T1560.001

Archive via Utility

Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier or more secure to transport. Adversaries may abuse utilities such as 7-Zip, WinRAR, WinZip, tar, zip, and Windows built-ins like makecab/diantz and certutil to stage data for exfiltration. Password-protected archives are a common indicator as they prevent inspection by security tools. Threat actors including HAFNIUM, APT1, APT33, Volt Typhoon, Mustang Panda, menuPass, and Wizard Spider are documented using this technique.

Microsoft Sentinel / Defender

kusto

let ArchiveTools = dynamic(["7z.exe", "7za.exe", "7zr.exe", "rar.exe", "winrar.exe", "winzip32.exe", "winzip64.exe", "zip.exe", "makecab.exe", "diantz.exe", "xcopy.exe"]);
let SuspiciousFlags = dynamic(["-p", "-hp", "a -", " a ", "-r ", "-v", "password", "-ep", "-ep2", "-ep3"]);
let SensitivePaths = dynamic(["\\ntds", "\\lsass", "\\sam", "\\system", "\\security", "\\users\\", "\\documents", "\\desktop", "\\appdata", "c:\\windows\\temp", "c:\\programdata", "\\inetpub"]);
union
(
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName in~ (ArchiveTools)
    | where ProcessCommandLine has_any (SuspiciousFlags) or ProcessCommandLine has_any (SensitivePaths)
    | extend PasswordProtected = ProcessCommandLine has_any ("-p", "-hp", "password")
    | extend TargetsSensitivePath = ProcessCommandLine has_any (SensitivePaths)
    | extend MultiVolume = ProcessCommandLine has_any ("-v", "-v1", "-v2", "-v500", "-v1000")
    | extend OutputToTemp = ProcessCommandLine has_any ("\\temp\\", "\\tmp\\", "\\programdata\\", "\\appdata\\")
    | extend DetectionSource = "ArchiveTool"
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
             InitiatingProcessFileName, InitiatingProcessCommandLine,
             PasswordProtected, TargetsSensitivePath, MultiVolume, OutputToTemp, DetectionSource
),
(
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName =~ "certutil.exe"
    | where ProcessCommandLine has_any ("-encode", "-encodehex", "/encode", "/encodehex")
    | extend PasswordProtected = false
    | extend TargetsSensitivePath = ProcessCommandLine has_any (SensitivePaths)
    | extend MultiVolume = false
    | extend OutputToTemp = ProcessCommandLine has_any ("\\temp\\", "\\tmp\\", "\\programdata\\")
    | extend DetectionSource = "CertutilEncode"
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
             InitiatingProcessFileName, InitiatingProcessCommandLine,
             PasswordProtected, TargetsSensitivePath, MultiVolume, OutputToTemp, DetectionSource
),
(
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName =~ "makecab.exe" or FileName =~ "diantz.exe"
    | where ProcessCommandLine !contains "windows\\ " and ProcessCommandLine !contains "system32\\"
    | extend PasswordProtected = false
    | extend TargetsSensitivePath = ProcessCommandLine has_any (SensitivePaths)
    | extend MultiVolume = false
    | extend OutputToTemp = ProcessCommandLine has_any ("\\temp\\", "\\tmp\\", "\\programdata\\")
    | extend DetectionSource = "CabinetTool"
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
             InitiatingProcessFileName, InitiatingProcessCommandLine,
             PasswordProtected, TargetsSensitivePath, MultiVolume, OutputToTemp, DetectionSource
)
| sort by Timestamp desc

medium severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

System administrators using 7-Zip or WinRAR for legitimate backup or file transfer operations
Backup software agents (Veeam, Commvault, Acronis) that invoke archive utilities as part of scheduled backup jobs
Software packaging tools and CI/CD pipelines that compress build artifacts before deployment
IT operations compressing log files or diagnostic data for vendor support cases
makecab.exe invoked by Windows Update, software installers, and MSI packages as part of normal installation routines

