T1560.003

Archive via Custom Method

An adversary may compress or encrypt data collected prior to exfiltration using a custom method rather than standard archive utilities. Custom implementations include XOR loops with static keys, stream ciphers (RC4, ChaCha20), block ciphers (Blowfish), byte rotation schemes, and substitution ciphers — all implemented inline in malware code or scripts without referencing external libraries or system utilities. This technique allows adversaries to transform staged data in a way that evades detection rules targeting standard archivers (7-Zip, WinRAR, zip) while also obfuscating data contents during staging and exfiltration. Threat actors employing this technique include FIN6 (single-byte XOR with key 0xAA, plus Base64 with character permutation), CopyKittens (substitution cipher), and malware families including Attor (custom Blowfish+RSA), BLUELIGHT (XOR binary blob), StrongPity (repeated XOR producing .sft archive parts), Duqu (zlib+XOR), RGDoor (XOR before C2 transmission), RawPOS (XOR-encoded POS card data), and FoggyWeb (dynamic XOR key with WebP steganography).

Microsoft Sentinel / Defender

kusto

let XORKeywords = dynamic([
  "-bxor", "BitXor", "xorkey", "xor_key", "xorBytes", "XorEncrypt",
  "0xAA", "0x23", "bxor 0x", "xor 0x",
  "[byte[]] $key", "ByteXor", "XorFile"
]);
let CustomCryptoKeywords = dynamic([
  "blowfish", " rc4 ", "arcfour", "stream cipher",
  "substitution", "rot13", "rotl(", "rotr(",
  "custom encrypt", "xor cipher", "xor encrypt"
]);
let SuspiciousOutputExtensions = dynamic([
  ".sft", ".enc", ".crypt", ".xor", ".locked", ".rms"
]);
let KnownArchivers = dynamic([
  "7z.exe", "winrar.exe", "winzip.exe", "pkzip.exe",
  "zip.exe", "tar.exe", "gzip.exe", "bzip2.exe"
]);
// Branch 1: Scripting engines with XOR or custom crypto keywords in command line
let ScriptBasedCustomCrypto =
  DeviceProcessEvents
  | where Timestamp > ago(24h)
  | where FileName in~ ("powershell.exe", "pwsh.exe", "python.exe", "python3.exe",
                        "wscript.exe", "cscript.exe", "cmd.exe")
  | where ProcessCommandLine has_any (XORKeywords)
      or ProcessCommandLine has_any (CustomCryptoKeywords)
  | extend EncryptionType = case(
      ProcessCommandLine has_any (XORKeywords), "XOR-based",
      ProcessCommandLine has_any (CustomCryptoKeywords), "Custom-cipher",
      "Unknown"
    )
  | project Timestamp, DeviceName, AccountName,
           ProcessName = FileName,
           ProcessCommandLine,
           ParentProcess = InitiatingProcessFileName,
           ParentCommandLine = InitiatingProcessCommandLine,
           EncryptionType,
           DetectionBranch = "ScriptCustomCrypto";
// Branch 2: High-volume creation of files with custom encrypted extensions by non-standard processes
let BulkCustomExtensionCreation =
  DeviceFileEvents
  | where Timestamp > ago(24h)
  | where ActionType == "FileCreated"
  | where FileName has_any (SuspiciousOutputExtensions)
  | where not(InitiatingProcessFileName has_any (KnownArchivers))
  | where FolderPath !has ":\\Windows" and FolderPath !has ":\\Program Files"
  | summarize
      FileCount = count(),
      SampleFiles = make_set(FileName, 10),
      Folders = make_set(FolderPath, 3)
    by DeviceName,
       AccountName = InitiatingProcessAccountName,
       ProcessName = InitiatingProcessFileName,
       ProcessCommandLine = InitiatingProcessCommandLine,
       ParentProcess = InitiatingProcessParentFileName,
       ParentCommandLine = InitiatingProcessParentCommandLine,
       bin(Timestamp, 5m)
  | where FileCount >= 5
  | extend EncryptionType = strcat("BulkCustomExtension:", FileCount, " files")
  | project Timestamp, DeviceName, AccountName, ProcessName,
           ProcessCommandLine, ParentProcess, ParentCommandLine,
           EncryptionType, DetectionBranch = "BulkEncryptedFiles";
ScriptBasedCustomCrypto
| union BulkCustomExtensionCreation
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution File: File Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

