T1560.003 CrowdStrike LogScale · LogScale

Detect Archive via Custom Method in CrowdStrike LogScale

An adversary may compress or encrypt data collected prior to exfiltration using a custom method rather than standard archive utilities. Custom implementations include XOR loops with static keys, stream ciphers (RC4, ChaCha20), block ciphers (Blowfish), byte rotation schemes, and substitution ciphers — all implemented inline in malware code or scripts without referencing external libraries or system utilities. This technique allows adversaries to transform staged data in a way that evades detection rules targeting standard archivers (7-Zip, WinRAR, zip) while also obfuscating data contents during staging and exfiltration. Threat actors employing this technique include FIN6 (single-byte XOR with key 0xAA, plus Base64 with character permutation), CopyKittens (substitution cipher), and malware families including Attor (custom Blowfish+RSA), BLUELIGHT (XOR binary blob), StrongPity (repeated XOR producing .sft archive parts), Duqu (zlib+XOR), RGDoor (XOR before C2 transmission), RawPOS (XOR-encoded POS card data), and FoggyWeb (dynamic XOR key with WebP steganography).

MITRE ATT&CK

Tactic: Collection
Technique: T1560 Archive Collected Data
Sub-technique: T1560.003 Archive via Custom Method
Canonical reference: https://attack.mitre.org/techniques/T1560/003/

LogScale Detection Query

// Branch 1: scripting hosts with XOR or custom-cipher tokens in the command line
union(
  {
    #event_simpleName = /^(ProcessRollup2|SyntheticProcessRollup2)$/
    | regex("(?i)(powershell|pwsh|python3?|wscript|cscript|cmd)\\.exe$", field=ImageFileName)
    | regex("(?i)(-bxor|bitxor|xorkey|xor_key|xorbytes|xorencrypt|0xaa|0x23|bxor\\s+0x|bytexor|xorfile|blowfish|\\brc4\\b|arcfour|stream\\s+cipher|substitution|rot13|rotl\\(|rotr\\(|custom\\s+encrypt|xor\\s+cipher|xor\\s+encrypt)", field=CommandLine)
    // case{} branches are pipelines; the first branch whose filter matches wins
    | case {
        regex("(?i)(-bxor|bitxor|xorkey|xor_key|xorbytes|xorencrypt|0xaa|0x23|bxor\\s+0x|bytexor|xorfile)", field=CommandLine) | EncryptionType := "XOR-based";
        regex("(?i)(blowfish|\\brc4\\b|arcfour|stream\\s+cipher|substitution|rot13|rotl\\(|rotr\\(|custom\\s+encrypt|xor\\s+cipher|xor\\s+encrypt)", field=CommandLine) | EncryptionType := "Custom-cipher";
        * | EncryptionType := "Unknown"
      }
    | DetectionBranch := "ScriptCustomCrypto"
    | table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, EncryptionType, DetectionBranch])
  },
  {
    // Branch 2: bulk creation of files with suspicious encrypted extensions
    #event_simpleName = "ClosedFileWritten"
    | regex("(?i)\\.(sft|enc|crypt|xor|locked|rms)$", field=TargetFileName)
    | not regex("(?i)(\\\\Windows\\\\|\\\\Program\\s+Files\\\\)", field=TargetFileName)
    // ClosedFileWritten names the writer only by ContextProcessId; pull the process
    // attributes from the ProcessRollup2 with the same aid and TargetProcessId
    | join({#event_simpleName = /^(ProcessRollup2|SyntheticProcessRollup2)$/},
           field=[aid, ContextProcessId], key=[aid, TargetProcessId],
           include=[ImageFileName, CommandLine, ParentBaseFileName, UserName])
    | not regex("(?i)(7z|winrar|winzip|pkzip|zip|tar|gzip|bzip2)\\.exe$", field=ImageFileName)
    | groupBy(
        [ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName],
        function=[
          count(as=FileCount),
          collect([TargetFileName], limit=10),
          min(timestamp, as=FirstSeen),
          max(timestamp, as=LastSeen)
        ],
        limit=max
      )
    | rename(field=TargetFileName, as=SampleFiles)
    | FileCount >= 5
    | DetectionBranch := "BulkEncryptedFiles"
    | format("BulkCustomExtension:%d files", field=[FileCount], as=EncryptionType)
    // carry a timestamp so the union-wide sort below orders this branch too
    | timestamp := LastSeen
    | table([timestamp, FirstSeen, LastSeen, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, FileCount, SampleFiles, DetectionBranch, EncryptionType])
  }
)
| sort(timestamp, order=desc, limit=200)
Severity: high. Confidence: medium.

CrowdStrike Falcon LogScale (formerly Humio) query for T1560.003 Archive via Custom Method, built as a union of two detection branches. Branch 1 reads ProcessRollup2 and SyntheticProcessRollup2 events for scripting hosts (powershell, pwsh, python, wscript, cscript, cmd) whose CommandLine carries XOR-operator tokens or named cipher identifiers, and labels each match XOR-based or Custom-cipher (XOR tokens take precedence when both appear). Branch 2 reads ClosedFileWritten events for files with extensions seen in custom archive output (.sft, .enc, .crypt, .xor, .locked, .rms) written outside \Windows\ and \Program Files\, attributes each write to its process, groups by host, user and process within the query window, and fires when a single non-archiver process writes five or more such files. Note that ClosedFileWritten identifies the writer only by ContextProcessId; ImageFileName, CommandLine and ParentBaseFileName have to be joined in from the ProcessRollup2 event with the same aid and TargetProcessId before the archiver exclusion and the grouping can use them. The union merges both streams into one result sorted newest first. Bare hex constants such as 0x23 and 0xAA are weak tokens on their own and are the first thing to drop if Branch 1 is noisy. Requires the Falcon sensor to be running normally (not in Reduced Functionality Mode) and, for Branch 2, file write telemetry enabled.
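
The two branches of the query, re-implemented in Python and run over constructed FDR-style events so the classification and the bulk threshold can be checked offline. This is an added example, not CrowdStrike code and not the page's query; the events, host names, paths and process IDs are made up, and the field names (aid, TargetProcessId, ContextProcessId, TargetFileName and so on) are the Falcon ones the query relies on. It also models the ProcessRollup2 lookup that attributes each ClosedFileWritten to its writing process, which in LogScale is a join() against TargetProcessId.

```python
import re
from collections import defaultdict

# Patterns mirror the two branches of the LogScale query. Python requires the
# (?i) flag at the very start of each pattern.
SCRIPT_HOSTS = re.compile(r"(?i)(powershell|pwsh|python3?|wscript|cscript|cmd)\.exe$")
XOR_TOKENS = re.compile(r"(?i)(-bxor|bitxor|xorkey|xor_key|xorbytes|xorencrypt|0xaa|0x23|bxor\s+0x|bytexor|xorfile)")
CIPHER_TOKENS = re.compile(r"(?i)(blowfish|\brc4\b|arcfour|stream\s+cipher|substitution|rot13|rotl\(|rotr\(|custom\s+encrypt|xor\s+cipher|xor\s+encrypt)")
CUSTOM_EXT = re.compile(r"(?i)\.(sft|enc|crypt|xor|locked|rms)$")
ARCHIVERS = re.compile(r"(?i)(7z|winrar|winzip|pkzip|zip|tar|gzip|bzip2)\.exe$")
SYSTEM_DIRS = re.compile(r"(?i)(\\Windows\\|\\Program\s+Files\\)")
PROCESS_EVENTS = ("ProcessRollup2", "SyntheticProcessRollup2")
BULK_THRESHOLD = 5


def _proc(aid, pid, image, cmd, parent, user, host, ts):
    return {"event_simpleName": "ProcessRollup2", "aid": aid, "TargetProcessId": pid,
            "ImageFileName": image, "CommandLine": cmd, "ParentBaseFileName": parent,
            "UserName": user, "ComputerName": host, "timestamp": ts}


def _write(aid, pid, path, host, ts):
    return {"event_simpleName": "ClosedFileWritten", "aid": aid, "ContextProcessId": pid,
            "TargetFileName": path, "ComputerName": host, "timestamp": ts}


PS = r"\Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TEMP = r"C:\Users\bob\AppData\Local\Temp"
# Constructed events (not real telemetry): two script hosts with crypto tokens on
# host A, a StrongPity-style .sft burst on host B, plus three cases that must not
# fire: an archiver writing .enc, writes under \Windows\, and a burst below threshold.
SAMPLE_EVENTS = [
    _proc("a1", 1001, PS, r'powershell.exe -ep bypass -c "$k=0xAA; $o=[IO.File]::ReadAllBytes($f) | % {$_ -bxor $k}"',
          "cmd.exe", "bob", "WS-A", 1_700_000_000_000),
    _proc("a1", 1002, r"\Device\HarddiskVolume3\Python311\python3.exe",
          "python3.exe stage.py --cipher rc4 --out staged.bin", "explorer.exe", "bob", "WS-A", 1_700_000_001_000),
    _proc("a1", 1003, r"\Device\HarddiskVolume3\Program Files\7-Zip\7z.exe", "7z.exe a -p backup.7z",
          "cmd.exe", "bob", "WS-A", 1_700_000_002_000),
    _proc("b2", 2001, PS, "powershell.exe -File collect.ps1", "implant.exe", "alice", "WS-B", 1_700_000_010_000),
    _proc("b2", 2002, r"\Device\HarddiskVolume3\Windows\System32\svchost.exe", "svchost.exe -k netsvcs",
          "services.exe", "SYSTEM", "WS-B", 1_700_000_010_500),
    _proc("b2", 2003, r"\Device\HarddiskVolume3\Users\alice\tool.exe", "tool.exe", "explorer.exe", "alice", "WS-B", 1_700_000_011_000),
]
SAMPLE_EVENTS += [_write("a1", 1003, rf"{TEMP}\bk_{n}.enc", "WS-A", 1_700_000_003_000 + n) for n in range(6)]
SAMPLE_EVENTS += [_write("b2", 2001, rf"{TEMP}\sft_staging\archive_part{n}.sft", "WS-B", 1_700_000_012_000 + n) for n in range(1, 9)]
SAMPLE_EVENTS += [_write("b2", 2002, rf"C:\Windows\Temp\svc_{n}.enc", "WS-B", 1_700_000_013_000 + n) for n in range(6)]
SAMPLE_EVENTS += [_write("b2", 2003, rf"{TEMP}\x_{n}.crypt", "WS-B", 1_700_000_014_000 + n) for n in range(2)]


def branch1_script_crypto(events):
    """Branch 1: a script host whose command line carries XOR or named-cipher tokens."""
    hits = []
    for e in events:
        if e["event_simpleName"] not in PROCESS_EVENTS or not SCRIPT_HOSTS.search(e["ImageFileName"]):
            continue
        cmd = e["CommandLine"]
        if XOR_TOKENS.search(cmd):
            kind = "XOR-based"            # case{} order: XOR tokens win over cipher names
        elif CIPHER_TOKENS.search(cmd):
            kind = "Custom-cipher"
        else:
            continue                      # the query's first CommandLine regex would not match
        hits.append({**e, "EncryptionType": kind, "DetectionBranch": "ScriptCustomCrypto"})
    return hits


def branch2_bulk_files(events, threshold=BULK_THRESHOLD):
    """Branch 2: >= threshold custom-extension files written by one non-archiver
    process outside system directories. The writer is resolved through the
    ProcessRollup2 with the same (aid, TargetProcessId) as the ContextProcessId."""
    procs = {(e["aid"], e["TargetProcessId"]): e for e in events if e["event_simpleName"] in PROCESS_EVENTS}
    groups = defaultdict(list)
    for e in events:
        if e["event_simpleName"] != "ClosedFileWritten":
            continue
        path = e["TargetFileName"]
        if not CUSTOM_EXT.search(path) or SYSTEM_DIRS.search(path):
            continue
        p = procs.get((e["aid"], e["ContextProcessId"]))
        if p is None or ARCHIVERS.search(p["ImageFileName"]):
            continue
        groups[(e["ComputerName"], p["UserName"], p["ImageFileName"], p["CommandLine"], p["ParentBaseFileName"])].append(e)
    alerts = []
    for (host, user, image, cmd, parent), writes in groups.items():
        if len(writes) < threshold:
            continue
        stamps = [w["timestamp"] for w in writes]
        alerts.append({"ComputerName": host, "UserName": user, "ImageFileName": image, "CommandLine": cmd,
                       "ParentBaseFileName": parent, "FileCount": len(writes),
                       "SampleFiles": [w["TargetFileName"] for w in writes[:10]],
                       "FirstSeen": min(stamps), "LastSeen": max(stamps), "timestamp": max(stamps),
                       "DetectionBranch": "BulkEncryptedFiles",
                       "EncryptionType": f"BulkCustomExtension:{len(writes)} files"})
    return alerts


def run_detection(events, limit=200):
    """The union of both branches, newest first, as the query's final sort does."""
    rows = branch1_script_crypto(events) + branch2_bulk_files(events)
    return sorted(rows, key=lambda r: r["timestamp"], reverse=True)[:limit]


if __name__ == "__main__":
    for r in run_detection(SAMPLE_EVENTS):
        print(r["DetectionBranch"], r["ComputerName"], r["EncryptionType"], r["ImageFileName"].rsplit("\\", 1)[-1])
```

Running it yields three rows: the eight-file .sft burst on WS-B from Branch 2, then the python3.exe (Custom-cipher) and powershell.exe (XOR-based) hits from Branch 1. The 7z.exe writes, the svchost.exe writes under C:\Windows\Temp and the two-file .crypt burst are all suppressed, which is the behaviour to re-verify after any change to the exclusion regexes or the threshold.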

Data Sources

  • CrowdStrike Falcon Sensor (ProcessRollup2 process telemetry)
  • CrowdStrike Falcon Sensor with enhanced file write telemetry (ClosedFileWritten events; requires the File Write monitoring policy to be enabled)
  • CrowdStrike Falcon Data Replicator (FDR) streaming to LogScale

Required Tables

  • ProcessRollup2
  • SyntheticProcessRollup2
  • ClosedFileWritten

False Positives & Tuning

  • Legitimate PowerShell scripts that use -bxor to toggle flag bits (e.g., flipping SE_PRIVILEGE_ENABLED in a privilege attribute mask), which share the same operator token as malicious XOR-based encryption.
  • Python automation scripts that import RC4 or Blowfish by name for algorithm selection benchmarks or compatibility-layer testing even when the cipher is not invoked for data transformation.
  • Enterprise endpoint encryption or DLP solutions writing protected file copies with .enc extensions in bulk during scheduled scans or quarantine operations, triggering the file-count threshold.
  • Custom build pipelines or release automation tools that compile and package multiple output artifacts with non-standard extensions into staging directories not under Windows or Program Files.
  • Forensic or incident-response tooling (e.g., Velociraptor, KAPE output stages) writing encrypted evidence containers with custom extensions during artifact collection from an authorized investigation.
Testing Methodology

Validate this detection against the four adversary techniques below, modelled on Atomic Red Team tests. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: PowerShell Single-Byte XOR Encryption of Staged Files (FIN6-style)

    Expected signal: Sysmon Event ID 1: powershell.exe Process Create with CommandLine containing '-bxor', '0xAA', 'ReadAllBytes', and 'WriteAllBytes'. Sysmon Event ID 11: 3 FileCreate events for .enc files in %TEMP%\xor_out. PowerShell ScriptBlock Log Event ID 4104 capturing full encryption loop with key constant 0xAA. DeviceFileEvents: FileCreated events for each .enc output file with InitiatingProcessFileName=powershell.exe.

  2. Test 2: Python Custom RC4 Stream Cipher Encryption (Rising Sun-style)

    Expected signal: Sysmon Event ID 1: python3.exe Process Create with CommandLine containing 'rc4_encrypt', 'xorkey', and 'base64' keywords. Sysmon Event ID 11: 2 FileCreate events for .crypt files in %TEMP%\rc4_out. DeviceProcessEvents: python3.exe with ProcessCommandLine matching rc4 and xorkey patterns.

  3. Test 3: PowerShell Byte Rotation with XOR (SPACESHIP/APT30-style)

    Expected signal: Sysmon Event ID 1: powershell.exe Process Create with CommandLine containing '-bxor', '0x23', '-shl', '-shr', '-band'. Sysmon Event ID 11: FileCreate event for spaceship_test.xor in %TEMP%. PowerShell ScriptBlock Log Event ID 4104 with full rotation and XOR implementation including the 0x23 constant.

  4. Test 4: Bulk .sft File Creation (StrongPity-style Custom Archive Output)

    Expected signal: Sysmon Event ID 11: 8 FileCreate events for archive_part1.sft through archive_part8.sft all within seconds, from powershell.exe in %TEMP%\sft_staging. DeviceFileEvents: 8 FileCreated entries with .sft extension, InitiatingProcessFileName=powershell.exe. No encryption keywords appear in the command line — this test validates that the file-creation branch catches compiled implant output patterns.
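
A benign generator for the behaviour in Test 2 (textbook RC4 plus a single-byte XOR pass, run from a Python interpreter, Base64-wrapped .crypt output), added here as an example; it is not one of the Atomic Red Team tests the page refers to and not code from any of the malware families named above. The RC4 routine is checked against the standard published test vectors, the staged input files are constructed in a temporary directory, and the script name rc4_stage.py, the option names and the rc4_out output directory are assumptions of this example.

```python
import argparse
import base64
import os
import sys
import tempfile
from pathlib import Path


def rc4_keystream(key: bytes):
    """Textbook RC4: key-scheduling algorithm, then the PRGA as a generator."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4_encrypt(data: bytes, key: bytes) -> bytes:
    # RC4 is symmetric: the same call decrypts.
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def xorkey(data: bytes, key: int) -> bytes:
    # Single-byte XOR pass layered over the RC4 output (the 'xorkey' token the test expects).
    return bytes(b ^ key for b in data)


def encrypt_blob(data: bytes, key: bytes, xor_byte: int) -> bytes:
    return base64.b64encode(xorkey(rc4_encrypt(data, key), xor_byte))


def decrypt_blob(blob: bytes, key: bytes, xor_byte: int) -> bytes:
    # Reverse of encrypt_blob; handy when triaging a recovered .crypt file.
    return rc4_encrypt(xorkey(base64.b64decode(blob), xor_byte), key)


def encrypt_staged(src_dir: Path, out_dir: Path, key: bytes, xor_byte: int) -> list:
    """Transform every staged file into <name>.crypt; each write is one ClosedFileWritten."""
    out_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for f in sorted(p for p in src_dir.iterdir() if p.is_file()):
        target = out_dir / (f.name + ".crypt")
        target.write_bytes(encrypt_blob(f.read_bytes(), key, xor_byte))
        written.append(target)
    return written


def main(argv=None) -> int:
    ap = argparse.ArgumentParser(description="benign T1560.003 custom-cipher test generator (constructed example)")
    ap.add_argument("--rc4-key", default="Secret", help="RC4 key; the 'rc4' token lands in the command line")
    ap.add_argument("--xorkey", type=lambda s: int(s, 0), default=0xAA, help="single-byte XOR key, e.g. 0xAA")
    ap.add_argument("--out", default=os.path.join(tempfile.gettempdir(), "rc4_out"), help="assumed output directory")
    ap.add_argument("--count", type=int, default=2, help="number of staged files to create")
    ap.add_argument("--cleanup", action="store_true", help="remove the .crypt output and exit")
    args = ap.parse_args(argv)
    out = Path(args.out)
    if args.cleanup:
        for p in out.glob("*.crypt"):
            p.unlink()
        if out.exists() and not any(out.iterdir()):
            out.rmdir()
        return 0
    # Constructed staged input; nothing here is real collected data.
    src = Path(tempfile.mkdtemp(prefix="staged_"))
    for n in range(args.count):
        (src / f"collected_{n}.txt").write_text(f"constructed staged record {n}\n")
    for target in encrypt_staged(src, out, args.rc4_key.encode(), args.xorkey):
        print(target)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `python3 rc4_stage.py --rc4-key Secret --xorkey 0xAA` so that the recorded command line carries the rc4 (word-bounded) and xorkey tokens Branch 1 keys on; on Windows the host is python.exe, which the query's python3? pattern also covers. The default --count 2 reproduces Test 2's two .crypt writes, which is below Branch 2's threshold of five, so use --count 5 or more to exercise that branch, and --cleanup to remove the output afterwards.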
