Detect Archive via Utility in Splunk
Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier or more secure to transport. Adversaries may abuse utilities such as 7-Zip, WinRAR, WinZip, tar, zip, and Windows built-ins like makecab/diantz and certutil to stage data for exfiltration. Password-protected archives are a common indicator as they prevent inspection by security tools. Threat actors including HAFNIUM, APT1, APT33, Volt Typhoon, Mustang Panda, menuPass, and Wizard Spider are documented using this technique.
MITRE ATT&CK
- Tactic
- Collection
- Technique
- T1560 Archive Collected Data
- Sub-technique
- T1560.001 Archive via Utility
- Canonical reference
- https://attack.mitre.org/techniques/T1560/001/
SPL Detection Query
index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
| eval Image=lower(Image), CommandLine=lower(CommandLine)
| eval IsArchiveTool=if(match(Image, "(7z\.exe|7za\.exe|7zr\.exe|rar\.exe|winrar\.exe|winzip32\.exe|winzip64\.exe|makecab\.exe|diantz\.exe|zip\.exe)"), 1, 0)
| eval IsCertutilEncode=if(match(Image, "certutil\.exe") AND match(CommandLine, "(-encode|-encodehex|/encode|/encodehex)"), 1, 0)
| where IsArchiveTool=1 OR IsCertutilEncode=1
| eval PasswordProtected=if(match(CommandLine, "(-p\s|-hp\s|password)"), 1, 0)
| eval TargetsSensitivePath=if(match(CommandLine, "(ntds|lsass|\\\\sam|\\\\users\\\\|\\\\documents|\\\\desktop|\\\\appdata)"), 1, 0)
| eval MultiVolume=if(match(CommandLine, "(-v\d|-v\s)"), 1, 0)
| eval OutputToTemp=if(match(CommandLine, "(\\\\temp\\\\|\\\\tmp\\\\|\\\\programdata\\\\|\\\\appdata\\\\)"), 1, 0)
| eval SuspicionScore=PasswordProtected + TargetsSensitivePath + MultiVolume + OutputToTemp
| eval DetectionSource=case(
IsCertutilEncode=1, "CertutilEncode",
match(Image, "(makecab|diantz)"), "CabinetTool",
1=1, "ArchiveTool"
)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, PasswordProtected, TargetsSensitivePath, MultiVolume, OutputToTemp, SuspicionScore, DetectionSource
| sort - _timeDetects pre-exfiltration data archiving using Sysmon Event ID 1 (Process Create). Identifies third-party archive tools (7-Zip, WinRAR, WinZip), Windows cabinet tools (makecab, diantz), and certutil Base64 encoding. Scores events based on password protection, sensitive path targeting, multi-volume flags, and staging directory output. Higher suspicion scores indicate higher fidelity alerts.
Data Sources
Required Sourcetypes
False Positives & Tuning
- System administrators using 7-Zip or WinRAR for legitimate backup or file transfer operations
- Backup software agents (Veeam, Commvault, Acronis) that invoke archive utilities as child processes
- Software packaging tools and CI/CD pipelines that compress build artifacts before deployment
- IT operations compressing log files or diagnostic data for vendor support cases
- makecab.exe invoked by Windows Update and MSI installers during normal software installation
Other platforms for T1560.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 17-Zip Password-Protected Archive of User Documents
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Program Files\7-Zip\7z.exe, CommandLine containing '-p' (password flag), input path in user Documents, output path in C:\Windows\Temp. Sysmon Event ID 11: FileCreate for C:\Windows\Temp\staged_data.zip. Security Event ID 4688 if command line auditing is enabled.
- Test 2WinRAR Multi-Volume Password-Protected Archive
Expected signal: Sysmon Event ID 1: Process Create with Image containing rar.exe, CommandLine containing '-hp' (header password), '-v50m' (multi-volume 50MB), and output path in C:\ProgramData. Sysmon Event ID 11: FileCreate events for each archive volume (svc_backup.part1.rar, svc_backup.part2.rar, etc.).
- Test 3certutil Base64 Encoding of Collected File
Expected signal: Sysmon Event ID 1 (first): Process Create for cmd.exe writing collected_data.txt. Sysmon Event ID 11: FileCreate for collected_data.txt. Sysmon Event ID 1 (second): Process Create with Image=certutil.exe, CommandLine containing '-encode', input file path, and output file path. Sysmon Event ID 11: FileCreate for encoded_output.b64.
- Test 4makecab Cabinet File Creation for Data Staging
Expected signal: Sysmon Event ID 1: Process Create with Image=makecab.exe, CommandLine containing source file path and output .cab path in C:\Windows\Temp. Sysmon Event ID 11: FileCreate events for archive_output.cab, setup.inf, and setup.rpt (makecab side-effect files). Security Event ID 4688 if command line auditing enabled.
References (12)
- https://attack.mitre.org/techniques/T1560/001/
- https://www.7-zip.org/
- https://www.rarlab.com/
- https://www.winzip.com/win/en/
- https://lolbas-project.github.io/lolbas/Binaries/Diantz/
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
- https://www.microsoft.com/en-us/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- https://www.secureworks.com/blog/volt-typhoon-targets-us-critical-infrastructure
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
- https://www.mandiant.com/resources/reports/apt1-exposing-one-of-chinas-cyber-espionage-units
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/makecab
Unlock Pro Content
Get the full detection package for T1560.001 including response playbook, investigation guide, and atomic red team tests.