Enterprise backup and DLP software (VeraCrypt preparation scripts, enterprise encryption agents) creating .enc or .crypt files in bulk during scheduled backup operations
Software developers writing and testing custom encryption libraries or XOR-based data serialization code on developer workstations — the -bxor operator has legitimate scripting uses
In-house data processing pipelines or ETL jobs that use custom non-standard file extensions for intermediate processing artifacts
Security assessment tools and penetration testing frameworks implementing XOR transforms during authorized engagements
Ransomware simulation tools (RanSim, SafeKit) used by security teams for testing detection coverage that produce bulk encrypted output files

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\python.exe" OR Image="*\\python3.exe" OR Image="*\\wscript.exe" OR Image="*\\cscript.exe")
| eval CommandLineLower=lower(CommandLine)
| eval XORPattern=if(match(CommandLineLower, "(-bxor|bitxor|xorkey|xor_key|xorbytes|xorencrypt|0xaa|0x23|bxor 0x|bytearray)"), 1, 0)
| eval CustomCrypto=if(match(CommandLineLower, "(\\brc4\\b|arcfour|blowfish|stream.cipher|substitution|rot13|rotl\\(|rotr\\(|custom.encrypt|xor.cipher|xor.encrypt)"), 1, 0)
| eval SuspicionScore=XORPattern + CustomCrypto
| where SuspicionScore > 0
| eval DetectionBranch="ScriptCustomCrypto"
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, XORPattern, CustomCrypto, SuspicionScore, DetectionBranch
| append [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
      (TargetFilename="*.sft" OR TargetFilename="*.enc" OR TargetFilename="*.crypt" OR TargetFilename="*.xor" OR TargetFilename="*.locked" OR TargetFilename="*.rms")
      NOT (Image="*\\7z.exe" OR Image="*\\winrar.exe" OR Image="*\\winzip.exe" OR Image="*\\zip.exe" OR Image="*\\tar.exe" OR Image="*\\gzip.exe")
      NOT (TargetFilename="*\\Windows\\*" OR TargetFilename="*\\Program Files\\*")
    | bin _time span=5m
    | stats count as FileCount, values(TargetFilename) as SampleFiles, values(Image) as Images, first(User) as User by host, Image, CommandLine, _time
    | where FileCount >= 5
    | eval DetectionBranch="BulkEncryptedFiles", SuspicionScore=2, XORPattern=0, CustomCrypto=0
    | eval ParentImage="unknown", ParentCommandLine="unknown"
    | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, XORPattern, CustomCrypto, SuspicionScore, DetectionBranch
  ]
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation File: File Creation Sysmon Event ID 1 Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Enterprise backup and encryption software creating .enc or .crypt files in bulk during scheduled backup operations — exclude by process name and scheduled time window
Software developers writing and testing custom encryption libraries with XOR or RC4 implementations on developer workstations
Custom in-house archival solutions using non-standard file extensions as part of their designed workflow
Security tools and authorized red team frameworks creating files with custom extensions during penetration testing engagements
Ransomware simulation tools (RanSim, SafeKit) used by security teams for validating detection coverage

Elastic Security (EQL)

eql

any where
  (
    event.category == "process" and event.type == "start" and
    process.name in~ ("powershell.exe", "pwsh.exe", "python.exe", "python3.exe", "wscript.exe", "cscript.exe", "cmd.exe") and
    (
      process.command_line : ("*-bxor*", "*BitXor*", "*xorkey*", "*xor_key*", "*xorBytes*", "*XorEncrypt*", "*0xAA*", "*0x23*", "*bxor 0x*", "*ByteXor*", "*XorFile*") or
      process.command_line : ("*blowfish*", "* rc4 *", "*arcfour*", "*stream cipher*", "*substitution*", "*rot13*", "*rotl(*", "*rotr(*", "*custom encrypt*", "*xor cipher*", "*xor encrypt*")
    )
  ) or
  (
    event.category == "file" and event.type == "creation" and
    file.extension in~ ("sft", "enc", "crypt", "xor", "locked", "rms") and
    not process.name in~ ("7z.exe", "winrar.exe", "winzip.exe", "pkzip.exe", "zip.exe", "tar.exe", "gzip.exe", "bzip2.exe") and
    not file.path : ("*\\Windows\\*", "*\\Program Files\\*")
  )

