Detect Archive via Utility in IBM QRadar
Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier or more secure to transport. Adversaries may abuse utilities such as 7-Zip, WinRAR, WinZip, tar, zip, and Windows built-ins like makecab/diantz and certutil to stage data for exfiltration. Password-protected archives are a common indicator as they prevent inspection by security tools. Threat actors including HAFNIUM, APT1, APT33, Volt Typhoon, Mustang Panda, menuPass, and Wizard Spider are documented using this technique.
MITRE ATT&CK
- Tactic
- Collection
- Technique
- T1560 Archive Collected Data
- Sub-technique
- T1560.001 Archive via Utility
- Canonical reference
- https://attack.mitre.org/techniques/T1560/001/
QRadar Detection Query
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
logsourcename(logsourceid) AS log_source,
sourceip,
username,
"Image" AS process_image,
"CommandLine" AS command_line,
"ParentImage" AS parent_image,
CASE
WHEN LOWER("CommandLine") MATCHES '.*(-p\s|-hp\s|password).*' THEN 1 ELSE 0
END AS password_protected,
CASE
WHEN LOWER("CommandLine") MATCHES '.*(ntds|lsass|\\sam|\\users\\|\\documents|\\desktop|\\appdata|inetpub).*' THEN 1 ELSE 0
END AS targets_sensitive_path,
CASE
WHEN LOWER("CommandLine") MATCHES '.*(-v\d+|-v\s).*' THEN 1 ELSE 0
END AS multi_volume,
CASE
WHEN LOWER("CommandLine") MATCHES '.*(\\temp\\|\\tmp\\|\\programdata\\|\\appdata\\).*' THEN 1 ELSE 0
END AS output_to_temp
FROM events
WHERE
LOGSOURCETYPEID(logsourceid) IN (12, 13, 296)
AND "EventID" IN ('1', '4688')
AND (
(
LOWER("Image") MATCHES '.*(7z\.exe|7za\.exe|7zr\.exe|rar\.exe|winrar\.exe|winzip32\.exe|winzip64\.exe|makecab\.exe|diantz\.exe|zip\.exe)$'
AND (
LOWER("CommandLine") MATCHES '.*(-p\s|-hp\s|password|\sa\s|-r\s|-v\d|-ep).*'
OR LOWER("CommandLine") MATCHES '.*(ntds|lsass|\\sam|\\users\\|documents|desktop|appdata|inetpub).*'
)
)
OR (
LOWER("Image") MATCHES '.*certutil\.exe$'
AND LOWER("CommandLine") MATCHES '.*(-encode|-encodehex|\/encode|\/encodehex).*'
)
)
AND DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') > DATEADD('hour', -24, NOW())
ORDER BY devicetime DESC
LIMIT 500AQL query for IBM QRadar detecting archive utility abuse (7z, rar, winrar, makecab, zip) and certutil encoding used for data staging prior to exfiltration. Queries Sysmon Event ID 1 and Windows Security Event 4688 log sources. Enriches events with boolean flags for password protection, sensitive path targeting, multi-volume splitting, and temp directory output.
Data Sources
Required Tables
False Positives & Tuning
- Automated backup jobs run by IT operations using 7-Zip to compress and archive data to network shares or temp locations
- Software development build systems using makecab or diantz to package installation cabinet files for distribution
- System administrators using certutil -encode for certificate management or legitimate file encoding operations
Other platforms for T1560.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 17-Zip Password-Protected Archive of User Documents
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Program Files\7-Zip\7z.exe, CommandLine containing '-p' (password flag), input path in user Documents, output path in C:\Windows\Temp. Sysmon Event ID 11: FileCreate for C:\Windows\Temp\staged_data.zip. Security Event ID 4688 if command line auditing is enabled.
- Test 2WinRAR Multi-Volume Password-Protected Archive
Expected signal: Sysmon Event ID 1: Process Create with Image containing rar.exe, CommandLine containing '-hp' (header password), '-v50m' (multi-volume 50MB), and output path in C:\ProgramData. Sysmon Event ID 11: FileCreate events for each archive volume (svc_backup.part1.rar, svc_backup.part2.rar, etc.).
- Test 3certutil Base64 Encoding of Collected File
Expected signal: Sysmon Event ID 1 (first): Process Create for cmd.exe writing collected_data.txt. Sysmon Event ID 11: FileCreate for collected_data.txt. Sysmon Event ID 1 (second): Process Create with Image=certutil.exe, CommandLine containing '-encode', input file path, and output file path. Sysmon Event ID 11: FileCreate for encoded_output.b64.
- Test 4makecab Cabinet File Creation for Data Staging
Expected signal: Sysmon Event ID 1: Process Create with Image=makecab.exe, CommandLine containing source file path and output .cab path in C:\Windows\Temp. Sysmon Event ID 11: FileCreate events for archive_output.cab, setup.inf, and setup.rpt (makecab side-effect files). Security Event ID 4688 if command line auditing enabled.
References (12)
- https://attack.mitre.org/techniques/T1560/001/
- https://www.7-zip.org/
- https://www.rarlab.com/
- https://www.winzip.com/win/en/
- https://lolbas-project.github.io/lolbas/Binaries/Diantz/
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
- https://www.microsoft.com/en-us/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- https://www.secureworks.com/blog/volt-typhoon-targets-us-critical-infrastructure
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
- https://www.mandiant.com/resources/reports/apt1-exposing-one-of-chinas-cyber-espionage-units
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/makecab
Unlock Pro Content
Get the full detection package for T1560.001 including response playbook, investigation guide, and atomic red team tests.