T1560.001 Google Chronicle · YARA-L

Detect Archive via Utility in Google Chronicle

Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities can compress, encrypt, or otherwise package data into a format that is smaller or harder to inspect in transit. Adversaries abuse third-party tools such as 7-Zip, WinRAR, WinZip, tar and zip, as well as the Windows built-ins makecab/diantz (cabinet files) and certutil (Base64 and hex encoding), to stage data for exfiltration. Password protection is itself a useful indicator, since it defeats content inspection by antivirus and DLP tooling. Threat actors including HAFNIUM, APT1, APT33, Volt Typhoon, Mustang Panda, menuPass, and Wizard Spider are documented as using this technique.

MITRE ATT&CK

Tactic
Collection
Technique
T1560 Archive Collected Data
Sub-technique
T1560.001 Archive via Utility
Canonical reference
https://attack.mitre.org/techniques/T1560/001/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1560_001_archive_via_utility {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects use of archive utilities and certutil encoding for data staging prior to exfiltration (T1560.001)"
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1560.001"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1560/001/"
    created = "2026-04-13"

  events:
    // Single-event rule over process launches; no placeholders, so no match section is needed.
    $e.metadata.event_type = "PROCESS_LAUNCH"

    (
      // Branch 1: archive utility launched with password, recursion, multi-volume or
      // path-stripping switches, or pointed at a sensitive source path.
      (
        re.regex($e.target.process.file.full_path,
          `(?i)(7z\.exe|7za\.exe|7zr\.exe|rar\.exe|winrar\.exe|winzip32\.exe|winzip64\.exe|makecab\.exe|diantz\.exe|zip\.exe)$`
        )
        and
        (
          // 7-Zip and WinRAR take the password inline (-pSecret, -hpSecret) with no
          // separating space, so -p/-hp is matched followed by a non-space run; zip's
          // "-P secret" form is covered by the same term because (?i) is in effect.
          re.regex($e.target.process.command_line,
            `(?i)((^|\s)-h?p\S*|password|\sa\s|-r\s|-v\d|-ep[23]?)`
          )
          or
          // \b after sam keeps \samples and \samba paths out of the match.
          re.regex($e.target.process.command_line,
            `(?i)(\\ntds|\\lsass|\\sam\b|\\users\\|\\documents|\\desktop|\\appdata|\\inetpub)`
          )
        )
      )
      or
      // Branch 2: certutil used as a Base64/hex encoder.
      (
        re.regex($e.target.process.file.full_path, `(?i)certutil\.exe$`)
        and
        re.regex($e.target.process.command_line,
          `(?i)(-encode|-encodehex|\/encode|\/encodehex)`
        )
      )
      or
      // Branch 3: makecab/diantz whose command line names no Windows\ or System32\ path.
      // Backtick regex literals are raw strings, so a single escaped backslash (windows\\)
      // is the literal path separator; windows\\\\ would require two backslashes in the
      // command line and never match, which leaves the exclusion dead.
      (
        re.regex($e.target.process.file.full_path, `(?i)(makecab\.exe|diantz\.exe)$`)
        and
        not re.regex($e.target.process.command_line, `(?i)(windows\\|system32\\)`)
      )
    )

  condition:
    $e
}
Severity: HIGH · Confidence: HIGH

Chronicle YARA-L 2.0 rule detecting T1560.001 archive utility abuse. It matches PROCESS_LAUNCH events in which an archive tool (7z, rar, winrar, winzip, zip, makecab, diantz) is invoked with password, recursive, multi-volume or path-stripping switches or against a sensitive source path; in which certutil is invoked with an encoding switch; or in which makecab/diantz is run with a command line that references no Windows or System32 path. The three branches are joined with or, so any one of them produces a detection. Uses the UDM event model with the target.process fields of the launched process.

Data Sources

  • Google Chronicle UDM via Forwarder (Windows Event Logs, Sysmon)
  • Chronicle Endpoint Detection (CrowdStrike, Carbon Black, SentinelOne ingestion)

Required Tables

UDM Events (PROCESS_LAUNCH)

False Positives & Tuning

  • Enterprise backup jobs that run WinRAR or 7-Zip with password switches and write archives under ProgramData or AppData; allow-list these by parent process, service account and destination path rather than by tool name
  • Software packaging on build servers, where makecab or diantz compress application files under project directories outside Windows\ and System32\; the third branch fires on these by design, so scope it to the host groups where makecab is not part of the build
  • Security operations or forensic tooling that uses certutil -encode to prepare files for analysis or transfer
  • The third branch's exclusion tests the command line, not the image path, so makecab launches that name any Windows\ path (staging to C:\Windows\Temp, as in test 4 below, or invocation by the full C:\Windows\System32\makecab.exe path) are suppressed there and are detected only if the first branch matches on a switch or a sensitive source path; narrowing the exclusion to Windows\Logs\CBS, where component servicing compresses its logs with makecab, recovers those cases
  • The \users\ path term means any 7-Zip or WinRAR add command run against a user profile fires, including users zipping their own files; tune on the destination (removable media, C:\Windows\Temp, ProgramData) and on the -p/-hp switches before weakening the term


Testing Methodology

Validate this detection with the four Atomic Red Team tests below. Each lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: 7-Zip Password-Protected Archive of User Documents

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Program Files\7-Zip\7z.exe, CommandLine containing '-p' (password flag), input path in user Documents, output path in C:\Windows\Temp. Sysmon Event ID 11: FileCreate for C:\Windows\Temp\staged_data.zip. Security Event ID 4688 if command line auditing is enabled.

  2. Test 2: WinRAR Multi-Volume Password-Protected Archive

    Expected signal: Sysmon Event ID 1: Process Create with Image containing rar.exe, CommandLine containing '-hp' (header password), '-v50m' (multi-volume 50MB), and output path in C:\ProgramData. Sysmon Event ID 11: FileCreate events for each archive volume (svc_backup.part1.rar, svc_backup.part2.rar, etc.).

  3. Test 3: certutil Base64 Encoding of Collected File

    Expected signal: Sysmon Event ID 1 (first): Process Create for the cmd.exe instance that writes collected_data.txt. Sysmon Event ID 11: FileCreate for collected_data.txt. Sysmon Event ID 1 (second): Process Create with Image=certutil.exe, CommandLine containing '-encode', the input file path, and the output file path. Sysmon Event ID 11: FileCreate for encoded_output.b64.

  4. Test 4: makecab Cabinet File Creation for Data Staging

    Expected signal: Sysmon Event ID 1: Process Create with Image=makecab.exe, CommandLine containing source file path and output .cab path in C:\Windows\Temp. Sysmon Event ID 11: FileCreate events for archive_output.cab, setup.inf, and setup.rpt (makecab side-effect files). Security Event ID 4688 if command line auditing enabled.
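To see which branch of the rule each of the four tests actually trips, and what the benign makecab case looks like, here is an added Python re-implementation of the rule's events block (example code written for this page, not Chronicle's or the rule author's; Python's re module accepts the RE2 syntax used by YARA-L). Hostnames, user names and file paths are constructed to mirror the expected signals above. The switch regex matches the inline -pSecret/-hpSecret form that 7-Zip and WinRAR use, and the branch-3 exclusion is written with a single escaped backslash (windows\\, system32\\), the form that matches a real Windows command line; both points are demonstrated on the samples.

```python
"""Reference evaluation of the t1560_001_archive_via_utility events block.

Added example for this page (not Chronicle's or the rule author's code): the
three YARA-L branches re-expressed with Python's re module, run over constructed
PROCESS_LAUNCH events shaped like the four tests in the Testing Methodology.
"""
import re
from typing import Dict, List

# Branch 1, image match: archive utilities named in the rule (anchored to end of path).
ARCHIVE_UTILS = re.compile(
    r"(?i)(7z\.exe|7za\.exe|7zr\.exe|rar\.exe|winrar\.exe|winzip32\.exe|"
    r"winzip64\.exe|makecab\.exe|diantz\.exe|zip\.exe)$")
# Branch 1, switch match: 7-Zip and WinRAR take the password inline (-pSecret, -hpSecret),
# so -p/-hp is matched followed by a non-space run; the rest mirrors the page's list.
ARCHIVE_FLAGS = re.compile(r"(?i)((?:^|\s)-h?p\S*|password|\sa\s|-r\s|-v\d|-ep[23]?)")
# The page's original switch regex, kept only to show what "-p\s" misses.
LEGACY_FLAGS = re.compile(r"(?i)(-p\s|-hp\s|password|\sa\s|-r\s|-v\d|-ep[23]?)")
# Branch 1, sensitive-path match; \b after sam keeps \samples and \samba out.
SENSITIVE_PATHS = re.compile(
    r"(?i)(\\ntds|\\lsass|\\sam\b|\\users\\|\\documents|\\desktop|\\appdata|\\inetpub)")
# Branch 2: certutil as a Base64/hex encoder.
CERTUTIL = re.compile(r"(?i)certutil\.exe$")
CERTUTIL_ENCODE = re.compile(r"(?i)(-encode|-encodehex|/encode|/encodehex)")
# Branch 3: makecab/diantz whose command line names no Windows\ or System32\ path.
# One escaped backslash is the literal separator; "windows\\\\" would need two and never match.
CAB_TOOLS = re.compile(r"(?i)(makecab\.exe|diantz\.exe)$")
OS_PATHS = re.compile(r"(?i)(windows\\|system32\\)")


def fired_branches(event: Dict[str, str]) -> List[str]:
    """Return every rule branch that matches one UDM-shaped event (the rule fires if any does)."""
    if event.get("metadata.event_type") != "PROCESS_LAUNCH":
        return []
    path = event.get("target.process.file.full_path", "")
    cmd = event.get("target.process.command_line", "")
    fired: List[str] = []
    if ARCHIVE_UTILS.search(path) and (ARCHIVE_FLAGS.search(cmd) or SENSITIVE_PATHS.search(cmd)):
        fired.append("archive_utility")
    if CERTUTIL.search(path) and CERTUTIL_ENCODE.search(cmd):
        fired.append("certutil_encode")
    if CAB_TOOLS.search(path) and not OS_PATHS.search(cmd):
        fired.append("makecab_outside_windows")
    return fired


def legacy_flag_miss(cmd: str) -> bool:
    """True when the corrected switch regex hits a command line that the original "-p\\s" form misses."""
    return ARCHIVE_FLAGS.search(cmd) is not None and LEGACY_FLAGS.search(cmd) is None


def launch(path: str, cmd: str) -> Dict[str, str]:
    """Minimal UDM-shaped PROCESS_LAUNCH event; hostname, paths and file names are constructed."""
    return {"metadata.event_type": "PROCESS_LAUNCH", "principal.hostname": "ws-lab-01",
            "target.process.file.full_path": path, "target.process.command_line": cmd}


# Constructed samples mirroring the expected signals of tests 1-4, plus benign and edge cases.
SAMPLE_EVENTS: Dict[str, Dict[str, str]] = {
    "test1_7zip": launch(r"C:\Program Files\7-Zip\7z.exe",
        r'"C:\Program Files\7-Zip\7z.exe" a -pS3cret C:\Windows\Temp\staged_data.zip C:\Users\alice\Documents'),
    "test2_winrar": launch(r"C:\Program Files\WinRAR\Rar.exe",
        r"Rar.exe a -hpS3cret -v50m C:\ProgramData\svc_backup.rar C:\Users\bob\Desktop"),
    "test3_certutil": launch(r"C:\Windows\System32\certutil.exe",
        r"certutil -encode C:\Users\carol\collected_data.txt C:\Users\carol\encoded_output.b64"),
    # Test 4 stages into C:\Windows\Temp, so the branch-3 exclusion suppresses it there;
    # only the \users\ source path in branch 1 produces the detection.
    "test4_makecab": launch(r"C:\Windows\System32\makecab.exe",
        r"makecab C:\Users\dave\Documents\finance.xlsx C:\Windows\Temp\archive_output.cab"),
    "makecab_user_temp": launch(r"C:\Windows\System32\makecab.exe",
        r"makecab C:\Users\eve\Documents\notes.docx C:\Users\eve\AppData\Local\Temp\n.cab"),
    # Component-servicing compression of CBS logs: the benign makecab activity the exclusion targets.
    "benign_cbs_makecab": launch(r"C:\Windows\System32\makecab.exe",
        r"makecab.exe C:\Windows\Logs\CBS\CbsPersist_20260413000000.log C:\Windows\Logs\CBS\CbsPersist_20260413000000.cab"),
    "benign_7zip_extract": launch(r"C:\Program Files\7-Zip\7z.exe",
        r"7z.exe x C:\Temp\update.zip -oC:\Temp\update"),
}


def summarize(events: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Run each sample through the rule logic and report the branches that fired."""
    return {name: fired_branches(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, branches in summarize(SAMPLE_EVENTS).items():
        print(f"{name:22s} -> {branches or 'no detection'}")
    print("original -p\\s misses inline 7-Zip password:",
          legacy_flag_miss(r"7z.exe u -pS3cret C:\Temp\out.7z C:\Temp\in"))
```

Running it shows tests 1, 2 and 4 firing on the first branch, test 3 on the certutil branch, the CBS log compression and a plain 7-Zip extraction producing nothing, and a makecab run staging into a user's AppData tripping both the sensitive-path and the makecab branches. The legacy_flag_miss check is the reason the switch regex matches -p followed by non-space characters: a 7-Zip update command carrying -pS3cret with no " a " and no user-profile path is invisible to a pattern that requires whitespace after -p.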