high severity medium confidence

Data Sources

Elastic Endpoint Security (ECS process and file events) Winlogbeat with Sysmon module (ECS-normalized) Elastic Agent with Windows integration

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* winlogbeat-* .ds-logs-windows.sysmon_operational-*

False Positives

PowerShell administration scripts performing bitwise XOR for legitimate data masking, checksum calculations, or flag manipulation (e.g., AD attribute bitmask checks using -bxor).
Python-based data engineering or ETL pipelines that implement RC4, Blowfish, or XOR for backward-compatible format handling with legacy systems.
Authorized red team or penetration testing tooling invoking custom crypto primitives on systems where an engagement is in progress; cross-reference with change-management records.
Backup or archival agents (Veeam, Acronis custom scripts) that write intermediate encrypted chunks with non-standard extensions before repackaging.
Security research or CTF training environments where XOR encoding is intentionally exercised for educational purposes.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS SourceHost,
  username AS AccountName,
  "Process Name" AS ProcessName,
  "Command" AS CommandLine,
  "Parent Process Name" AS ParentProcess,
  CASE
    WHEN LOWER("Command") LIKE '%-bxor%'
      OR LOWER("Command") LIKE '%bitxor%'
      OR LOWER("Command") LIKE '%xorkey%'
      OR LOWER("Command") LIKE '%xor_key%'
      OR LOWER("Command") LIKE '%xorbytes%'
      OR LOWER("Command") LIKE '%xorencrypt%'
      OR LOWER("Command") LIKE '%0xaa%'
      OR LOWER("Command") LIKE '%0x23%'
      OR LOWER("Command") LIKE '%bytexor%'
      OR LOWER("Command") LIKE '%xorfile%'
      THEN 'XOR-based'
    WHEN LOWER("Command") LIKE '%blowfish%'
      OR LOWER("Command") LIKE '% rc4 %'
      OR LOWER("Command") LIKE '%arcfour%'
      OR LOWER("Command") LIKE '%rot13%'
      OR LOWER("Command") LIKE '%xor cipher%'
      OR LOWER("Command") LIKE '%xor encrypt%'
      OR LOWER("Command") LIKE '%custom encrypt%'
      THEN 'Custom-cipher'
    ELSE 'SuspiciousExtension'
  END AS EncryptionType,
  CASE WHEN "EventID" = '1' THEN 'ScriptCustomCrypto' ELSE 'BulkEncryptedFiles' END AS DetectionBranch
FROM events
WHERE
  (
    LOGSOURCENAME(logsourceid) ILIKE '%sysmon%'
    OR LOGSOURCENAME(logsourceid) ILIKE '%microsoft windows%'
    OR CATEGORYNAME(category) ILIKE '%operating system%'
  )
  AND starttime > DATEADD(HOUR, -24, NOW())
  AND (
    (
      "EventID" = '1'
      AND (
        "Process Name" ILIKE '%\\powershell.exe'
        OR "Process Name" ILIKE '%\\pwsh.exe'
        OR "Process Name" ILIKE '%\\python.exe'
        OR "Process Name" ILIKE '%\\python3.exe'
        OR "Process Name" ILIKE '%\\wscript.exe'
        OR "Process Name" ILIKE '%\\cscript.exe'
        OR "Process Name" ILIKE '%\\cmd.exe'
      )
      AND (
        LOWER("Command") LIKE '%-bxor%'
        OR LOWER("Command") LIKE '%bitxor%'
        OR LOWER("Command") LIKE '%xorkey%'
        OR LOWER("Command") LIKE '%xor_key%'
        OR LOWER("Command") LIKE '%xorbytes%'
        OR LOWER("Command") LIKE '%xorencrypt%'
        OR LOWER("Command") LIKE '%0xaa%'
        OR LOWER("Command") LIKE '%0x23%'
        OR LOWER("Command") LIKE '%bxor 0x%'
        OR LOWER("Command") LIKE '%bytexor%'
        OR LOWER("Command") LIKE '%xorfile%'
        OR LOWER("Command") LIKE '%blowfish%'
        OR LOWER("Command") LIKE '% rc4 %'
        OR LOWER("Command") LIKE '%arcfour%'
        OR LOWER("Command") LIKE '%rot13%'
        OR LOWER("Command") LIKE '%rotl(%'
        OR LOWER("Command") LIKE '%rotr(%'
        OR LOWER("Command") LIKE '%xor cipher%'
        OR LOWER("Command") LIKE '%xor encrypt%'
        OR LOWER("Command") LIKE '%custom encrypt%'
        OR LOWER("Command") LIKE '%stream cipher%'
      )
    )
    OR (
      "EventID" = '11'
      AND (
        LOWER("Target Filename") LIKE '%.sft'
        OR LOWER("Target Filename") LIKE '%.enc'
        OR LOWER("Target Filename") LIKE '%.crypt'
        OR LOWER("Target Filename") LIKE '%.xor'
        OR LOWER("Target Filename") LIKE '%.locked'
        OR LOWER("Target Filename") LIKE '%.rms'
      )
      AND NOT (
        "Process Name" ILIKE '%7z.exe'
        OR "Process Name" ILIKE '%winrar.exe'
        OR "Process Name" ILIKE '%winzip.exe'
        OR "Process Name" ILIKE '%pkzip.exe'
        OR "Process Name" ILIKE '%zip.exe'
        OR "Process Name" ILIKE '%tar.exe'
        OR "Process Name" ILIKE '%gzip.exe'
        OR "Process Name" ILIKE '%bzip2.exe'
      )
      AND NOT (
        LOWER("Target Filename") LIKE '%\\windows\\%'
        OR LOWER("Target Filename") LIKE '%\\program files\\%'
      )
    )
  )
ORDER BY starttime DESC

