Detect Archive via Utility in Sumo Logic CSE
Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier or more secure to transport. Adversaries may abuse utilities such as 7-Zip, WinRAR, WinZip, tar, zip, and Windows built-ins like makecab/diantz and certutil to stage data for exfiltration. Password-protected archives are a common indicator as they prevent inspection by security tools. Threat actors including HAFNIUM, APT1, APT33, Volt Typhoon, Mustang Panda, menuPass, and Wizard Spider are documented using this technique.
MITRE ATT&CK
- Tactic
- Collection
- Technique
- T1560 Archive Collected Data
- Sub-technique
- T1560.001 Archive via Utility
- Canonical reference
- https://attack.mitre.org/techniques/T1560/001/
Sumo Detection Query
_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| where EventID in ("1", "4688")
| parse field=CommandLine "*" as command_line nodrop
| parse field=Image "*" as image_path nodrop
| toLowerCase(image_path) as image_lower
| toLowerCase(command_line) as cmd_lower
| where (
    (
      image_lower matches /.*\\(7z|7za|7zr|rar|winrar|winzip32|winzip64|makecab|diantz|zip)\.exe$/
      and (
        cmd_lower matches "* -p*" or cmd_lower matches "* -hp*" or cmd_lower contains "password"
        or cmd_lower matches "* a *" or cmd_lower matches "* -r*" or cmd_lower matches "*-v*"
        or cmd_lower matches "*-ep*"
        or cmd_lower contains "ntds" or cmd_lower contains "lsass"
        or cmd_lower contains "\\users\\" or cmd_lower contains "\\documents"
        or cmd_lower contains "\\desktop" or cmd_lower contains "\\appdata"
        or cmd_lower contains "inetpub"
      )
    )
    or (
      image_lower matches "*certutil.exe"
      and (
        cmd_lower contains "-encode" or cmd_lower contains "-encodehex"
        or cmd_lower contains "/encode" or cmd_lower contains "/encodehex"
      )
    )
    or (
      (image_lower matches "*makecab.exe" or image_lower matches "*diantz.exe")
      and not (cmd_lower contains "windows\\" or cmd_lower contains "system32\\")
    )
  )
| if(cmd_lower matches /.*( -p| -hp|password).*/, 1, 0) as password_protected
| if(cmd_lower contains "ntds" or cmd_lower contains "lsass" or cmd_lower contains "\\sam"
    or cmd_lower contains "\\users\\" or cmd_lower contains "\\documents"
    or cmd_lower contains "\\desktop" or cmd_lower contains "\\appdata", 1, 0) as targets_sensitive_path
| if(cmd_lower matches /.*-v\d+.*/, 1, 0) as multi_volume
| if(cmd_lower contains "\\temp\\" or cmd_lower contains "\\tmp\\"
    or cmd_lower contains "\\programdata\\" or cmd_lower contains "\\appdata\\", 1, 0) as output_to_temp
| password_protected + targets_sensitive_path + multi_volume + output_to_temp as suspicion_score
| if(image_lower matches "*certutil.exe", "CertutilEncode",
    if(image_lower matches "*makecab.exe" or image_lower matches "*diantz.exe", "CabinetTool", "ArchiveTool")) as detection_source
| fields _messageTime, Computer, User, image_path, command_line, ParentImage, ParentCommandLine,
    password_protected, targets_sensitive_path, multi_volume, output_to_temp,
    suspicion_score, detection_source
| sort by _messageTime desc
Sumo Logic query detecting archive utility abuse and certutil encoding indicative of T1560.001 data staging. It parses Sysmon Event ID 1 and Windows Security Event ID 4688 logs to identify 7-Zip, WinRAR, makecab, diantz, zip, and certutil usage with suspicious flags, sensitive path targeting, password protection, multi-volume splits, and output to staging directories, and computes a suspicion score (0 to 4) for prioritization. Note that the password flags of 7-Zip (-p) and WinRAR (-hp) take the password directly after the switch with no space, so the patterns match the switch followed by any character rather than a trailing space.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise backup solutions using 7-Zip or WinRAR with password protection to archive user documents to network shares as part of data protection policies
- DevOps CI/CD pipelines invoking makecab or diantz to package Windows software installers, particularly in directories matching the suspicious path patterns
- PKI administrators using certutil -encode to base64-encode certificate files or PKCS bundles for distribution to endpoints
Other platforms for T1560.001
Testing Methodology
Validate this detection against the four Atomic Red Team tests for this sub-technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: 7-Zip Password-Protected Archive of User Documents
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Program Files\7-Zip\7z.exe, CommandLine containing '-p' (password flag), input path in user Documents, output path in C:\Windows\Temp. Sysmon Event ID 11: FileCreate for C:\Windows\Temp\staged_data.zip. Security Event ID 4688 if command line auditing is enabled.
- Test 2: WinRAR Multi-Volume Password-Protected Archive
Expected signal: Sysmon Event ID 1: Process Create with Image containing rar.exe, CommandLine containing '-hp' (header password), '-v50m' (multi-volume, 50 MB), and output path in C:\ProgramData. Sysmon Event ID 11: FileCreate events for each archive volume (svc_backup.part1.rar, svc_backup.part2.rar, etc.).
- Test 3: certutil Base64 Encoding of Collected File
Expected signal: Sysmon Event ID 1 (first): Process Create for cmd.exe writing collected_data.txt. Sysmon Event ID 11: FileCreate for collected_data.txt. Sysmon Event ID 1 (second): Process Create with Image=certutil.exe, CommandLine containing '-encode', input file path, and output file path. Sysmon Event ID 11: FileCreate for encoded_output.b64.
- Test 4: makecab Cabinet File Creation for Data Staging
Expected signal: Sysmon Event ID 1: Process Create with Image=makecab.exe, CommandLine containing source file path and output .cab path in C:\Windows\Temp. Sysmon Event ID 11: FileCreate events for archive_output.cab, setup.inf, and setup.rpt (makecab side-effect files). Security Event ID 4688 if command line auditing is enabled.
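The query's filter and scoring, replayed offline in Python over constructed process-creation events shaped like the four tests above plus one benign makecab run, so the branches and the suspicion score can be checked before the rule is deployed. This is an added example, not code from this page or from Sumo Logic; the event keys EventID, Image and CommandLine are assumed to carry the same values the query parses from Sysmon 1 / Security 4688.

```python
import re

# Image names from the query's first branch, anchored on a path separator and .exe
ARCHIVE_IMAGE_RE = re.compile(r"\\(7z|7za|7zr|rar|winrar|winzip32|winzip64|makecab|diantz|zip)\.exe$")
PASSWORD_RE = re.compile(r"( -p| -hp|password)")   # 7z -p<pw>, WinRAR -hp<pw>, no space after the switch
MULTI_VOLUME_RE = re.compile(r"-v\d+")              # WinRAR -v50m style volume splits
ARCHIVE_FLAGS = (" a ", " -r", "-v", "-ep", "ntds", "lsass", "\\users\\", "\\documents",
                 "\\desktop", "\\appdata", "inetpub")
SENSITIVE = ("ntds", "lsass", "\\sam", "\\users\\", "\\documents", "\\desktop", "\\appdata")
STAGING = ("\\temp\\", "\\tmp\\", "\\programdata\\", "\\appdata\\")

def classify(event):
    """Apply the query's WHERE clause and scoring to one Sysmon 1 / Security 4688 event.
    Returns None if the event would be filtered out, otherwise the triage fields."""
    if event["EventID"] not in ("1", "4688"):
        return None
    image, cmd = event["Image"].lower(), event["CommandLine"].lower()
    is_cab, is_certutil = image.endswith(("makecab.exe", "diantz.exe")), image.endswith("certutil.exe")
    archive_branch = bool(ARCHIVE_IMAGE_RE.search(image)) and (
        bool(PASSWORD_RE.search(cmd)) or any(f in cmd for f in ARCHIVE_FLAGS))
    certutil_branch = is_certutil and ("-encode" in cmd or "/encode" in cmd)
    cab_branch = is_cab and not ("windows\\" in cmd or "system32\\" in cmd)   # excludes OS build paths
    if not (archive_branch or certutil_branch or cab_branch):
        return None
    fields = {
        "password_protected": int(bool(PASSWORD_RE.search(cmd))),
        "targets_sensitive_path": int(any(p in cmd for p in SENSITIVE)),
        "multi_volume": int(bool(MULTI_VOLUME_RE.search(cmd))),
        "output_to_temp": int(any(p in cmd for p in STAGING)),
    }
    fields["suspicion_score"] = sum(fields.values())
    fields["detection_source"] = ("CertutilEncode" if is_certutil
                                  else "CabinetTool" if is_cab else "ArchiveTool")
    return fields

def triage(events):
    # (command_line, suspicion_score, detection_source) for every hit, highest score first
    hits = [(e["CommandLine"], r["suspicion_score"], r["detection_source"])
            for e in events if (r := classify(e)) is not None]
    return sorted(hits, key=lambda h: -h[1])

# Constructed sample events (not real telemetry): one per Atomic test above, plus a benign
# makecab run under C:\Windows that neither the cabinet branch nor the archive branch admits.
SAMPLE_EVENTS = [
    {"EventID": "1", "Image": r"C:\Program Files\7-Zip\7z.exe", "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" a -pS3cret C:\Windows\Temp\staged_data.zip C:\Users\alice\Documents\*'},
    {"EventID": "4688", "Image": r"C:\Program Files\WinRAR\rar.exe", "CommandLine": r"rar.exe a -hpS3cret -v50m C:\ProgramData\svc_backup.rar C:\Users\bob\Desktop"},
    {"EventID": "1", "Image": r"C:\Windows\System32\certutil.exe", "CommandLine": r"certutil -encode C:\Users\bob\collected_data.txt C:\Users\bob\encoded_output.b64"},
    {"EventID": "1", "Image": r"C:\Windows\System32\makecab.exe", "CommandLine": r"makecab C:\Users\carol\AppData\Local\notes.txt C:\ProgramData\archive_output.cab"},
    {"EventID": "1", "Image": r"C:\Windows\System32\makecab.exe", "CommandLine": r"makecab C:\Windows\Temp\build\driver.sys C:\Windows\Temp\driver.cab"},
]
```

Running `triage(SAMPLE_EVENTS)` ranks the WinRAR split archive (score 4) above the 7-Zip run (3), the makecab staging (2) and the certutil encode (1), and drops the benign makecab build entirely.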
References (12)
- https://attack.mitre.org/techniques/T1560/001/
- https://www.7-zip.org/
- https://www.rarlab.com/
- https://www.winzip.com/win/en/
- https://lolbas-project.github.io/lolbas/Binaries/Diantz/
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
- https://www.microsoft.com/en-us/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- https://www.secureworks.com/blog/volt-typhoon-targets-us-critical-infrastructure
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
- https://www.mandiant.com/resources/reports/apt1-exposing-one-of-chinas-cyber-espionage-units
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/makecab