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
| eval Image=lower(Image), CommandLine=lower(CommandLine)
| eval IsArchiveTool=if(match(Image, "(7z\.exe|7za\.exe|7zr\.exe|rar\.exe|winrar\.exe|winzip32\.exe|winzip64\.exe|makecab\.exe|diantz\.exe|zip\.exe)"), 1, 0)
| eval IsCertutilEncode=if(match(Image, "certutil\.exe") AND match(CommandLine, "(-encode|-encodehex|/encode|/encodehex)"), 1, 0)
| where IsArchiveTool=1 OR IsCertutilEncode=1
| eval PasswordProtected=if(match(CommandLine, "(-p\s|-hp\s|password)"), 1, 0)
| eval TargetsSensitivePath=if(match(CommandLine, "(ntds|lsass|\\\\sam|\\\\users\\\\|\\\\documents|\\\\desktop|\\\\appdata)"), 1, 0)
| eval MultiVolume=if(match(CommandLine, "(-v\d|-v\s)"), 1, 0)
| eval OutputToTemp=if(match(CommandLine, "(\\\\temp\\\\|\\\\tmp\\\\|\\\\programdata\\\\|\\\\appdata\\\\)"), 1, 0)
| eval SuspicionScore=PasswordProtected + TargetsSensitivePath + MultiVolume + OutputToTemp
| eval DetectionSource=case(
    IsCertutilEncode=1, "CertutilEncode",
    match(Image, "(makecab|diantz)"), "CabinetTool",
    1=1, "ArchiveTool"
  )
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, PasswordProtected, TargetsSensitivePath, MultiVolume, OutputToTemp, SuspicionScore, DetectionSource
| sort - _time

medium severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

System administrators using 7-Zip or WinRAR for legitimate backup or file transfer operations
Backup software agents (Veeam, Commvault, Acronis) that invoke archive utilities as child processes
Software packaging tools and CI/CD pipelines that compress build artifacts before deployment
IT operations compressing log files or diagnostic data for vendor support cases
makecab.exe invoked by Windows Update and MSI installers during normal software installation

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  "Image" AS process_image,
  "CommandLine" AS command_line,
  "ParentImage" AS parent_image,
  CASE
    WHEN LOWER("CommandLine") MATCHES '.*(-p\s|-hp\s|password).*' THEN 1 ELSE 0
  END AS password_protected,
  CASE
    WHEN LOWER("CommandLine") MATCHES '.*(ntds|lsass|\\sam|\\users\\|\\documents|\\desktop|\\appdata|inetpub).*' THEN 1 ELSE 0
  END AS targets_sensitive_path,
  CASE
    WHEN LOWER("CommandLine") MATCHES '.*(-v\d+|-v\s).*' THEN 1 ELSE 0
  END AS multi_volume,
  CASE
    WHEN LOWER("CommandLine") MATCHES '.*(\\temp\\|\\tmp\\|\\programdata\\|\\appdata\\).*' THEN 1 ELSE 0
  END AS output_to_temp
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 296)
  AND "EventID" IN ('1', '4688')
  AND (
    (
      LOWER("Image") MATCHES '.*(7z\.exe|7za\.exe|7zr\.exe|rar\.exe|winrar\.exe|winzip32\.exe|winzip64\.exe|makecab\.exe|diantz\.exe|zip\.exe)$'
      AND (
        LOWER("CommandLine") MATCHES '.*(-p\s|-hp\s|password|\sa\s|-r\s|-v\d|-ep).*'
        OR LOWER("CommandLine") MATCHES '.*(ntds|lsass|\\sam|\\users\\|documents|desktop|appdata|inetpub).*'
      )
    )
    OR (
      LOWER("Image") MATCHES '.*certutil\.exe$'
      AND LOWER("CommandLine") MATCHES '.*(-encode|-encodehex|\/encode|\/encodehex).*'
    )
  )
  AND DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') > DATEADD('hour', -24, NOW())
ORDER BY devicetime DESC
LIMIT 500

high severity high confidence

Data Sources

Microsoft Windows Security Event Log (EventID 4688) Sysmon via Windows Event Log (EventID 1) QRadar DSM for Windows

Required Tables

events

False Positives

Automated backup jobs run by IT operations using 7-Zip to compress and archive data to network shares or temp locations
Software development build systems using makecab or diantz to package installation cabinet files for distribution
System administrators using certutil -encode for certificate management or legitimate file encoding operations

