T1560.003 Microsoft Sentinel · KQL

Detect Archive via Custom Method in Microsoft Sentinel

An adversary may compress or encrypt data collected prior to exfiltration using a custom method rather than standard archive utilities. Custom implementations include XOR loops with static keys, stream ciphers (RC4, ChaCha20), block ciphers (Blowfish), byte rotation schemes, and substitution ciphers — all implemented inline in malware code or scripts without referencing external libraries or system utilities. This technique allows adversaries to transform staged data in a way that evades detection rules targeting standard archivers (7-Zip, WinRAR, zip) while also obfuscating data contents during staging and exfiltration. Threat actors employing this technique include FIN6 (single-byte XOR with key 0xAA, plus Base64 with character permutation), CopyKittens (substitution cipher), and malware families including Attor (custom Blowfish+RSA), BLUELIGHT (XOR binary blob), StrongPity (repeated XOR producing .sft archive parts), Duqu (zlib+XOR), RGDoor (XOR before C2 transmission), RawPOS (XOR-encoded POS card data), and FoggyWeb (dynamic XOR key with WebP steganography).

MITRE ATT&CK

Tactic
Collection
Technique
T1560 Archive Collected Data
Sub-technique
T1560.003 Archive via Custom Method
Canonical reference
https://attack.mitre.org/techniques/T1560/003/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let XORKeywords = dynamic([
  "-bxor", "BitXor", "xorkey", "xor_key", "xorBytes", "XorEncrypt",
  "0xAA", "0x23", "bxor 0x", "xor 0x",
  "[byte[]] $key", "ByteXor", "XorFile"
]);
let CustomCryptoKeywords = dynamic([
  "blowfish", " rc4 ", "arcfour", "stream cipher",
  "substitution", "rot13", "rotl(", "rotr(",
  "custom encrypt", "xor cipher", "xor encrypt"
]);
let SuspiciousOutputExtensions = dynamic([
  ".sft", ".enc", ".crypt", ".xor", ".locked", ".rms"
]);
let KnownArchivers = dynamic([
  "7z.exe", "winrar.exe", "winzip.exe", "pkzip.exe",
  "zip.exe", "tar.exe", "gzip.exe", "bzip2.exe"
]);
// Branch 1: Scripting engines with XOR or custom crypto keywords in command line
let ScriptBasedCustomCrypto =
  DeviceProcessEvents
  | where Timestamp > ago(24h)
  | where FileName in~ ("powershell.exe", "pwsh.exe", "python.exe", "python3.exe",
                        "wscript.exe", "cscript.exe", "cmd.exe")
  | where ProcessCommandLine has_any (XORKeywords)
      or ProcessCommandLine has_any (CustomCryptoKeywords)
  | extend EncryptionType = case(
      ProcessCommandLine has_any (XORKeywords), "XOR-based",
      ProcessCommandLine has_any (CustomCryptoKeywords), "Custom-cipher",
      "Unknown"
    )
  | project Timestamp, DeviceName, AccountName,
           ProcessName = FileName,
           ProcessCommandLine,
           ParentProcess = InitiatingProcessFileName,
           ParentCommandLine = InitiatingProcessCommandLine,
           EncryptionType,
           DetectionBranch = "ScriptCustomCrypto";
// Branch 2: High-volume creation of files with custom encrypted extensions by non-standard processes
let BulkCustomExtensionCreation =
  DeviceFileEvents
  | where Timestamp > ago(24h)
  | where ActionType == "FileCreated"
  | where FileName has_any (SuspiciousOutputExtensions)
  | where not(InitiatingProcessFileName has_any (KnownArchivers))
  | where FolderPath !has ":\\Windows" and FolderPath !has ":\\Program Files"
  | summarize
      FileCount = count(),
      SampleFiles = make_set(FileName, 10),
      Folders = make_set(FolderPath, 3)
    by DeviceName,
       AccountName = InitiatingProcessAccountName,
       ProcessName = InitiatingProcessFileName,
       ProcessCommandLine = InitiatingProcessCommandLine,
       ParentProcess = InitiatingProcessParentFileName,
       ParentCommandLine = InitiatingProcessParentCommandLine,
       bin(Timestamp, 5m)
  | where FileCount >= 5
  | extend EncryptionType = strcat("BulkCustomExtension:", FileCount, " files")
  | project Timestamp, DeviceName, AccountName, ProcessName,
           ProcessCommandLine, ParentProcess, ParentCommandLine,
           EncryptionType, DetectionBranch = "BulkEncryptedFiles";
ScriptBasedCustomCrypto
| union BulkCustomExtensionCreation
| sort by Timestamp desc
high severity medium confidence

