Detect Archive via Custom Method in Sumo Logic CSE
An adversary may compress or encrypt data collected prior to exfiltration using a custom method rather than standard archive utilities. Custom implementations include XOR loops with static keys, stream ciphers (RC4, ChaCha20), block ciphers (Blowfish), byte rotation schemes, and substitution ciphers — all implemented inline in malware code or scripts without referencing external libraries or system utilities. This technique allows adversaries to transform staged data in a way that evades detection rules targeting standard archivers (7-Zip, WinRAR, zip) while also obfuscating data contents during staging and exfiltration. Threat actors employing this technique include FIN6 (single-byte XOR with key 0xAA, plus Base64 with character permutation), CopyKittens (substitution cipher), and malware families including Attor (custom Blowfish+RSA), BLUELIGHT (XOR binary blob), StrongPity (repeated XOR producing .sft archive parts), Duqu (zlib+XOR), RGDoor (XOR before C2 transmission), RawPOS (XOR-encoded POS card data), and FoggyWeb (dynamic XOR key with WebP steganography).
MITRE ATT&CK
- Tactic: Collection
- Technique: T1560 Archive Collected Data
- Sub-technique: T1560.003 Archive via Custom Method
- Canonical reference: https://attack.mitre.org/techniques/T1560/003/
Sumo Detection Query
(_sourceCategory="*sysmon*" OR _sourceCategory="OS/Windows" OR _sourceCategory="windows/sysmon")
| parse regex "<EventID>(?<EventCode>\\d+)<\/EventID>" nodrop
| parse regex "Name='CommandLine'>(?<CommandLine>[^<]+)" nodrop
| parse regex "Name='Image'>(?<ProcessImage>[^<]+)" nodrop
| parse regex "Name='ParentCommandLine'>(?<ParentCommandLine>[^<]+)" nodrop
| parse regex "Name='TargetFilename'>(?<TargetFilename>[^<]+)" nodrop
| parse regex "Name='User'>(?<User>[^<]+)" nodrop
| parse regex "Name='ParentImage'>(?<ParentImage>[^<]+)" nodrop
| where EventCode = "1" OR EventCode = "11"
| eval CmdLow = toLowerCase(CommandLine)
| eval XORMatch = if (
CmdLow matches "*-bxor*" OR CmdLow matches "*bitxor*" OR CmdLow matches "*xorkey*"
OR CmdLow matches "*xor_key*" OR CmdLow matches "*xorbytes*" OR CmdLow matches "*xorencrypt*"
OR CmdLow matches "*0xaa*" OR CmdLow matches "*0x23*" OR CmdLow matches "*bxor 0x*"
OR CmdLow matches "*bytexor*" OR CmdLow matches "*xorfile*",
1, 0
)
| eval CryptoMatch = if (
CmdLow matches "*blowfish*" OR CmdLow matches "* rc4 *" OR CmdLow matches "*arcfour*"
OR CmdLow matches "*rot13*" OR CmdLow matches "*rotl(*" OR CmdLow matches "*rotr(*"
OR CmdLow matches "*xor cipher*" OR CmdLow matches "*xor encrypt*"
OR CmdLow matches "*custom encrypt*" OR CmdLow matches "*stream cipher*",
1, 0
)
| eval IsScriptBranch = if (
EventCode = "1"
AND (XORMatch = 1 OR CryptoMatch = 1)
AND (
ProcessImage matches "*\\powershell.exe" OR ProcessImage matches "*\\pwsh.exe"
OR ProcessImage matches "*\\python.exe" OR ProcessImage matches "*\\python3.exe"
OR ProcessImage matches "*\\wscript.exe" OR ProcessImage matches "*\\cscript.exe"
OR ProcessImage matches "*\\cmd.exe"
),
1, 0
)
| eval IsFileBranch = if (
EventCode = "11"
AND (
TargetFilename matches "*.sft" OR TargetFilename matches "*.enc"
OR TargetFilename matches "*.crypt" OR TargetFilename matches "*.xor"
OR TargetFilename matches "*.locked" OR TargetFilename matches "*.rms"
)
AND NOT (
ProcessImage matches "*\\7z.exe" OR ProcessImage matches "*\\winrar.exe"
OR ProcessImage matches "*\\winzip.exe" OR ProcessImage matches "*\\zip.exe"
OR ProcessImage matches "*\\tar.exe" OR ProcessImage matches "*\\gzip.exe"
OR ProcessImage matches "*\\bzip2.exe"
)
AND NOT (
TargetFilename matches "*\\Windows\\*" OR TargetFilename matches "*\\Program Files\\*"
),
1, 0
)
| where IsScriptBranch = 1 OR IsFileBranch = 1
| eval DetectionBranch = if (IsScriptBranch = 1, "ScriptCustomCrypto", "BulkEncryptedFiles")
| parse regex field=TargetFilename "(?<FileExt>\\.[A-Za-z0-9]{1,8})$" nodrop
| eval EncryptionType = if (
IsScriptBranch = 1,
if (XORMatch = 1, "XOR-based", "Custom-cipher"),
concat("SuspiciousExtension:", FileExt)
)
| timeslice 5m
| count_distinct(TargetFilename) as FileCount, first(TargetFilename) as SampleFile by _timeslice, host, User, ProcessImage, ParentImage, CommandLine, DetectionBranch, EncryptionType
| where DetectionBranch = "ScriptCustomCrypto" OR (DetectionBranch = "BulkEncryptedFiles" AND FileCount >= 5)
| sort by _timeslice desc

Sumo Logic detection for T1560.003 Archive via Custom Method using Sysmon XML event parsing. The query parses Event ID 1 (Process Create) and Event ID 11 (File Create) from the Sysmon Operational channel. Branch 1 (ScriptCustomCrypto) flags a scripting host whose command line carries a XOR operator or key keyword (XORMatch) or a named cipher or rotation identifier (CryptoMatch); both are boolean flags, not scores, and a hit is labelled XOR-based whenever XORMatch is set, even if a cipher name is also present. Because Sysmon Event ID 1 records only the command line, this branch sees an inline loop passed with -Command or -c but not the same loop stored in a .ps1 or .py file; script-file content is only visible in PowerShell Script Block Logging (Event ID 4104), which this query does not consume. Branch 2 (BulkEncryptedFiles) fires when a non-archiver process creates 5 or more distinct files with a suspicious extension outside \Windows and \Program Files inside one 5-minute timeslice. The aggregation keys on the file extension rather than the full TargetFilename, so that archive_part1.sft through archive_part8.sft fall into one group and count toward the threshold; SampleFile keeps one path for triage. Adjust _sourceCategory to match your Sumo Logic collector configuration for Windows/Sysmon events.
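The following is an added example, not part of the original page and not Sumo Logic code: a stand-alone Python re-implementation of the two branches above, run over constructed Sysmon XML events, so the keyword matching, the archiver and path exclusions, and the distinct-file threshold can be checked offline before the rule is deployed. The events in SAMPLE_EVENTS, the host name WS01, the user CORP\alice and the paths are all made up for the example.

```python
"""Offline check of the two-branch detection over constructed Sysmon events.
Added example: not the page's own code, not Sumo Logic code; sample data is constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Same keyword lists as the XORMatch / CryptoMatch evals in the query.
XOR_TERMS = ["-bxor", "bitxor", "xorkey", "xor_key", "xorbytes", "xorencrypt",
             "0xaa", "0x23", "bxor 0x", "bytexor", "xorfile"]
CRYPTO_TERMS = ["blowfish", " rc4 ", "arcfour", "rot13", "rotl(", "rotr(",
                "xor cipher", "xor encrypt", "custom encrypt", "stream cipher"]
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "python.exe", "python3.exe",
                "wscript.exe", "cscript.exe", "cmd.exe"}
ARCHIVERS = {"7z.exe", "winrar.exe", "winzip.exe", "zip.exe", "tar.exe", "gzip.exe", "bzip2.exe"}
SUSPICIOUS_EXT = {".sft", ".enc", ".crypt", ".xor", ".locked", ".rms"}
BULK_THRESHOLD = 5   # distinct files per group, as in the query
SLICE_MINUTES = 5    # timeslice 5m

DATA_RE = re.compile(r"<Data Name='(\w+)'>([^<]*)</Data>")

def parse_event(xml):
    """Pull EventID, Computer and the EventData fields out of one Sysmon XML event."""
    ev = {"EventCode": re.search(r"<EventID>(\d+)</EventID>", xml).group(1),
          "host": re.search(r"<Computer>([^<]*)</Computer>", xml).group(1)}
    ev.update(DATA_RE.findall(xml))
    return ev

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def timeslice(utc):
    """Floor a Sysmon UtcTime ('YYYY-MM-DD HH:MM:SS.fff') to a 5-minute bucket."""
    t = datetime.strptime(utc[:19], "%Y-%m-%d %H:%M:%S")
    return (t.date(), (t.hour * 60 + t.minute) // SLICE_MINUTES)

def script_branch(ev):
    """Branch 1: scripting host whose command line carries XOR or cipher keywords."""
    if ev["EventCode"] != "1" or basename(ev.get("Image", "")) not in SCRIPT_HOSTS:
        return None
    cmd = ev.get("CommandLine", "").lower()
    xor = any(t in cmd for t in XOR_TERMS)
    crypto = any(t in cmd for t in CRYPTO_TERMS)
    if not (xor or crypto):
        return None
    return "XOR-based" if xor else "Custom-cipher"

def file_branch_ext(ev):
    """Branch 2 candidate: the suspicious extension, or None if excluded."""
    if ev["EventCode"] != "11":
        return None
    target = ev.get("TargetFilename", "")
    ext = ("." + target.rsplit(".", 1)[-1].lower()) if "." in basename(target) else ""
    if ext not in SUSPICIOUS_EXT or basename(ev.get("Image", "")) in ARCHIVERS:
        return None
    low = target.lower()
    if "\\windows\\" in low or "\\program files\\" in low:
        return None
    return ext

def detect(xml_events):
    """Alerts for both branches; the bulk branch counts distinct TargetFilenames
    per (timeslice, host, user, image, extension), like the query's aggregation."""
    alerts, groups = [], defaultdict(set)
    for xml in xml_events:
        ev = parse_event(xml)
        kind = script_branch(ev)
        if kind:
            alerts.append({"branch": "ScriptCustomCrypto", "type": kind, "host": ev["host"],
                           "image": basename(ev["Image"]), "cmd": ev["CommandLine"]})
            continue
        ext = file_branch_ext(ev)
        if ext:
            key = (timeslice(ev["UtcTime"]), ev["host"], ev.get("User", ""), basename(ev["Image"]), ext)
            groups[key].add(ev["TargetFilename"])
    for (_, host, user, image, ext), files in groups.items():
        if len(files) >= BULK_THRESHOLD:
            alerts.append({"branch": "BulkEncryptedFiles", "type": "SuspiciousExtension:" + ext,
                           "host": host, "user": user, "image": image,
                           "files": len(files), "sample": sorted(files)[0]})
    return alerts

def sysmon(event_id, utc, host, **data):
    """Build a minimal Sysmon Operational XML event (constructed sample data)."""
    fields = "".join(f"<Data Name='{k}'>{v}</Data>" for k, v in data.items())
    return (f"<Event><System><EventID>{event_id}</EventID><Computer>{host}</Computer></System>"
            f"<EventData><Data Name='UtcTime'>{utc}</Data>{fields}</EventData></Event>")

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    # FIN6-style inline loop: Branch 1 sees '-bxor' and '0xAA' on the command line
    sysmon(1, "2024-05-01 10:00:03.120", "WS01", Image=PS, User=r"CORP\alice",
           CommandLine="powershell -c $k=0xAA; $b=[IO.File]::ReadAllBytes('a.docx'); "
                       "for($i=0;$i -lt $b.Length;$i++){$b[$i]=$b[$i] -bxor $k}; "
                       "[IO.File]::WriteAllBytes('a.enc',$b)"),
    # Same loop stored in a script file: no keyword on the command line, Branch 1 is blind
    sysmon(1, "2024-05-01 10:00:04.000", "WS01", Image=PS, User=r"CORP\alice",
           CommandLine=r"powershell -ExecutionPolicy Bypass -File C:\Users\alice\stage.ps1"),
    # 7-Zip writing .enc: dropped by the archiver exclusion
    sysmon(11, "2024-05-01 10:00:09.000", "WS01", Image=r"C:\Program Files\7-Zip\7z.exe",
           User=r"CORP\alice", TargetFilename=r"C:\Users\alice\backup.enc"),
]
# StrongPity-style staging (Test 4): eight distinct .sft parts inside one 5-minute slice
SAMPLE_EVENTS += [
    sysmon(11, f"2024-05-01 10:01:{i:02d}.000", "WS01", Image=PS, User=r"CORP\alice",
           TargetFilename=TEMP + rf"\sft_staging\archive_part{i}.sft")
    for i in range(1, 9)
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints one ScriptCustomCrypto alert for the inline loop and one BulkEncryptedFiles alert with files=8 for the .sft staging; the -File invocation and the 7-Zip write produce nothing, which is the blind spot and the exclusion a tuner should keep in mind.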
Data Sources
- Microsoft-Windows-Sysmon/Operational, Event ID 1 (Process Create) and Event ID 11 (FileCreate), ingested as XML through a Sumo Logic Windows event source whose _sourceCategory matches one of the values on the query's first line.
- Sysmon must actually emit Event ID 11 for the staging locations you care about: common baseline Sysmon configurations restrict FileCreate logging to a short list of paths and extensions, and the file branch cannot count events that are never written.
- PowerShell Script Block Logging (Event ID 4104) and the Defender DeviceProcessEvents/DeviceFileEvents tables appear under Testing Methodology as corroborating signals; this query does not read them.
False Positives & Tuning
- IT automation scripts running PowerShell to manipulate permission flags or network packet bytes with -bxor, which is a standard PowerShell bitwise operator.
- Any command line that happens to contain the substrings 0xaa or 0x23 (colour codes, addresses, other hex constants) trips XORMatch, because the patterns are unanchored substring matches with no requirement that a XOR operator appear alongside the key; if this is noisy, require the key constant together with -bxor, or drop the bare key patterns.
- Data science or ML pipelines written in Python that import or reference RC4/arcfour by name for algorithm comparison benchmarks, even when not performing encryption.
- Endpoint security or DLP products creating quarantine files with .enc or .crypt extensions, which generate high-volume file creation events that reach the bulk branch threshold.
- Custom database backup scripts that stage encrypted exports with an .enc extension before uploading to cloud storage; these may also run from non-standard process names.
- Developers running unit tests or integration tests for cryptographic utility functions where the test command contains cipher names in its arguments.
Testing Methodology
Validate this detection against the 4 Atomic Red Team style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: PowerShell Single-Byte XOR Encryption of Staged Files (FIN6-style)
Expected signal: Sysmon Event ID 1: powershell.exe Process Create with CommandLine containing '-bxor', '0xAA', 'ReadAllBytes', and 'WriteAllBytes'. Sysmon Event ID 11: 3 FileCreate events for .enc files in %TEMP%\xor_out. PowerShell ScriptBlock Log Event ID 4104 capturing the full encryption loop with key constant 0xAA. DeviceFileEvents: FileCreated events for each .enc output file with InitiatingProcessFileName=powershell.exe. Three files are below the bulk threshold of 5, so this test is expected to alert through the script branch only.
- Test 2: Python Custom RC4 Stream Cipher Encryption (Rising Sun-style)
Expected signal: Sysmon Event ID 1: python3.exe Process Create with CommandLine containing 'rc4_encrypt', 'xorkey', and 'base64' keywords. Sysmon Event ID 11: 2 FileCreate events for .crypt files in %TEMP%\rc4_out. DeviceProcessEvents: python3.exe with ProcessCommandLine matching rc4 and xorkey patterns. Note that 'rc4_encrypt' does not satisfy the query's ' rc4 ' pattern, which requires a space on each side; the alert comes from the 'xorkey' keyword and is labelled XOR-based rather than Custom-cipher.
- Test 3: PowerShell Byte Rotation with XOR (SPACESHIP/APT30-style)
Expected signal: Sysmon Event ID 1: powershell.exe Process Create with CommandLine containing '-bxor', '0x23', '-shl', '-shr', '-band'. Sysmon Event ID 11: FileCreate event for spaceship_test.xor in %TEMP%. PowerShell ScriptBlock Log Event ID 4104 with the full rotation and XOR implementation including the 0x23 constant. A single output file cannot reach the bulk threshold, so this test also alerts through the script branch only.
- Test 4: Bulk .sft File Creation (StrongPity-style Custom Archive Output)
Expected signal: Sysmon Event ID 11: 8 FileCreate events for archive_part1.sft through archive_part8.sft, all within seconds, from powershell.exe in %TEMP%\sft_staging. DeviceFileEvents: 8 FileCreated entries with .sft extension, InitiatingProcessFileName=powershell.exe. No encryption keywords appear in the command line; this test validates that the file-creation branch catches compiled implant output patterns.
References
- https://attack.mitre.org/techniques/T1560/003/
- http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf
- https://www.welivesecurity.com/2019/10/10/eset-discovery-attor-spy-platform/
- https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/
- https://www.fireeye.com/blog/threat-research/2016/04/follow_the_money_dissecting_the_operations_of_the_cyber_crime_group_fin6.html
- https://documents.trendmicro.com/assets/white_papers/wp-follow-the-money-dissecting-the-operations-of-the-cyber-crime-group-fin6.pdf
- https://www.microsoft.com/en-us/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.003/T1560.003.md
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://www.sentinelone.com/labs/metador-a-look-at-a-long-running-espionage-actor/