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| where EventID in ("1", "4688")
| parse field=CommandLine "*" as command_line nodrop
| parse field=Image "*" as image_path nodrop
| eval image_lower = toLowerCase(image_path)
| eval cmd_lower = toLowerCase(command_line)
| where (
    (
      image_lower matches "*(7z.exe|7za.exe|7zr.exe|rar.exe|winrar.exe|winzip32.exe|winzip64.exe|makecab.exe|diantz.exe|zip.exe)"
      and (
        cmd_lower matches "*-p *" or cmd_lower matches "*-hp *" or cmd_lower contains "password"
        or cmd_lower matches "* a " or cmd_lower matches "*-r " or cmd_lower matches "*-v*"
        or cmd_lower matches "*-ep*"
        or cmd_lower contains "ntds" or cmd_lower contains "lsass"
        or cmd_lower contains "\\users\\" or cmd_lower contains "\\documents"
        or cmd_lower contains "\\desktop" or cmd_lower contains "\\appdata"
        or cmd_lower contains "inetpub"
      )
    )
    or (
      image_lower matches "*certutil.exe"
      and (
        cmd_lower contains "-encode" or cmd_lower contains "-encodehex"
        or cmd_lower contains "/encode" or cmd_lower contains "/encodehex"
      )
    )
    or (
      (image_lower matches "*makecab.exe" or image_lower matches "*diantz.exe")
      and not (cmd_lower contains "windows\\" or cmd_lower contains "system32\\")
    )
  )
| eval password_protected = if(cmd_lower matches "*(-p |/-hp |password)*", 1, 0)
| eval targets_sensitive_path = if(
    cmd_lower contains "ntds" or cmd_lower contains "lsass" or cmd_lower contains "\\sam"
    or cmd_lower contains "\\users\\" or cmd_lower contains "\\documents"
    or cmd_lower contains "\\desktop" or cmd_lower contains "\\appdata", 1, 0)
| eval multi_volume = if(cmd_lower matches "*-v[0-9]*", 1, 0)
| eval output_to_temp = if(
    cmd_lower contains "\\temp\\" or cmd_lower contains "\\tmp\\"
    or cmd_lower contains "\\programdata\\" or cmd_lower contains "\\appdata\\", 1, 0)
| eval suspicion_score = password_protected + targets_sensitive_path + multi_volume + output_to_temp
| eval detection_source = if(image_lower matches "*certutil.exe", "CertutilEncode",
    if(image_lower matches "*(makecab|diantz).exe", "CabinetTool", "ArchiveTool"))
| fields _messageTime, Computer, User, image_path, command_line, ParentImage, ParentCommandLine,
         password_protected, targets_sensitive_path, multi_volume, output_to_temp,
         suspicion_score, detection_source
| sort by _messageTime desc

high severity high confidence

Data Sources

Sysmon (Microsoft-Windows-Sysmon/Operational) Windows Security Event Log Sumo Logic Windows Collection Agent

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

Enterprise backup solutions using 7-Zip or WinRAR with password protection to archive user documents to network shares as part of data protection policies
DevOps CI/CD pipelines invoking makecab or diantz to package Windows software installers, particularly in directories matching the suspicious path patterns
PKI administrators using certutil -encode to base64-encode certificate files or PKCS bundles for distribution to endpoints

Google Chronicle / SecOps

yaral

rule t1560_001_archive_via_utility {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects use of archive utilities and certutil encoding for data staging prior to exfiltration (T1560.001)"
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1560.001"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1560/001/"
    created = "2026-04-13"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.file.full_path = $proc_path
    $e.target.process.command_line = $cmdline