Detects T1560.003 Archive via Custom Method through two complementary branches. Branch 1 monitors scripting engines (PowerShell, Python, WScript, CScript) for command-line arguments containing XOR operations (-bxor, BitXor, xorkey, 0xAA, 0x23), custom cipher keywords (blowfish, rc4, arcfour, stream cipher), and byte manipulation patterns characteristic of inline custom encryption. Branch 2 detects high-volume creation of files with extensions associated with custom archiver output (.sft from StrongPity, .enc, .crypt, .xor, .locked) by processes other than known standard archive utilities, within a 5-minute rolling window with a threshold of 5+ files. Together these branches cover script-level implementations and compiled implant output patterns.

Data Sources

Process: Process CreationCommand: Command ExecutionFile: File CreationMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEventsDeviceFileEvents

False Positives & Tuning

  • Enterprise backup and DLP software (VeraCrypt preparation scripts, enterprise encryption agents) creating .enc or .crypt files in bulk during scheduled backup operations
  • Software developers writing and testing custom encryption libraries or XOR-based data serialization code on developer workstations — the -bxor operator has legitimate scripting uses
  • In-house data processing pipelines or ETL jobs that use custom non-standard file extensions for intermediate processing artifacts
  • Security assessment tools and penetration testing frameworks implementing XOR transforms during authorized engagements
  • Ransomware simulation tools (RanSim, SafeKit) used by security teams for testing detection coverage that produce bulk encrypted output files
Download portable Sigma rule (.yml)

Other platforms for T1560.003

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PowerShell Single-Byte XOR Encryption of Staged Files (FIN6-style)

    Expected signal: Sysmon Event ID 1: powershell.exe Process Create with CommandLine containing '-bxor', '0xAA', 'ReadAllBytes', and 'WriteAllBytes'. Sysmon Event ID 11: 3 FileCreate events for .enc files in %TEMP%\xor_out. PowerShell ScriptBlock Log Event ID 4104 capturing full encryption loop with key constant 0xAA. DeviceFileEvents: FileCreated events for each .enc output file with InitiatingProcessFileName=powershell.exe.

  2. Test 2Python Custom RC4 Stream Cipher Encryption (Rising Sun-style)

    Expected signal: Sysmon Event ID 1: python3.exe Process Create with CommandLine containing 'rc4_encrypt', 'xorkey', and 'base64' keywords. Sysmon Event ID 11: 2 FileCreate events for .crypt files in %TEMP%\rc4_out. DeviceProcessEvents: python3.exe with ProcessCommandLine matching rc4 and xorkey patterns.

  3. Test 3PowerShell Byte Rotation with XOR (SPACESHIP/APT30-style)

    Expected signal: Sysmon Event ID 1: powershell.exe Process Create with CommandLine containing '-bxor', '0x23', '-shl', '-shr', '-band'. Sysmon Event ID 11: FileCreate event for spaceship_test.xor in %TEMP%. PowerShell ScriptBlock Log Event ID 4104 with full rotation and XOR implementation including the 0x23 constant.

  4. Test 4Bulk .sft File Creation (StrongPity-style Custom Archive Output)

    Expected signal: Sysmon Event ID 11: 8 FileCreate events for archive_part1.sft through archive_part8.sft all within seconds, from powershell.exe in %TEMP%\sft_staging. DeviceFileEvents: 8 FileCreated entries with .sft extension, InitiatingProcessFileName=powershell.exe. No encryption keywords appear in the command line — this test validates that the file-creation branch catches compiled implant output patterns.

Last updated: 2026-04-14 Research depth: deep
References (11)

Unlock Pro Content

Get the full detection package for T1560.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1560Archive Collected Data

Related Sub-techniques

T1560.001Archive via UtilityT1560.002Archive via Library

Related Techniques

T1560Archive Collected DataT1560.001Archive via UtilityT1560.002Archive via LibraryT1074.001Local Data StagingT1005Data from Local SystemT1041Exfiltration Over C2 ChannelT1048Exfiltration Over Alternative ProtocolT1027Obfuscated Files or InformationT1027.013Encrypted/Encoded FileT1132.001Standard Encoding

Same Tactic: Collection

Popular Detections