T1560.001 Microsoft Sentinel · KQL

Detect Archive via Utility in Microsoft Sentinel

Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier or more secure to transport. Adversaries may abuse utilities such as 7-Zip, WinRAR, WinZip, tar, zip, and Windows built-ins like makecab/diantz and certutil to stage data for exfiltration. Password-protected archives are a common indicator as they prevent inspection by security tools. Threat actors including HAFNIUM, APT1, APT33, Volt Typhoon, Mustang Panda, menuPass, and Wizard Spider are documented using this technique.

MITRE ATT&CK

Tactic
Collection
Technique
T1560 Archive Collected Data
Sub-technique
T1560.001 Archive via Utility
Canonical reference
https://attack.mitre.org/techniques/T1560/001/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let ArchiveTools = dynamic(["7z.exe", "7za.exe", "7zr.exe", "rar.exe", "winrar.exe", "winzip32.exe", "winzip64.exe", "zip.exe", "makecab.exe", "diantz.exe", "xcopy.exe"]);
let SuspiciousFlags = dynamic(["-p", "-hp", "a -", " a ", "-r ", "-v", "password", "-ep", "-ep2", "-ep3"]);
let SensitivePaths = dynamic(["\\ntds", "\\lsass", "\\sam", "\\system", "\\security", "\\users\\", "\\documents", "\\desktop", "\\appdata", "c:\\windows\\temp", "c:\\programdata", "\\inetpub"]);
union
(
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName in~ (ArchiveTools)
    | where ProcessCommandLine has_any (SuspiciousFlags) or ProcessCommandLine has_any (SensitivePaths)
    | extend PasswordProtected = ProcessCommandLine has_any ("-p", "-hp", "password")
    | extend TargetsSensitivePath = ProcessCommandLine has_any (SensitivePaths)
    | extend MultiVolume = ProcessCommandLine has_any ("-v", "-v1", "-v2", "-v500", "-v1000")
    | extend OutputToTemp = ProcessCommandLine has_any ("\\temp\\", "\\tmp\\", "\\programdata\\", "\\appdata\\")
    | extend DetectionSource = "ArchiveTool"
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
             InitiatingProcessFileName, InitiatingProcessCommandLine,
             PasswordProtected, TargetsSensitivePath, MultiVolume, OutputToTemp, DetectionSource
),
(
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName =~ "certutil.exe"
    | where ProcessCommandLine has_any ("-encode", "-encodehex", "/encode", "/encodehex")
    | extend PasswordProtected = false
    | extend TargetsSensitivePath = ProcessCommandLine has_any (SensitivePaths)
    | extend MultiVolume = false
    | extend OutputToTemp = ProcessCommandLine has_any ("\\temp\\", "\\tmp\\", "\\programdata\\")
    | extend DetectionSource = "CertutilEncode"
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
             InitiatingProcessFileName, InitiatingProcessCommandLine,
             PasswordProtected, TargetsSensitivePath, MultiVolume, OutputToTemp, DetectionSource
),
(
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName =~ "makecab.exe" or FileName =~ "diantz.exe"
    | where ProcessCommandLine !contains "windows\\ " and ProcessCommandLine !contains "system32\\"
    | extend PasswordProtected = false
    | extend TargetsSensitivePath = ProcessCommandLine has_any (SensitivePaths)
    | extend MultiVolume = false
    | extend OutputToTemp = ProcessCommandLine has_any ("\\temp\\", "\\tmp\\", "\\programdata\\")
    | extend DetectionSource = "CabinetTool"
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
             InitiatingProcessFileName, InitiatingProcessCommandLine,
             PasswordProtected, TargetsSensitivePath, MultiVolume, OutputToTemp, DetectionSource
)
| sort by Timestamp desc
medium severity high confidence

Detects data archiving activity consistent with pre-exfiltration staging using Microsoft Defender for Endpoint DeviceProcessEvents. Covers third-party archive tools (7-Zip, WinRAR, WinZip), Windows built-ins (makecab, diantz), and certutil Base64 encoding. Flags password-protected archives, operations targeting sensitive file paths (ntds.dit, LSASS, user profile directories), multi-volume archives, and output to staging directories. Three separate query branches are unioned to cover different archival methods.

Data Sources

Process: Process CreationCommand: Command ExecutionMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • System administrators using 7-Zip or WinRAR for legitimate backup or file transfer operations
  • Backup software agents (Veeam, Commvault, Acronis) that invoke archive utilities as part of scheduled backup jobs
  • Software packaging tools and CI/CD pipelines that compress build artifacts before deployment
  • IT operations compressing log files or diagnostic data for vendor support cases
  • makecab.exe invoked by Windows Update, software installers, and MSI packages as part of normal installation routines
Download portable Sigma rule (.yml)

Other platforms for T1560.001

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 17-Zip Password-Protected Archive of User Documents

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Program Files\7-Zip\7z.exe, CommandLine containing '-p' (password flag), input path in user Documents, output path in C:\Windows\Temp. Sysmon Event ID 11: FileCreate for C:\Windows\Temp\staged_data.zip. Security Event ID 4688 if command line auditing is enabled.

  2. Test 2WinRAR Multi-Volume Password-Protected Archive

    Expected signal: Sysmon Event ID 1: Process Create with Image containing rar.exe, CommandLine containing '-hp' (header password), '-v50m' (multi-volume 50MB), and output path in C:\ProgramData. Sysmon Event ID 11: FileCreate events for each archive volume (svc_backup.part1.rar, svc_backup.part2.rar, etc.).

  3. Test 3certutil Base64 Encoding of Collected File

    Expected signal: Sysmon Event ID 1 (first): Process Create for cmd.exe writing collected_data.txt. Sysmon Event ID 11: FileCreate for collected_data.txt. Sysmon Event ID 1 (second): Process Create with Image=certutil.exe, CommandLine containing '-encode', input file path, and output file path. Sysmon Event ID 11: FileCreate for encoded_output.b64.

  4. Test 4makecab Cabinet File Creation for Data Staging

    Expected signal: Sysmon Event ID 1: Process Create with Image=makecab.exe, CommandLine containing source file path and output .cab path in C:\Windows\Temp. Sysmon Event ID 11: FileCreate events for archive_output.cab, setup.inf, and setup.rpt (makecab side-effect files). Security Event ID 4688 if command line auditing enabled.

Last updated: 2026-04-13 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1560.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1560Archive Collected Data

Related Sub-techniques

T1560.002Archive via LibraryT1560.003Archive via Custom Method

Related Techniques

T1560Archive Collected DataT1560.002Archive via LibraryT1560.003Archive via Custom MethodT1074.001Local Data StagingT1074.002Remote Data StagingT1048Exfiltration Over Alternative ProtocolT1048.003Exfiltration Over Unencrypted Non-C2 ProtocolT1041Exfiltration Over C2 ChannelT1003.003NTDST1003.001LSASS MemoryT1005Data from Local System

Same Tactic: Collection

Popular Detections