T1560.001 Elastic Security · Elastic

Detect Archive via Utility in Elastic Security

Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier or more secure to transport. Adversaries may abuse utilities such as 7-Zip, WinRAR, WinZip, tar, zip, and Windows built-ins like makecab/diantz and certutil to stage data for exfiltration. Password-protected archives are a common indicator as they prevent inspection by security tools. Threat actors including HAFNIUM, APT1, APT33, Volt Typhoon, Mustang Panda, menuPass, and Wizard Spider are documented using this technique.

MITRE ATT&CK

Tactic
Collection
Technique
T1560 Archive Collected Data
Sub-technique
T1560.001 Archive via Utility
Canonical reference
https://attack.mitre.org/techniques/T1560/001/

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.id with maxspan=5m
[
  process where event.type == "start" and
  (
    process.name in~ ("7z.exe", "7za.exe", "7zr.exe", "rar.exe", "winrar.exe", "winzip32.exe", "winzip64.exe", "makecab.exe", "diantz.exe", "zip.exe") and
    (
      process.args : ("-p*", "-hp*", "password", "a -", "-r", "-v*", "-ep", "-ep2", "-ep3") or
      process.args : ("*\\ntds*", "*\\lsass*", "*\\sam*", "*\\users\\*", "*\\documents*", "*\\desktop*", "*\\appdata*", "*\\inetpub*")
    )
  ) or
  (
    process.name : "certutil.exe" and
    process.args : ("-encode", "-encodehex", "/encode", "/encodehex")
  ) or
  (
    process.name in~ ("makecab.exe", "diantz.exe") and
    not process.args : ("*windows\\*", "*system32\\*")
  )
]
high severity high confidence

Detects use of archive and encoding utilities (7-Zip, WinRAR, makecab, certutil) with flags or paths indicative of data staging for exfiltration, including password-protected archives, multi-volume splits, sensitive path targeting, and certutil base64 encoding. Covers T1560.001 — Archive via Utility.

Data Sources

Elastic Endpoint SecurityWinlogbeat with SysmonElastic Agent (endpoint.events.process)

Required Tables

logs-endpoint.events.process-*winlogbeat-*

False Positives & Tuning

  • IT backup scripts using 7-Zip or WinRAR to archive user profiles or application data to temp directories as part of legitimate scheduled maintenance
  • Software packaging pipelines using makecab or diantz to create installer cabinet files, particularly in build servers
  • Security teams using certutil -encode to base64-encode files for transport or testing purposes in authorized red team exercises
Download portable Sigma rule (.yml)

Other platforms for T1560.001

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 17-Zip Password-Protected Archive of User Documents

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Program Files\7-Zip\7z.exe, CommandLine containing '-p' (password flag), input path in user Documents, output path in C:\Windows\Temp. Sysmon Event ID 11: FileCreate for C:\Windows\Temp\staged_data.zip. Security Event ID 4688 if command line auditing is enabled.

  2. Test 2WinRAR Multi-Volume Password-Protected Archive

    Expected signal: Sysmon Event ID 1: Process Create with Image containing rar.exe, CommandLine containing '-hp' (header password), '-v50m' (multi-volume 50MB), and output path in C:\ProgramData. Sysmon Event ID 11: FileCreate events for each archive volume (svc_backup.part1.rar, svc_backup.part2.rar, etc.).

  3. Test 3certutil Base64 Encoding of Collected File

    Expected signal: Sysmon Event ID 1 (first): Process Create for cmd.exe writing collected_data.txt. Sysmon Event ID 11: FileCreate for collected_data.txt. Sysmon Event ID 1 (second): Process Create with Image=certutil.exe, CommandLine containing '-encode', input file path, and output file path. Sysmon Event ID 11: FileCreate for encoded_output.b64.

  4. Test 4makecab Cabinet File Creation for Data Staging

    Expected signal: Sysmon Event ID 1: Process Create with Image=makecab.exe, CommandLine containing source file path and output .cab path in C:\Windows\Temp. Sysmon Event ID 11: FileCreate events for archive_output.cab, setup.inf, and setup.rpt (makecab side-effect files). Security Event ID 4688 if command line auditing enabled.

Last updated: 2026-04-13 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1560.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1560Archive Collected Data

Related Sub-techniques

T1560.002Archive via LibraryT1560.003Archive via Custom Method

Related Techniques

T1560Archive Collected DataT1560.002Archive via LibraryT1560.003Archive via Custom MethodT1074.001Local Data StagingT1074.002Remote Data StagingT1048Exfiltration Over Alternative ProtocolT1048.003Exfiltration Over Unencrypted Non-C2 ProtocolT1041Exfiltration Over C2 ChannelT1003.003NTDST1003.001LSASS MemoryT1005Data from Local System

Same Tactic: Collection

Popular Detections