    (
      (
        re.regex($e.target.process.file.full_path,
          `(?i)(7z\.exe|7za\.exe|7zr\.exe|rar\.exe|winrar\.exe|winzip32\.exe|winzip64\.exe|makecab\.exe|diantz\.exe|zip\.exe)$`
        )
        and
        (
          re.regex($e.target.process.command_line,
            `(?i)(-p\s|-hp\s|password|\sa\s|-r\s|-v\d|-ep[23]?)`
          )
          or
          re.regex($e.target.process.command_line,
            `(?i)(\\ntds|\\lsass|\\sam|\\users\\|\\documents|\\desktop|\\appdata|\\inetpub)`
          )
        )
      )
      or
      (
        re.regex($e.target.process.file.full_path, `(?i)certutil\.exe$`)
        and
        re.regex($e.target.process.command_line,
          `(?i)(-encode|-encodehex|\/encode|\/encodehex)`
        )
      )
      or
      (
        re.regex($e.target.process.file.full_path, `(?i)(makecab\.exe|diantz\.exe)$`)
        and
        not re.regex($e.target.process.command_line, `(?i)(windows\\\\|system32\\\\)`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM via Forwarder (Windows Event Logs, Sysmon) Chronicle Endpoint Detection (CrowdStrike, Carbon Black, SentinelOne ingestion)

Required Tables

UDM Events (PROCESS_LAUNCH)

False Positives

Legitimate enterprise backup automation using WinRAR or 7-Zip with password-protected archives to protect backup integrity stored in ProgramData or AppData directories
Software packaging workflows on build servers where makecab or diantz compress application files to paths not under Windows/System32 but still benign
Security operations tooling or forensic software that uses certutil -encode to prepare files for analysis or transfer

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(7z\.exe|7za\.exe|7zr\.exe|rar\.exe|winrar\.exe|winzip32\.exe|winzip64\.exe|makecab\.exe|diantz\.exe|zip\.exe|certutil\.exe)$/
| CommandLine != ""
| eval IsArchiveTool = if(ImageFileName =~ /(?i)(7z\.exe|7za\.exe|7zr\.exe|rar\.exe|winrar\.exe|winzip32\.exe|winzip64\.exe|zip\.exe)$/, true, false)
| eval IsCertutil = if(ImageFileName =~ /(?i)certutil\.exe$/, true, false)
| eval IsCabinetTool = if(ImageFileName =~ /(?i)(makecab|diantz)\.exe$/, true, false)
| eval PasswordProtected = if(CommandLine =~ /(?i)(-p\s|-hp\s|password)/, 1, 0)
| eval TargetsSensitivePath = if(CommandLine =~ /(?i)(\\ntds|\\lsass|\\sam|\\users\\|\\documents|\\desktop|\\appdata|\\inetpub)/, 1, 0)
| eval MultiVolume = if(CommandLine =~ /(?i)-v\d/, 1, 0)
| eval OutputToTemp = if(CommandLine =~ /(?i)(\\temp\\|\\tmp\\|\\programdata\\|\\appdata\\)/, 1, 0)
| eval CertutilEncode = if(IsCertutil and CommandLine =~ /(?i)(-encode|-encodehex|\/encode|\/encodehex)/, 1, 0)
| eval ArchiveWithFlags = if(IsArchiveTool and (CommandLine =~ /(?i)(\sa\s|-r\s|-v\d|-ep[23]?|-p\s|-hp\s|password)/ or TargetsSensitivePath = 1), 1, 0)
| eval CabinetSuspicious = if(IsCabinetTool and CommandLine !~ /(?i)(windows\\|system32\\)/, 1, 0)
| where ArchiveWithFlags = 1 OR CertutilEncode = 1 OR CabinetSuspicious = 1
| eval SuspicionScore = PasswordProtected + TargetsSensitivePath + MultiVolume + OutputToTemp
| eval DetectionSource = if(CertutilEncode = 1, "CertutilEncode", if(CabinetSuspicious = 1, "CabinetTool", "ArchiveTool"))
| table [@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, PasswordProtected, TargetsSensitivePath, MultiVolume, OutputToTemp, SuspicionScore, DetectionSource]
| sort @timestamp desc

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Detection (ProcessRollup2 events) CrowdStrike Falcon LogScale / Humio

Required Tables

ProcessRollup2

False Positives

Authorized backup agents using 7-Zip or WinRAR with password protection to encrypt and compress endpoint data to local staging directories before cloud upload
Windows system maintenance routines invoking makecab or diantz to compress log or diagnostic files outside of System32 paths, such as in ProgramData subdirectories
IT provisioning scripts using certutil -encode to prepare binary payloads or certificates for deployment via GPO or endpoint management tools

Last updated: 2026-04-13 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1560.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Archive via Utility

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Collection

Popular Detections