar\.exe)$`) and
        re.regex($e.principal.process.file.full_path, `(?i)(winword|excel|outlook|powerpnt|mshta|wscript|cscript|mmc|regsvr32|rundll32)\.exe$`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)(powershell|pwsh)\.exe$`) and
        (
          strings.contains(strings.to_lower($e.target.process.command_line), "compress-archive") or
          strings.contains(strings.to_lower($e.target.process.command_line), "io.compression") or
          strings.contains(strings.to_lower($e.target.process.command_line), "gzipstream") or
          strings.contains(strings.to_lower($e.target.process.command_line), "deflatestream") or
          strings.contains(strings.to_lower($e.target.process.command_line), "ziparchive")
        )
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)certutil\.exe$`) and
        (
          strings.contains(strings.to_lower($e.target.process.command_line), "-encode") or
          strings.contains(strings.to_lower($e.target.process.command_line), "-encodehex")
        )
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle UDM ingestion from Microsoft Defender for Endpoint (MDE) via Chronicle connector Sysmon EventCode 1 logs forwarded to Chronicle via Bindplane or direct forwarder Windows Security EventID 4688 with process command line auditing enabled

Required Tables

UDM events table with metadata.event_type = PROCESS_LAUNCH target.process.file.full_path and target.process.command_line fields populated principal.process.file.full_path populated for parent process context

False Positives

Automated certificate renewal processes on IIS or Exchange servers where certutil.exe performs encoding as part of certificate export workflows — scope the rule to exclude known certificate server hostnames or service account principals
Legitimate macro-enabled Office documents used in HR or Finance that call authorized PowerShell backup scripts for local archive creation — build allowlists on specific document hashes or trusted OU paths in principal.user.department
Red team or penetration testing exercises using the same archive tooling against authorized targets — cross-reference with planned engagement windows from a reference list or suppress by authorized tester accounts

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| FileName = /(7z\.exe|7za\.exe|7zr\.exe|rar\.exe|winrar\.exe|powershell\.exe|pwsh\.exe|certutil\.exe)/i
| IsArchiveTool := FileName = /(7z\.exe|7za\.exe|7zr\.exe|rar\.exe|winrar\.exe)/i
| PasswordProtected := IsArchiveTool = true AND CommandLine = /(\s-hp|-pass(word)?|\s-p\S)/i
| SuspiciousParent := IsArchiveTool = true AND ParentBaseFileName = /(winword|excel|outlook|powerpnt|mshta|wscript|cscript|mmc|regsvr32|rundll32)\.exe/i
| PSCompression := FileName = /(powershell|pwsh)\.exe/i AND CommandLine = /(Compress-Archive|IO\.Compression|GZipStream|DeflateStream|ZipArchive)/i
| CertutilEncode := FileName = /certutil\.exe/i AND CommandLine = /(-encode|-decode|-encodehex)/i
| PasswordProtected = true OR SuspiciousParent = true OR PSCompression = true OR CertutilEncode = true
| DetectionType := case {
    PasswordProtected = true => "Password-Protected Archive";
    SuspiciousParent = true => "Archive via Suspicious Parent";
    PSCompression = true => "PowerShell .NET Compression";
    CertutilEncode = true => "CertUtil Encoding";
    * => "Suspicious Archive Activity"
  }
| select([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, DetectionType])
| sort(timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Data Replicator (FDR) — ProcessRollup2 events Falcon sensor process telemetry via CrowdStrike Streaming API LogScale Falcon integration with #event_simpleName field routing

Required Tables

ProcessRollup2 events (#event_simpleName=ProcessRollup2) Fields required: FileName, CommandLine, ParentBaseFileName, ComputerName, UserName, timestamp

False Positives

Falcon sensor telemetry from automated backup agents (e.g., Commvault, Veeam) running under SYSTEM or dedicated backup service accounts that create password-protected 7-Zip archives nightly — add an exclusion by UserName for known backup service accounts combined with a scheduled-hours filter
PowerShell DSC (Desired State Configuration) or Azure Automation runbooks that use System.IO.Compression for MOF file packaging during configuration push operations — these typically originate from known automation account names and consistent parent process trees
CertUtil invocations on domain controllers or PKI servers performing routine certificate issuance and encoding as part of ADCS workflows — scope exclusions to specific ComputerName patterns matching CA infrastructure hostnames

Last updated: 2026-04-14 Research depth: deep

References (13)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1560 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Archive Collected Data

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (3)

Same Tactic: Collection

Popular Detections