high severity medium confidence

Data Sources

QRadar Sysmon DSM (Microsoft Windows Sysmon log source type) QRadar WinCollect agent forwarding Sysmon Operational channel Microsoft Windows Security Event Log DSM (for EventID 4688 fallback)

Required Tables

events

False Positives

Legitimate PowerShell automation that uses -bxor for permission bitmask calculations against Active Directory attributes or Windows ACL flags.
Authorized Python data pipelines or ETL jobs referencing 'rc4' or 'arcfour' in string literals, comments, or algorithm-selection variables even without executing crypto operations.
Endpoint security products or DLP agents writing encrypted staging files with .enc or .crypt extensions as part of their own quarantine or scanning workflows.
Developer workstations running unit tests for cryptographic libraries where the test command line references cipher names directly.
Custom backup scripts (e.g., Restic, Borg wrappers) producing non-standard extension output files outside standard archiver paths.

Sumo Logic CSE

sql

(_sourceCategory="*sysmon*" OR _sourceCategory="OS/Windows" OR _sourceCategory="windows/sysmon")
| parse regex "<EventID>(?<EventCode>\\d+)<\/EventID>" nodrop
| parse regex "Name='CommandLine'>(?<CommandLine>[^<]+)" nodrop
| parse regex "Name='Image'>(?<ProcessImage>[^<]+)" nodrop
| parse regex "Name='ParentCommandLine'>(?<ParentCommandLine>[^<]+)" nodrop
| parse regex "Name='TargetFilename'>(?<TargetFilename>[^<]+)" nodrop
| parse regex "Name='User'>(?<User>[^<]+)" nodrop
| parse regex "Name='ParentImage'>(?<ParentImage>[^<]+)" nodrop
| where EventCode = "1" OR EventCode = "11"
| eval CmdLow = toLowerCase(CommandLine)
| eval XORMatch = if (
    CmdLow matches "*-bxor*" OR CmdLow matches "*bitxor*" OR CmdLow matches "*xorkey*"
    OR CmdLow matches "*xor_key*" OR CmdLow matches "*xorbytes*" OR CmdLow matches "*xorencrypt*"
    OR CmdLow matches "*0xaa*" OR CmdLow matches "*0x23*" OR CmdLow matches "*bxor 0x*"
    OR CmdLow matches "*bytexor*" OR CmdLow matches "*xorfile*",
    1, 0
  )
| eval CryptoMatch = if (
    CmdLow matches "*blowfish*" OR CmdLow matches "* rc4 *" OR CmdLow matches "*arcfour*"
    OR CmdLow matches "*rot13*" OR CmdLow matches "*rotl(*" OR CmdLow matches "*rotr(*"
    OR CmdLow matches "*xor cipher*" OR CmdLow matches "*xor encrypt*"
    OR CmdLow matches "*custom encrypt*" OR CmdLow matches "*stream cipher*",
    1, 0
  )
| eval IsScriptBranch = if (
    EventCode = "1"
    AND (XORMatch = 1 OR CryptoMatch = 1)
    AND (
      ProcessImage matches "*\\powershell.exe" OR ProcessImage matches "*\\pwsh.exe"
      OR ProcessImage matches "*\\python.exe" OR ProcessImage matches "*\\python3.exe"
