T1560.003 IBM QRadar · QRadar

Detect Archive via Custom Method in IBM QRadar

An adversary may compress or encrypt data collected prior to exfiltration using a custom method rather than standard archive utilities. Custom implementations include XOR loops with static keys, stream ciphers (RC4, ChaCha20), block ciphers (Blowfish), byte rotation schemes, and substitution ciphers — all implemented inline in malware code or scripts without referencing external libraries or system utilities. This technique allows adversaries to transform staged data in a way that evades detection rules targeting standard archivers (7-Zip, WinRAR, zip) while also obfuscating data contents during staging and exfiltration. Threat actors employing this technique include FIN6 (single-byte XOR with key 0xAA, plus Base64 with character permutation), CopyKittens (substitution cipher), and malware families including Attor (custom Blowfish+RSA), BLUELIGHT (XOR binary blob), StrongPity (repeated XOR producing .sft archive parts), Duqu (zlib+XOR), RGDoor (XOR before C2 transmission), RawPOS (XOR-encoded POS card data), and FoggyWeb (dynamic XOR key with WebP steganography).

MITRE ATT&CK

Tactic
Collection
Technique
T1560 Archive Collected Data
Sub-technique
T1560.003 Archive via Custom Method
Canonical reference
https://attack.mitre.org/techniques/T1560/003/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS SourceHost,
  username AS AccountName,
  "Process Name" AS ProcessName,
  "Command" AS CommandLine,
  "Parent Process Name" AS ParentProcess,
  CASE
    WHEN LOWER("Command") LIKE '%-bxor%'
      OR LOWER("Command") LIKE '%bitxor%'
      OR LOWER("Command") LIKE '%xorkey%'
      OR LOWER("Command") LIKE '%xor_key%'
      OR LOWER("Command") LIKE '%xorbytes%'
      OR LOWER("Command") LIKE '%xorencrypt%'
      OR LOWER("Command") LIKE '%0xaa%'
      OR LOWER("Command") LIKE '%0x23%'
      OR LOWER("Command") LIKE '%bytexor%'
      OR LOWER("Command") LIKE '%xorfile%'
      THEN 'XOR-based'
    WHEN LOWER("Command") LIKE '%blowfish%'
      OR LOWER("Command") LIKE '% rc4 %'
      OR LOWER("Command") LIKE '%arcfour%'
      OR LOWER("Command") LIKE '%rot13%'
      OR LOWER("Command") LIKE '%xor cipher%'
      OR LOWER("Command") LIKE '%xor encrypt%'
      OR LOWER("Command") LIKE '%custom encrypt%'
      THEN 'Custom-cipher'
    ELSE 'SuspiciousExtension'
  END AS EncryptionType,
  CASE WHEN "EventID" = '1' THEN 'ScriptCustomCrypto' ELSE 'BulkEncryptedFiles' END AS DetectionBranch
FROM events
WHERE
  (
    LOGSOURCENAME(logsourceid) ILIKE '%sysmon%'
    OR LOGSOURCENAME(logsourceid) ILIKE '%microsoft windows%'
    OR CATEGORYNAME(category) ILIKE '%operating system%'
  )
  AND starttime > DATEADD(HOUR, -24, NOW())
  AND (
    (
      "EventID" = '1'
      AND (
        "Process Name" ILIKE '%\\powershell.exe'
        OR "Process Name" ILIKE '%\\pwsh.exe'
        OR "Process Name" ILIKE '%\\python.exe'
        OR "Process Name" ILIKE '%\\python3.exe'
        OR "Process Name" ILIKE '%\\wscript.exe'
        OR "Process Name" ILIKE '%\\cscript.exe'
        OR "Process Name" ILIKE '%\\cmd.exe'
      )
      AND (
        LOWER("Command") LIKE '%-bxor%'
        OR LOWER("Command") LIKE '%bitxor%'
        OR LOWER("Command") LIKE '%xorkey%'
        OR LOWER("Command") LIKE '%xor_key%'
        OR LOWER("Command") LIKE '%xorbytes%'
        OR LOWER("Command") LIKE '%xorencrypt%'
        OR LOWER("Command") LIKE '%0xaa%'
        OR LOWER("Command") LIKE '%0x23%'
        OR LOWER("Command") LIKE '%bxor 0x%'
        OR LOWER("Command") LIKE '%bytexor%'
        OR LOWER("Command") LIKE '%xorfile%'
        OR LOWER("Command") LIKE '%blowfish%'
        OR LOWER("Command") LIKE '% rc4 %'
        OR LOWER("Command") LIKE '%arcfour%'
        OR LOWER("Command") LIKE '%rot13%'
        OR LOWER("Command") LIKE '%rotl(%'
        OR LOWER("Command") LIKE '%rotr(%'
        OR LOWER("Command") LIKE '%xor cipher%'
        OR LOWER("Command") LIKE '%xor encrypt%'
        OR LOWER("Command") LIKE '%custom encrypt%'
        OR LOWER("Command") LIKE '%stream cipher%'
      )
    )
    OR (
      "EventID" = '11'
      AND (
        LOWER("Target Filename") LIKE '%.sft'
        OR LOWER("Target Filename") LIKE '%.enc'
        OR LOWER("Target Filename") LIKE '%.crypt'
        OR LOWER("Target Filename") LIKE '%.xor'
        OR LOWER("Target Filename") LIKE '%.locked'
        OR LOWER("Target Filename") LIKE '%.rms'
      )
      AND NOT (
        "Process Name" ILIKE '%7z.exe'
        OR "Process Name" ILIKE '%winrar.exe'
        OR "Process Name" ILIKE '%winzip.exe'
        OR "Process Name" ILIKE '%pkzip.exe'
        OR "Process Name" ILIKE '%zip.exe'
        OR "Process Name" ILIKE '%tar.exe'
        OR "Process Name" ILIKE '%gzip.exe'
        OR "Process Name" ILIKE '%bzip2.exe'
      )
      AND NOT (
        LOWER("Target Filename") LIKE '%\\windows\\%'
        OR LOWER("Target Filename") LIKE '%\\program files\\%'
      )
    )
  )
ORDER BY starttime DESC
high severity medium confidence

