Detect Archive via Custom Method in Splunk
An adversary may compress or encrypt data collected prior to exfiltration using a custom method rather than standard archive utilities. Custom implementations include XOR loops with static keys, stream ciphers (RC4, ChaCha20), block ciphers (Blowfish), byte rotation schemes, and substitution ciphers — all implemented inline in malware code or scripts without referencing external libraries or system utilities. This technique allows adversaries to transform staged data in a way that evades detection rules targeting standard archivers (7-Zip, WinRAR, zip) while also obfuscating data contents during staging and exfiltration. Threat actors employing this technique include FIN6 (single-byte XOR with key 0xAA, plus Base64 with character permutation), CopyKittens (substitution cipher), and malware families including Attor (custom Blowfish+RSA), BLUELIGHT (XOR binary blob), StrongPity (repeated XOR producing .sft archive parts), Duqu (zlib+XOR), RGDoor (XOR before C2 transmission), RawPOS (XOR-encoded POS card data), and FoggyWeb (dynamic XOR key with WebP steganography).
MITRE ATT&CK
- Tactic
- Collection
- Technique
- T1560 Archive Collected Data
- Sub-technique
- T1560.003 Archive via Custom Method
- Canonical reference
- https://attack.mitre.org/techniques/T1560/003/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\python.exe" OR Image="*\\python3.exe" OR Image="*\\wscript.exe" OR Image="*\\cscript.exe")
| eval CommandLineLower=lower(CommandLine)
| eval XORPattern=if(match(CommandLineLower, "(-bxor|bitxor|xorkey|xor_key|xorbytes|xorencrypt|0xaa|0x23|bxor 0x|bytearray)"), 1, 0)
| eval CustomCrypto=if(match(CommandLineLower, "(\\brc4\\b|arcfour|blowfish|stream.cipher|substitution|rot13|rotl\\(|rotr\\(|custom.encrypt|xor.cipher|xor.encrypt)"), 1, 0)
| eval SuspicionScore=XORPattern + CustomCrypto
| where SuspicionScore > 0
| eval DetectionBranch="ScriptCustomCrypto"
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, XORPattern, CustomCrypto, SuspicionScore, DetectionBranch
| append [
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
(TargetFilename="*.sft" OR TargetFilename="*.enc" OR TargetFilename="*.crypt" OR TargetFilename="*.xor" OR TargetFilename="*.locked" OR TargetFilename="*.rms")
NOT (Image="*\\7z.exe" OR Image="*\\winrar.exe" OR Image="*\\winzip.exe" OR Image="*\\zip.exe" OR Image="*\\tar.exe" OR Image="*\\gzip.exe")
NOT (TargetFilename="*\\Windows\\*" OR TargetFilename="*\\Program Files\\*")
| bin _time span=5m
| stats count as FileCount, values(TargetFilename) as SampleFiles, values(Image) as Images, first(User) as User by host, Image, CommandLine, _time
| where FileCount >= 5
| eval DetectionBranch="BulkEncryptedFiles", SuspicionScore=2, XORPattern=0, CustomCrypto=0
| eval ParentImage="unknown", ParentCommandLine="unknown"
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, XORPattern, CustomCrypto, SuspicionScore, DetectionBranch
]
| sort - _timeDetects T1560.003 Archive via Custom Method through two Sysmon-based branches combined via append. Branch 1 searches EventCode=1 (Process Creation) for scripting engines (PowerShell, Python, WScript, CScript) with XOR operator keywords (-bxor, bitxor, xorkey, 0xAA, 0x23) or custom cipher keywords (rc4, blowfish, arcfour, stream cipher) in the command line, assigning a suspicion score for prioritization. Branch 2 searches EventCode=11 (File Creation) for files with custom encrypted extensions (.sft, .enc, .crypt, .xor, .locked, .rms) created by non-archiver processes, alerting when 5+ such files appear within a 5-minute window.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Enterprise backup and encryption software creating .enc or .crypt files in bulk during scheduled backup operations — exclude by process name and scheduled time window
- Software developers writing and testing custom encryption libraries with XOR or RC4 implementations on developer workstations
- Custom in-house archival solutions using non-standard file extensions as part of their designed workflow
- Security tools and authorized red team frameworks creating files with custom extensions during penetration testing engagements
- Ransomware simulation tools (RanSim, SafeKit) used by security teams for validating detection coverage
Other platforms for T1560.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PowerShell Single-Byte XOR Encryption of Staged Files (FIN6-style)
Expected signal: Sysmon Event ID 1: powershell.exe Process Create with CommandLine containing '-bxor', '0xAA', 'ReadAllBytes', and 'WriteAllBytes'. Sysmon Event ID 11: 3 FileCreate events for .enc files in %TEMP%\xor_out. PowerShell ScriptBlock Log Event ID 4104 capturing full encryption loop with key constant 0xAA. DeviceFileEvents: FileCreated events for each .enc output file with InitiatingProcessFileName=powershell.exe.
- Test 2Python Custom RC4 Stream Cipher Encryption (Rising Sun-style)
Expected signal: Sysmon Event ID 1: python3.exe Process Create with CommandLine containing 'rc4_encrypt', 'xorkey', and 'base64' keywords. Sysmon Event ID 11: 2 FileCreate events for .crypt files in %TEMP%\rc4_out. DeviceProcessEvents: python3.exe with ProcessCommandLine matching rc4 and xorkey patterns.
- Test 3PowerShell Byte Rotation with XOR (SPACESHIP/APT30-style)
Expected signal: Sysmon Event ID 1: powershell.exe Process Create with CommandLine containing '-bxor', '0x23', '-shl', '-shr', '-band'. Sysmon Event ID 11: FileCreate event for spaceship_test.xor in %TEMP%. PowerShell ScriptBlock Log Event ID 4104 with full rotation and XOR implementation including the 0x23 constant.
- Test 4Bulk .sft File Creation (StrongPity-style Custom Archive Output)
Expected signal: Sysmon Event ID 11: 8 FileCreate events for archive_part1.sft through archive_part8.sft all within seconds, from powershell.exe in %TEMP%\sft_staging. DeviceFileEvents: 8 FileCreated entries with .sft extension, InitiatingProcessFileName=powershell.exe. No encryption keywords appear in the command line — this test validates that the file-creation branch catches compiled implant output patterns.
References (11)
- https://attack.mitre.org/techniques/T1560/003/
- http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf
- https://www.welivesecurity.com/2019/10/10/eset-discovery-attor-spy-platform/
- https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/
- https://www.fireeye.com/blog/threat-research/2016/04/follow_the_money_dissecting_the_operations_of_the_cyber_crime_group_fin6.html
- https://documents.trendmicro.com/assets/white_papers/wp-follow-the-money-dissecting-the-operations-of-the-cyber-crime-group-fin6.pdf
- https://www.microsoft.com/en-us/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.003/T1560.003.md
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://www.sentinelone.com/labs/metador-a-look-at-a-long-running-espionage-actor/
Unlock Pro Content
Get the full detection package for T1560.003 including response playbook, investigation guide, and atomic red team tests.