      OR ProcessImage matches "*\\wscript.exe" OR ProcessImage matches "*\\cscript.exe"
      OR ProcessImage matches "*\\cmd.exe"
    ),
    1, 0
  )
| eval IsFileBranch = if (
    EventCode = "11"
    AND (
      TargetFilename matches "*.sft" OR TargetFilename matches "*.enc"
      OR TargetFilename matches "*.crypt" OR TargetFilename matches "*.xor"
      OR TargetFilename matches "*.locked" OR TargetFilename matches "*.rms"
    )
    AND NOT (
      ProcessImage matches "*\\7z.exe" OR ProcessImage matches "*\\winrar.exe"
      OR ProcessImage matches "*\\winzip.exe" OR ProcessImage matches "*\\zip.exe"
      OR ProcessImage matches "*\\tar.exe" OR ProcessImage matches "*\\gzip.exe"
      OR ProcessImage matches "*\\bzip2.exe"
    )
    AND NOT (
      TargetFilename matches "*\\Windows\\*" OR TargetFilename matches "*\\Program Files\\*"
    ),
    1, 0
  )
| where IsScriptBranch = 1 OR IsFileBranch = 1
| eval DetectionBranch = if (IsScriptBranch = 1, "ScriptCustomCrypto", "BulkEncryptedFiles")
| eval EncryptionType = if (
    IsScriptBranch = 1,
    if (XORMatch = 1, "XOR-based", "Custom-cipher"),
    concat("SuspiciousExtension:", TargetFilename)
  )
| timeslice 5m
| count by _timeslice, host, User, ProcessImage, CommandLine, TargetFilename, ParentImage, DetectionBranch, EncryptionType
| where DetectionBranch = "ScriptCustomCrypto" OR (DetectionBranch = "BulkEncryptedFiles" AND _count >= 5)
| sort by _timeslice desc

high severity medium confidence

Data Sources

Sumo Logic Installed Collector with Windows Event Log source (Microsoft-Windows-Sysmon/Operational channel) Sumo Logic Cloud-to-Cloud source for Microsoft Defender for Endpoint events (normalized) Sumo Logic CSE (Cloud SIEM Enterprise) with Windows normalized schema

Required Tables

Sumo Logic partition or index containing Sysmon Operational XML events (EventCode 1 and 11)

False Positives

IT automation scripts running PowerShell to manipulate permission flags or network packet bytes using -bxor, which is a standard PowerShell bitwise operator.
Data science or ML pipelines written in Python that import or reference RC4/arcfour by name for algorithm comparison benchmarks, even when not performing encryption.
Endpoint security or DLP products creating quarantine files with .enc or .crypt extensions, which would generate high-volume file creation events matching the bulk branch threshold.
Custom database backup scripts that stage encrypted exports using .enc extension before uploading to cloud storage; these may also run from non-standard process names.
Developers running unit tests or integration tests for cryptographic utility functions where test commands contain cipher names in arguments.

