Detect Archive via Custom Method in Elastic Security
An adversary may compress or encrypt data collected prior to exfiltration using a custom method rather than standard archive utilities. Custom implementations include XOR loops with static keys, stream ciphers (RC4, ChaCha20), block ciphers (Blowfish), byte rotation schemes, and substitution ciphers — all implemented inline in malware code or scripts without referencing external libraries or system utilities. This technique allows adversaries to transform staged data in a way that evades detection rules targeting standard archivers (7-Zip, WinRAR, zip) while also obfuscating data contents during staging and exfiltration. Threat actors employing this technique include FIN6 (single-byte XOR with key 0xAA, plus Base64 with character permutation), CopyKittens (substitution cipher), and malware families including Attor (custom Blowfish+RSA), BLUELIGHT (XOR binary blob), StrongPity (repeated XOR producing .sft archive parts), Duqu (zlib+XOR), RGDoor (XOR before C2 transmission), RawPOS (XOR-encoded POS card data), and FoggyWeb (dynamic XOR key with WebP steganography).
MITRE ATT&CK
- Tactic
- Collection
- Technique
- T1560 Archive Collected Data
- Sub-technique
- T1560.003 Archive via Custom Method
- Canonical reference
- https://attack.mitre.org/techniques/T1560/003/
Elastic Detection Query
any where
(
event.category == "process" and event.type == "start" and
process.name in~ ("powershell.exe", "pwsh.exe", "python.exe", "python3.exe", "wscript.exe", "cscript.exe", "cmd.exe") and
(
process.command_line : ("*-bxor*", "*BitXor*", "*xorkey*", "*xor_key*", "*xorBytes*", "*XorEncrypt*", "*0xAA*", "*0x23*", "*bxor 0x*", "*ByteXor*", "*XorFile*") or
process.command_line : ("*blowfish*", "* rc4 *", "*arcfour*", "*stream cipher*", "*substitution*", "*rot13*", "*rotl(*", "*rotr(*", "*custom encrypt*", "*xor cipher*", "*xor encrypt*")
)
) or
(
event.category == "file" and event.type == "creation" and
file.extension in~ ("sft", "enc", "crypt", "xor", "locked", "rms") and
not process.name in~ ("7z.exe", "winrar.exe", "winzip.exe", "pkzip.exe", "zip.exe", "tar.exe", "gzip.exe", "bzip2.exe") and
not file.path : ("*\\Windows\\*", "*\\Program Files\\*")
)Detects T1560.003 Archive via Custom Method across two branches: (1) scripting engines (PowerShell, Python, WScript, CScript, CMD) executing inline XOR loops or named custom cipher routines (-bxor, BitXor, RC4, Blowfish, ROT13, etc.) in their command line; (2) bulk creation (5+ files) of non-standard encrypted output extensions (.sft, .enc, .crypt, .xor, .locked, .rms) by processes that are not known archiver utilities. Covers threat actor patterns from FIN6 (0xAA XOR + Base64), StrongPity (.sft archive parts), RawPOS (XOR card data), and CopyKittens (substitution cipher).
Data Sources
Required Tables
False Positives & Tuning
- PowerShell administration scripts performing bitwise XOR for legitimate data masking, checksum calculations, or flag manipulation (e.g., AD attribute bitmask checks using -bxor).
- Python-based data engineering or ETL pipelines that implement RC4, Blowfish, or XOR for backward-compatible format handling with legacy systems.
- Authorized red team or penetration testing tooling invoking custom crypto primitives on systems where an engagement is in progress; cross-reference with change-management records.
- Backup or archival agents (Veeam, Acronis custom scripts) that write intermediate encrypted chunks with non-standard extensions before repackaging.
- Security research or CTF training environments where XOR encoding is intentionally exercised for educational purposes.
Other platforms for T1560.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PowerShell Single-Byte XOR Encryption of Staged Files (FIN6-style)
Expected signal: Sysmon Event ID 1: powershell.exe Process Create with CommandLine containing '-bxor', '0xAA', 'ReadAllBytes', and 'WriteAllBytes'. Sysmon Event ID 11: 3 FileCreate events for .enc files in %TEMP%\xor_out. PowerShell ScriptBlock Log Event ID 4104 capturing full encryption loop with key constant 0xAA. DeviceFileEvents: FileCreated events for each .enc output file with InitiatingProcessFileName=powershell.exe.
- Test 2Python Custom RC4 Stream Cipher Encryption (Rising Sun-style)
Expected signal: Sysmon Event ID 1: python3.exe Process Create with CommandLine containing 'rc4_encrypt', 'xorkey', and 'base64' keywords. Sysmon Event ID 11: 2 FileCreate events for .crypt files in %TEMP%\rc4_out. DeviceProcessEvents: python3.exe with ProcessCommandLine matching rc4 and xorkey patterns.
- Test 3PowerShell Byte Rotation with XOR (SPACESHIP/APT30-style)
Expected signal: Sysmon Event ID 1: powershell.exe Process Create with CommandLine containing '-bxor', '0x23', '-shl', '-shr', '-band'. Sysmon Event ID 11: FileCreate event for spaceship_test.xor in %TEMP%. PowerShell ScriptBlock Log Event ID 4104 with full rotation and XOR implementation including the 0x23 constant.
- Test 4Bulk .sft File Creation (StrongPity-style Custom Archive Output)
Expected signal: Sysmon Event ID 11: 8 FileCreate events for archive_part1.sft through archive_part8.sft all within seconds, from powershell.exe in %TEMP%\sft_staging. DeviceFileEvents: 8 FileCreated entries with .sft extension, InitiatingProcessFileName=powershell.exe. No encryption keywords appear in the command line — this test validates that the file-creation branch catches compiled implant output patterns.
References (11)
- https://attack.mitre.org/techniques/T1560/003/
- http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf
- https://www.welivesecurity.com/2019/10/10/eset-discovery-attor-spy-platform/
- https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/
- https://www.fireeye.com/blog/threat-research/2016/04/follow_the_money_dissecting_the_operations_of_the_cyber_crime_group_fin6.html
- https://documents.trendmicro.com/assets/white_papers/wp-follow-the-money-dissecting-the-operations-of-the-cyber-crime-group-fin6.pdf
- https://www.microsoft.com/en-us/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.003/T1560.003.md
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://www.sentinelone.com/labs/metador-a-look-at-a-long-running-espionage-actor/
Unlock Pro Content
Get the full detection package for T1560.003 including response playbook, investigation guide, and atomic red team tests.