T1560.003 Google Chronicle · YARA-L

Detect Archive via Custom Method in Google Chronicle

An adversary may compress or encrypt data collected prior to exfiltration using a custom method rather than standard archive utilities. Custom implementations include XOR loops with static keys, stream ciphers (RC4, ChaCha20), block ciphers (Blowfish), byte rotation schemes, and substitution ciphers — all implemented inline in malware code or scripts without referencing external libraries or system utilities. This technique allows adversaries to transform staged data in a way that evades detection rules targeting standard archivers (7-Zip, WinRAR, zip) while also obfuscating data contents during staging and exfiltration. Threat actors employing this technique include FIN6 (single-byte XOR with key 0xAA, plus Base64 with character permutation), CopyKittens (substitution cipher), and malware families including Attor (custom Blowfish+RSA), BLUELIGHT (XOR binary blob), StrongPity (repeated XOR producing .sft archive parts), Duqu (zlib+XOR), RGDoor (XOR before C2 transmission), RawPOS (XOR-encoded POS card data), and FoggyWeb (dynamic XOR key with WebP steganography).

MITRE ATT&CK

Tactic
Collection
Technique
T1560 Archive Collected Data
Sub-technique
T1560.003 Archive via Custom Method
Canonical reference
https://attack.mitre.org/techniques/T1560/003/

YARA-L Detection Query

Google Chronicle (YARA-L)
```yaral
// Rule 1: Scripting engines executing inline XOR or custom cipher operations
rule T1560_003_CustomCrypto_ScriptEngine {
  meta:
    author = "Detection Engineer"
    description = "T1560.003 - Detects scripting hosts (PowerShell, Python, WScript, CScript, CMD) whose command line contains XOR operator keywords, bitwise cipher identifiers, or named custom cipher strings associated with FIN6, StrongPity, CopyKittens, and related threat actors."
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1560.003"
    mitre_attack_subtechnique = "T1560.003"
    severity = "HIGH"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1560/003/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path = /(?i)(powershell|pwsh|python3?|wscript|cscript|cmd)\.exe$/
    (
      $e.target.process.command_line = /(?i)(-bxor|bitxor|xorkey|xor_key|xorbytes|xorencrypt|0x[Aa][Aa]|0x23|bxor\s+0x|bytexor|xorfile)/ or
      $e.target.process.command_line = /(?i)(blowfish|\brc4\b|arcfour|stream\s+cipher|substitution|rot13|rotl\(|rotr\(|custom\s+encrypt|xor\s+cipher|xor\s+encrypt)/
    )

  condition:
    $e
}

// Rule 2: Bulk creation of files with custom encrypted extensions by non-archiver processes
rule T1560_003_BulkEncryptedFileCreation {
  meta:
    author = "Detection Engineer"
    description = "T1560.003 - Detects bulk creation of files bearing custom encrypted output extensions (.sft, .enc, .crypt, .xor, .locked, .rms) by processes that are not known archive utilities, consistent with StrongPity .sft staging, BLUELIGHT XOR blob output, and similar custom-archive malware behavior."
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1560.003"
    mitre_attack_subtechnique = "T1560.003"
    severity = "HIGH"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1560/003/"

  events:
    $e.metadata.event_type = "FILE_CREATION"
    $e.target.file.full_path = /(?i)\.(sft|enc|crypt|xor|locked|rms)$/
    not $e.principal.process.file.full_path = /(?i)(7z|winrar|winzip|pkzip|zip|tar|gzip|bzip2)\.exe$/
    not $e.target.file.full_path = /(?i)(\\Windows\\|\\Program Files\\)/

  match:
    $e.principal.hostname over 5m

  outcome:
    $file_count = count_distinct($e.target.file.full_path)
    $sample_files = array_distinct($e.target.file.full_path)
    $creating_process = array_distinct($e.principal.process.file.full_path)

  condition:
    #e >= 5
}
```

Severity: HIGH. Confidence: MEDIUM.

Two Chronicle YARA-L 2.0 rules for T1560.003. Rule 1 (ScriptEngine) matches PROCESS_LAUNCH UDM events where the creating process is a scripting host and the command line contains XOR operator tokens or named custom cipher strings. Rule 2 (BulkEncryptedFileCreation) matches FILE_CREATION UDM events for suspicious output extensions, requiring 5 or more such creations within a 5-minute window from the same host, from a non-archiver process, and outside system paths. The match/outcome/condition block in Rule 2 enables the threshold-based aggregation native to YARA-L 2.0 multi-event rules.
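YARA-L cannot be executed outside Chronicle, so to check the two rules' logic before deploying them it helps to emulate them offline. The Python below is an added example, not Chronicle's or this page's own code: it transcribes the regexes from both rules, evaluates Rule 1 per event and Rule 2 per host over a 5-minute window, and runs both over constructed UDM-style events that mirror Test 1 (static-key XOR tokens on a PowerShell command line), Test 4 (bulk .sft output with no keywords), and two cases from the tuning section (a benign -bxor flag check, and an archiver writing .enc files). The flat event dicts, hostnames and paths, the `known_good_scripts` exclusion hook, and the sliding-window approximation of Chronicle's match window are assumptions of this example.

```python
"""Offline emulation of the two T1560.003 YARA-L rules over constructed UDM-style events.
Added example: not Chronicle code. Event dicts are a flat stand-in for UDM fields."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regexes transcribed from the YARA-L rules above.
SCRIPT_HOST = re.compile(r"(?i)(powershell|pwsh|python3?|wscript|cscript|cmd)\.exe$")
XOR_TOKENS = re.compile(r"(?i)(-bxor|bitxor|xorkey|xor_key|xorbytes|xorencrypt|0x[Aa][Aa]|0x23|bxor\s+0x|bytexor|xorfile)")
CIPHER_NAMES = re.compile(r"(?i)(blowfish|\brc4\b|arcfour|stream\s+cipher|substitution|rot13|rotl\(|rotr\(|custom\s+encrypt|xor\s+cipher|xor\s+encrypt)")
ENC_EXT = re.compile(r"(?i)\.(sft|enc|crypt|xor|locked|rms)$")
ARCHIVER = re.compile(r"(?i)(7z|winrar|winzip|pkzip|zip|tar|gzip|bzip2)\.exe$")
SYSTEM_PATH = re.compile(r"(?i)(\\Windows\\|\\Program Files\\)")


def rule1_script_engine(ev, known_good_scripts=()):
    """Rule 1: a scripting host whose command line carries XOR or named-cipher tokens.
    known_good_scripts is an added tuning hook (script paths to exclude), not part of the rule."""
    if ev["event_type"] != "PROCESS_LAUNCH" or not SCRIPT_HOST.search(ev["process_path"]):
        return False
    cmd = ev["command_line"]
    if any(p.lower() in cmd.lower() for p in known_good_scripts):
        return False
    return bool(XOR_TOKENS.search(cmd) or CIPHER_NAMES.search(cmd))


def rule2_bulk_encrypted(events, threshold=5, window=timedelta(minutes=5)):
    """Rule 2: >= threshold qualifying FILE_CREATION events from one host inside the window.
    Chronicle's match window is approximated here with a per-host sliding window (assumption)."""
    per_host = defaultdict(list)
    for ev in events:
        if ev["event_type"] != "FILE_CREATION" or not ENC_EXT.search(ev["file_path"]):
            continue
        if ARCHIVER.search(ev["process_path"]):      # known archive utilities are excluded
            continue
        if SYSTEM_PATH.search(ev["file_path"]):      # Windows and Program Files paths are excluded
            continue
        per_host[ev["hostname"]].append(ev)
    alerts = {}
    for host, evs in per_host.items():
        evs.sort(key=lambda e: e["timestamp"])
        for i, first in enumerate(evs):
            hit = [e for e in evs[i:] if e["timestamp"] - first["timestamp"] <= window]
            if len(hit) >= threshold:                 # the rule's "#e >= 5" condition
                paths = sorted({e["file_path"] for e in hit})
                alerts[host] = {"file_count": len(paths), "sample_files": paths,
                                "creating_process": sorted({e["process_path"] for e in hit})}
                break
    return alerts


def run_rules(events, known_good_scripts=()):
    """Evaluate both rules: returns (hostnames flagged by Rule 1, Rule 2 alerts keyed by host)."""
    r1 = [ev["hostname"] for ev in events if rule1_script_engine(ev, known_good_scripts)]
    return r1, rule2_bulk_encrypted(events)


# ---- Constructed sample telemetry (hostnames, paths and command lines are invented) ----
T0 = datetime(2024, 1, 1, 12, 0, 0)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TEMP = r"C:\Users\alice\AppData\Local\Temp"


def launch(host, path, cmd):
    return {"event_type": "PROCESS_LAUNCH", "hostname": host, "timestamp": T0,
            "process_path": path, "command_line": cmd}


def create(host, path, file_path, t):
    return {"event_type": "FILE_CREATION", "hostname": host, "timestamp": t,
            "process_path": path, "file_path": file_path}


SAMPLE_EVENTS = [
    # Test 1 analogue: static-key XOR tokens on a PowerShell command line
    launch("ws01", PS, 'powershell.exe -NoP -c "... $b[$i] -bxor 0xAA ... WriteAllBytes ..."'),
    # Tuning case: benign -bxor privilege-flag check launched from a known script path
    launch("ws02", PS, r"powershell.exe -File C:\Scripts\check_priv.ps1 -Flag SE_PRIVILEGE_ENABLED -bxor 0x2"),
    # Not a scripting host, so a cipher name in its arguments does not qualify
    launch("ws02", r"C:\Program Files\Notepad++\notepad++.exe", "notepad++.exe blowfish_notes.txt"),
    # Test 4 analogue: no keywords on the command line, only the bulk .sft output below
    launch("ws03", PS, r"powershell.exe -File C:\Users\alice\stage.ps1"),
    *[create("ws03", PS, rf"{TEMP}\sft_staging\archive_part{i}.sft", T0 + timedelta(seconds=i)) for i in range(1, 9)],
    # Excluded: a known archiver writing .enc output
    *[create("ws04", r"C:\Program Files\7-Zip\7z.exe", rf"{TEMP}\out{i}.enc", T0 + timedelta(seconds=i)) for i in range(6)],
    # Below threshold: three .crypt files from a Python host
    *[create("ws05", r"C:\Python311\python3.exe", rf"{TEMP}\rc4_out\f{i}.crypt", T0 + timedelta(seconds=i)) for i in range(3)],
    # Excluded: output under a system path
    *[create("ws06", r"C:\Windows\System32\svchost.exe", rf"C:\Windows\Temp\cache{i}.enc", T0 + timedelta(seconds=i)) for i in range(6)],
]

if __name__ == "__main__":
    hits, alerts = run_rules(SAMPLE_EVENTS, known_good_scripts=(r"C:\Scripts\check_priv.ps1",))
    print("Rule 1 hosts:", hits)
    for host, a in alerts.items():
        print(f"Rule 2 {host}: {a['file_count']} files from {a['creating_process']}")
```

Running it flags ws01 under Rule 1 and ws03 under Rule 2 (8 distinct .sft files from powershell.exe), while the benign -bxor launch on ws02 drops out once its script path is in the exclusion list; ws04, ws05 and ws06 show the archiver, threshold and system-path filters each suppressing one case. The same sample set is a convenient regression fixture when you later tighten the regexes.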

Data Sources

  • Chronicle SIEM ingesting Windows Event Logs (Sysmon Operational channel via forwarder)
  • Chronicle with Microsoft Defender for Endpoint telemetry (UDM normalized)
  • Google Cloud Chronicle universal forwarder parsing Windows XML events to UDM

Required Tables

  • UDM events store (PROCESS_LAUNCH event type)
  • UDM events store (FILE_CREATION event type)

False Positives & Tuning

  • Legitimate PowerShell scripts using -bxor for bitwise flag testing against Windows API constants (e.g., checking SE_PRIVILEGE_ENABLED) will match Rule 1; tune by excluding known-good parent processes or script paths.
  • Python data engineering scripts whose module names, variable names, or inline comments mention 'rc4' or 'blowfish' in string literals even without executing those algorithms.
  • Enterprise backup agents or encryption-at-rest solutions writing large numbers of .enc files during scheduled backup windows, which would trip the Rule 2 count threshold.
  • Security tooling such as OpenSSL wrappers or GPG scripts that produce .enc output as a standard naming convention for encrypted archive output.
  • Developer CI/CD pipelines running cryptographic test suites that create and delete multiple test output files with cipher-specific extensions within the detection window.
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: PowerShell Single-Byte XOR Encryption of Staged Files (FIN6-style)

    Expected signal: Sysmon Event ID 1: powershell.exe Process Create with CommandLine containing '-bxor', '0xAA', 'ReadAllBytes', and 'WriteAllBytes'. Sysmon Event ID 11: 3 FileCreate events for .enc files in %TEMP%\xor_out. PowerShell ScriptBlock Log Event ID 4104 capturing full encryption loop with key constant 0xAA. DeviceFileEvents: FileCreated events for each .enc output file with InitiatingProcessFileName=powershell.exe.

  2. Test 2: Python Custom RC4 Stream Cipher Encryption (Rising Sun-style)

    Expected signal: Sysmon Event ID 1: python3.exe Process Create with CommandLine containing 'rc4_encrypt', 'xorkey', and 'base64' keywords. Sysmon Event ID 11: 2 FileCreate events for .crypt files in %TEMP%\rc4_out. DeviceProcessEvents: python3.exe with ProcessCommandLine matching rc4 and xorkey patterns.

  3. Test 3: PowerShell Byte Rotation with XOR (SPACESHIP/APT30-style)

    Expected signal: Sysmon Event ID 1: powershell.exe Process Create with CommandLine containing '-bxor', '0x23', '-shl', '-shr', '-band'. Sysmon Event ID 11: FileCreate event for spaceship_test.xor in %TEMP%. PowerShell ScriptBlock Log Event ID 4104 with full rotation and XOR implementation including the 0x23 constant.

  4. Test 4: Bulk .sft File Creation (StrongPity-style Custom Archive Output)

    Expected signal: Sysmon Event ID 11: 8 FileCreate events for archive_part1.sft through archive_part8.sft all within seconds, from powershell.exe in %TEMP%\sft_staging. DeviceFileEvents: 8 FileCreated entries with .sft extension, InitiatingProcessFileName=powershell.exe. No encryption keywords appear in the command line — this test validates that the file-creation branch catches compiled implant output patterns.