Google Chronicle / SecOps

yaral

// Rule 1: Scripting engines executing inline XOR or custom cipher operations
rule T1560_003_CustomCrypto_ScriptEngine {
  meta:
    author = "Detection Engineer"
    description = "T1560.003 - Detects scripting hosts (PowerShell, Python, WScript, CScript, CMD) whose command line contains XOR operator keywords, bitwise cipher identifiers, or named custom cipher strings associated with FIN6, StrongPity, CopyKittens, and related threat actors."
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1560.003"
    mitre_attack_subtechnique = "T1560.003"
    severity = "HIGH"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1560/003/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path = /(?i)(powershell|pwsh|python3?|wscript|cscript|cmd)\.exe$/
    (
      $e.target.process.command_line = /(?i)(-bxor|bitxor|xorkey|xor_key|xorbytes|xorencrypt|0x[Aa][Aa]|0x23|bxor\s+0x|bytexor|xorfile)/ or
      $e.target.process.command_line = /(?i)(blowfish|\brc4\b|arcfour|stream\s+cipher|substitution|rot13|rotl\(|rotr\(|custom\s+encrypt|xor\s+cipher|xor\s+encrypt)/
    )

  condition:
    $e
}

// Rule 2: Bulk creation of files with custom encrypted extensions by non-archiver processes
rule T1560_003_BulkEncryptedFileCreation {
  meta:
    author = "Detection Engineer"
    description = "T1560.003 - Detects bulk creation of files bearing custom encrypted output extensions (.sft, .enc, .crypt, .xor, .locked, .rms) by processes that are not known archive utilities, consistent with StrongPity .sft staging, BLUELIGHT XOR blob output, and similar custom-archive malware behavior."
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1560.003"
    mitre_attack_subtechnique = "T1560.003"
    severity = "HIGH"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1560/003/"

  events:
    $e.metadata.event_type = "FILE_CREATION"
    $e.target.file.full_path = /(?i)\.(sft|enc|crypt|xor|locked|rms)$/
    not $e.principal.process.file.full_path = /(?i)(7z|winrar|winzip|pkzip|zip|tar|gzip|bzip2)\.exe$/
    not $e.target.file.full_path = /(?i)(\\Windows\\|\\Program Files\\)/

  match:
    $e.principal.hostname over 5m

  outcome:
    $file_count = count_distinct($e.target.file.full_path)
    $sample_files = array_distinct($e.target.file.full_path)
    $creating_process = array_distinct($e.principal.process.file.full_path)

  condition:
    #e >= 5
}

high severity medium confidence

Data Sources

Chronicle SIEM ingesting Windows Event Logs (Sysmon Operational channel via forwarder) Chronicle with Microsoft Defender for Endpoint telemetry (UDM normalized) Chronicle Google Cloud Chronicle universal forwarder parsing Windows XML events to UDM

Required Tables

UDM events store (PROCESS_LAUNCH event type) UDM events store (FILE_CREATION event type)

False Positives

Legitimate PowerShell scripts using -bxor for bitwise flag testing against Windows API constants (e.g., checking SE_PRIVILEGE_ENABLED) will match Rule 1; tune by excluding known-good parent processes or script paths.
Python data engineering scripts whose module names, variable names, or inline comments mention 'rc4' or 'blowfish' in string literals even without executing those algorithms.
Enterprise backup agents or encryption-at-rest solutions writing large numbers of .enc files during scheduled backup windows, which would trip the Rule 2 count threshold.
Security tooling such as OpenSSL wrappers or GPG scripts that produce .enc output as a standard naming convention for encrypted archive output.
Developer CI/CD pipelines running cryptographic test suites that create and delete multiple test output files with cipher-specific extensions within the detection window.