QRadar AQL rule detecting T1560.003 Archive via Custom Method. Branch 1 (ScriptCustomCrypto) matches Sysmon EventID 1 (Process Create) for scripting host binaries whose command line contains XOR-operator keywords (-bxor, BitXor, 0xAA, ByteXor), named cipher identifiers (Blowfish, RC4, arcfour, ROT13), or cipher phrases (xor cipher, xor encrypt, custom encrypt). Branch 2 (BulkEncryptedFiles) matches Sysmon EventID 11 (File Create) for files written with adversarial archive extensions (.sft, .enc, .crypt, .xor, .locked, .rms) by non-archiver processes outside Windows system paths. Field names ("Process Name", "Command", "Target Filename") reflect standard QRadar Sysmon DSM mappings; adjust to your environment's custom properties if remapped.

Data Sources

QRadar Sysmon DSM (Microsoft Windows Sysmon log source type)QRadar WinCollect agent forwarding Sysmon Operational channelMicrosoft Windows Security Event Log DSM (for EventID 4688 fallback)

Required Tables

events

False Positives & Tuning

  • Legitimate PowerShell automation that uses -bxor for permission bitmask calculations against Active Directory attributes or Windows ACL flags.
  • Authorized Python data pipelines or ETL jobs referencing 'rc4' or 'arcfour' in string literals, comments, or algorithm-selection variables even without executing crypto operations.
  • Endpoint security products or DLP agents writing encrypted staging files with .enc or .crypt extensions as part of their own quarantine or scanning workflows.
  • Developer workstations running unit tests for cryptographic libraries where the test command line references cipher names directly.
  • Custom backup scripts (e.g., Restic, Borg wrappers) producing non-standard extension output files outside standard archiver paths.
Download portable Sigma rule (.yml)

Other platforms for T1560.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PowerShell Single-Byte XOR Encryption of Staged Files (FIN6-style)

    Expected signal: Sysmon Event ID 1: powershell.exe Process Create with CommandLine containing '-bxor', '0xAA', 'ReadAllBytes', and 'WriteAllBytes'. Sysmon Event ID 11: 3 FileCreate events for .enc files in %TEMP%\xor_out. PowerShell ScriptBlock Log Event ID 4104 capturing full encryption loop with key constant 0xAA. DeviceFileEvents: FileCreated events for each .enc output file with InitiatingProcessFileName=powershell.exe.

  2. Test 2Python Custom RC4 Stream Cipher Encryption (Rising Sun-style)

    Expected signal: Sysmon Event ID 1: python3.exe Process Create with CommandLine containing 'rc4_encrypt', 'xorkey', and 'base64' keywords. Sysmon Event ID 11: 2 FileCreate events for .crypt files in %TEMP%\rc4_out. DeviceProcessEvents: python3.exe with ProcessCommandLine matching rc4 and xorkey patterns.

  3. Test 3PowerShell Byte Rotation with XOR (SPACESHIP/APT30-style)

    Expected signal: Sysmon Event ID 1: powershell.exe Process Create with CommandLine containing '-bxor', '0x23', '-shl', '-shr', '-band'. Sysmon Event ID 11: FileCreate event for spaceship_test.xor in %TEMP%. PowerShell ScriptBlock Log Event ID 4104 with full rotation and XOR implementation including the 0x23 constant.

  4. Test 4Bulk .sft File Creation (StrongPity-style Custom Archive Output)

    Expected signal: Sysmon Event ID 11: 8 FileCreate events for archive_part1.sft through archive_part8.sft all within seconds, from powershell.exe in %TEMP%\sft_staging. DeviceFileEvents: 8 FileCreated entries with .sft extension, InitiatingProcessFileName=powershell.exe. No encryption keywords appear in the command line — this test validates that the file-creation branch catches compiled implant output patterns.

Last updated: 2026-04-14 Research depth: deep
References (11)

Unlock Pro Content

Get the full detection package for T1560.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1560Archive Collected Data

Related Sub-techniques

T1560.001Archive via UtilityT1560.002Archive via Library

Related Techniques

T1560Archive Collected DataT1560.001Archive via UtilityT1560.002Archive via LibraryT1074.001Local Data StagingT1005Data from Local SystemT1041Exfiltration Over C2 ChannelT1048Exfiltration Over Alternative ProtocolT1027Obfuscated Files or InformationT1027.013Encrypted/Encoded FileT1132.001Standard Encoding

Same Tactic: Collection

Popular Detections