Detect Archive via Utility in CrowdStrike LogScale
Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier or more secure to transport. Adversaries may abuse utilities such as 7-Zip, WinRAR, WinZip, tar, zip, and Windows built-ins like makecab/diantz and certutil to stage data for exfiltration. Password-protected archives are a common indicator as they prevent inspection by security tools. Threat actors including HAFNIUM, APT1, APT33, Volt Typhoon, Mustang Panda, menuPass, and Wizard Spider are documented using this technique.
MITRE ATT&CK
- Tactic
- Collection
- Technique
- T1560 Archive Collected Data
- Sub-technique
- T1560.001 Archive via Utility
- Canonical reference
- https://attack.mitre.org/techniques/T1560/001/
LogScale Detection Query
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(7z\.exe|7za\.exe|7zr\.exe|rar\.exe|winrar\.exe|winzip32\.exe|winzip64\.exe|makecab\.exe|diantz\.exe|zip\.exe|certutil\.exe)$/
| CommandLine != ""
| eval IsArchiveTool = if(ImageFileName =~ /(?i)(7z\.exe|7za\.exe|7zr\.exe|rar\.exe|winrar\.exe|winzip32\.exe|winzip64\.exe|zip\.exe)$/, true, false)
| eval IsCertutil = if(ImageFileName =~ /(?i)certutil\.exe$/, true, false)
| eval IsCabinetTool = if(ImageFileName =~ /(?i)(makecab|diantz)\.exe$/, true, false)
| eval PasswordProtected = if(CommandLine =~ /(?i)(-p\s|-hp\s|password)/, 1, 0)
| eval TargetsSensitivePath = if(CommandLine =~ /(?i)(\\ntds|\\lsass|\\sam|\\users\\|\\documents|\\desktop|\\appdata|\\inetpub)/, 1, 0)
| eval MultiVolume = if(CommandLine =~ /(?i)-v\d/, 1, 0)
| eval OutputToTemp = if(CommandLine =~ /(?i)(\\temp\\|\\tmp\\|\\programdata\\|\\appdata\\)/, 1, 0)
| eval CertutilEncode = if(IsCertutil and CommandLine =~ /(?i)(-encode|-encodehex|\/encode|\/encodehex)/, 1, 0)
| eval ArchiveWithFlags = if(IsArchiveTool and (CommandLine =~ /(?i)(\sa\s|-r\s|-v\d|-ep[23]?|-p\s|-hp\s|password)/ or TargetsSensitivePath = 1), 1, 0)
| eval CabinetSuspicious = if(IsCabinetTool and CommandLine !~ /(?i)(windows\\|system32\\)/, 1, 0)
| where ArchiveWithFlags = 1 OR CertutilEncode = 1 OR CabinetSuspicious = 1
| eval SuspicionScore = PasswordProtected + TargetsSensitivePath + MultiVolume + OutputToTemp
| eval DetectionSource = if(CertutilEncode = 1, "CertutilEncode", if(CabinetSuspicious = 1, "CabinetTool", "ArchiveTool"))
| table [@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, PasswordProtected, TargetsSensitivePath, MultiVolume, OutputToTemp, SuspicionScore, DetectionSource]
| sort @timestamp descCrowdStrike LogScale (CQL) query detecting T1560.001 archive utility abuse using Falcon ProcessRollup2 events. Identifies 7-Zip, WinRAR, zip, makecab, diantz, and certutil invocations with flags and path patterns indicative of data staging for exfiltration. Computes boolean enrichment fields and a suspicion score for analyst triage.
Data Sources
Required Tables
False Positives & Tuning
- Authorized backup agents using 7-Zip or WinRAR with password protection to encrypt and compress endpoint data to local staging directories before cloud upload
- Windows system maintenance routines invoking makecab or diantz to compress log or diagnostic files outside of System32 paths, such as in ProgramData subdirectories
- IT provisioning scripts using certutil -encode to prepare binary payloads or certificates for deployment via GPO or endpoint management tools
Other platforms for T1560.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 17-Zip Password-Protected Archive of User Documents
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Program Files\7-Zip\7z.exe, CommandLine containing '-p' (password flag), input path in user Documents, output path in C:\Windows\Temp. Sysmon Event ID 11: FileCreate for C:\Windows\Temp\staged_data.zip. Security Event ID 4688 if command line auditing is enabled.
- Test 2WinRAR Multi-Volume Password-Protected Archive
Expected signal: Sysmon Event ID 1: Process Create with Image containing rar.exe, CommandLine containing '-hp' (header password), '-v50m' (multi-volume 50MB), and output path in C:\ProgramData. Sysmon Event ID 11: FileCreate events for each archive volume (svc_backup.part1.rar, svc_backup.part2.rar, etc.).
- Test 3certutil Base64 Encoding of Collected File
Expected signal: Sysmon Event ID 1 (first): Process Create for cmd.exe writing collected_data.txt. Sysmon Event ID 11: FileCreate for collected_data.txt. Sysmon Event ID 1 (second): Process Create with Image=certutil.exe, CommandLine containing '-encode', input file path, and output file path. Sysmon Event ID 11: FileCreate for encoded_output.b64.
- Test 4makecab Cabinet File Creation for Data Staging
Expected signal: Sysmon Event ID 1: Process Create with Image=makecab.exe, CommandLine containing source file path and output .cab path in C:\Windows\Temp. Sysmon Event ID 11: FileCreate events for archive_output.cab, setup.inf, and setup.rpt (makecab side-effect files). Security Event ID 4688 if command line auditing enabled.
References (12)
- https://attack.mitre.org/techniques/T1560/001/
- https://www.7-zip.org/
- https://www.rarlab.com/
- https://www.winzip.com/win/en/
- https://lolbas-project.github.io/lolbas/Binaries/Diantz/
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
- https://www.microsoft.com/en-us/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- https://www.secureworks.com/blog/volt-typhoon-targets-us-critical-infrastructure
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
- https://www.mandiant.com/resources/reports/apt1-exposing-one-of-chinas-cyber-espionage-units
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/makecab
Unlock Pro Content
Get the full detection package for T1560.001 including response playbook, investigation guide, and atomic red team tests.