CrowdStrike LogScale (CQL)

cql

// Branch 1: Scripting engines with XOR or custom cipher keywords in command line
union(
  {
    #event_simpleName = /^(ProcessRollup2|SyntheticProcessRollup2)$/
    | regex("(?i)(powershell|pwsh|python3?|wscript|cscript|cmd)\\.exe$", field=ImageFileName)
    | regex("(?i)(-bxor|bitxor|xorkey|xor_key|xorbytes|xorencrypt|0x[Aa][Aa]|0x23|bxor\\s+0x|bytexor|xorfile|blowfish|\\brc4\\b|arcfour|stream\\s+cipher|substitution|rot13|rotl\\(|rotr\\(|custom\\s+encrypt|xor\\s+cipher|xor\\s+encrypt)", field=CommandLine)
    | EncryptionType := case {
        regex("(?i)(-bxor|bitxor|xorkey|xor_key|xorbytes|xorencrypt|0x[Aa][Aa]|0x23|bxor\\s+0x|bytexor|xorfile)", field=CommandLine) => "XOR-based" ;
        regex("(?i)(blowfish|\\brc4\\b|arcfour|rot13|rotl\\(|rotr\\(|custom\\s+encrypt|xor\\s+cipher|xor\\s+encrypt|stream\\s+cipher)", field=CommandLine) => "Custom-cipher" ;
        * => "Unknown"
      }
    | DetectionBranch := "ScriptCustomCrypto"
    | table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, EncryptionType, DetectionBranch])
  },
  {
    // Branch 2: Bulk creation of files with suspicious encrypted extensions
    #event_simpleName = "ClosedFileWritten"
    | regex("(?i)\\.(sft|enc|crypt|xor|locked|rms)$", field=TargetFileName)
    | not regex("(?i)(7z|winrar|winzip|pkzip|zip\\.exe|tar\\.exe|gzip|bzip2)\\.exe$", field=ImageFileName)
    | not regex("(?i)(\\\\Windows\\\\|\\\\Program\\s+Files\\\\)", field=TargetFileName)
    | groupBy(
        [ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName],
        function=[
          count(as=FileCount),
          collect(TargetFileName, limit=10, as=SampleFiles),
          min(timestamp, as=FirstSeen),
          max(timestamp, as=LastSeen)
        ],
        limit=max
      )
    | where FileCount >= 5
    | DetectionBranch := "BulkEncryptedFiles"
    | EncryptionType := format("BulkCustomExtension:%d files", [FileCount])
    | table([FirstSeen, LastSeen, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, FileCount, SampleFiles, DetectionBranch, EncryptionType])
  }
)
| sort(timestamp, order=desc, limit=200)

high severity medium confidence

Data Sources

CrowdStrike Falcon Sensor (ProcessRollup2 process telemetry) CrowdStrike Falcon Sensor with enhanced file write telemetry (ClosedFileWritten events, requires File Write monitoring policy enabled) CrowdStrike Falcon Data Replicator (FDR) streaming to LogScale

Required Tables

ProcessRollup2 SyntheticProcessRollup2 ClosedFileWritten

False Positives

Legitimate PowerShell scripts that use -bxor for network-flag or ACL-flag manipulation (e.g., testing SE_PRIVILEGE_ENABLED bit in token privilege structs), which share the same operator token as malicious XOR-based encryption.
Python automation scripts that import RC4 or Blowfish by name for algorithm selection benchmarks or compatibility-layer testing even when the cipher is not invoked for data transformation.
Enterprise endpoint encryption or DLP solutions writing protected file copies with .enc extensions in bulk during scheduled scans or quarantine operations, triggering the file-count threshold.
Custom build pipelines or release automation tools that compile and package multiple output artifacts with non-standard extensions into staging directories not under Windows or Program Files.
Forensic or incident-response tooling (e.g., Velociraptor, KAPE output stages) writing encrypted evidence containers with custom extensions during artifact collection from an authorized investigation.

Last updated: 2026-04-14 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1560.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Archive via Custom Method

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Collection

Popular Detections