Detect Archive Collected Data in IBM QRadar

Adversaries may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender. Both compression and encryption are done prior to exfiltration and can be performed using a utility, third-party library, or custom method. Common tools include 7-Zip, WinRAR, the Windows built-in compact and certutil utilities, PowerShell Compress-Archive and .NET IO.Compression classes, and tar/gzip/openssl on Linux and macOS. Threat actors including Dragonfly, Lazarus Group, Ember Bear, BlackByte, and Axiom have all used archiving and encryption as a pre-exfiltration staging step. Sub-techniques cover archive via utility (T1560.001), archive via library (T1560.002), and archive via custom method (T1560.003).

MITRE ATT&CK

Tactic: Collection
Technique: T1560 Archive Collected Data
Canonical reference: https://attack.mitre.org/techniques/T1560/

QRadar Detection Query

Platform: IBM QRadar (AQL)

```sql
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  username,
  "Process Name" AS process_name,
  "Process Command Line" AS command_line,
  "Parent Process Name" AS parent_process,
  CASE
    WHEN LOWER("Process Name") LIKE ANY ('%\\7z.exe', '%\\7za.exe', '%\\7zr.exe', '%\\rar.exe', '%\\winrar.exe')
         AND (LOWER("Process Command Line") LIKE '% -hp%'
              OR LOWER("Process Command Line") LIKE '%-pass%'
              OR LOWER("Process Command Line") LIKE '%-password%')
      THEN 'Password-Protected Archive'
    WHEN LOWER("Process Name") LIKE ANY ('%\\7z.exe', '%\\7za.exe', '%\\7zr.exe', '%\\rar.exe', '%\\winrar.exe')
         AND LOWER("Parent Process Name") LIKE ANY ('%\\winword.exe', '%\\excel.exe', '%\\outlook.exe',
              '%\\powerpnt.exe', '%\\mshta.exe', '%\\wscript.exe', '%\\cscript.exe',
              '%\\mmc.exe', '%\\regsvr32.exe', '%\\rundll32.exe')
      THEN 'Archive via Suspicious Parent'
    WHEN LOWER("Process Name") LIKE ANY ('%\\powershell.exe', '%\\pwsh.exe')
         AND (LOWER("Process Command Line") LIKE '%compress-archive%'
              OR LOWER("Process Command Line") LIKE '%io.compression%'
              OR LOWER("Process Command Line") LIKE '%gzipstream%'
              OR LOWER("Process Command Line") LIKE '%deflatestream%'
              OR LOWER("Process Command Line") LIKE '%ziparchive%')
      THEN 'PowerShell .NET Compression'
    WHEN LOWER("Process Name") LIKE '%\\certutil.exe'
         AND (LOWER("Process Command Line") LIKE '%-encode%'
              OR LOWER("Process Command Line") LIKE '%-encodehex%')
      THEN 'CertUtil Encoding'
    ELSE 'Suspicious Archive Activity'
  END AS detection_type
FROM events
WHERE
  devicetime > NOW() - 86400000
  AND (
    (
      LOWER("Process Name") LIKE ANY ('%\\7z.exe', '%\\7za.exe', '%\\7zr.exe', '%\\rar.exe', '%\\winrar.exe')
      AND (
        LOWER("Process Command Line") LIKE '% -hp%'
        OR LOWER("Process Command Line") LIKE '%-pass%'
        OR LOWER("Process Command Line") LIKE '%-password%'
        OR LOWER("Parent Process Name") LIKE ANY (
          '%\\winword.exe', '%\\excel.exe', '%\\outlook.exe', '%\\powerpnt.exe',
          '%\\mshta.exe', '%\\wscript.exe', '%\\cscript.exe',
          '%\\mmc.exe', '%\\regsvr32.exe', '%\\rundll32.exe'
        )
      )
    )
    OR (
      LOWER("Process Name") LIKE ANY ('%\\powershell.exe', '%\\pwsh.exe')
      AND (
        LOWER("Process Command Line") LIKE '%compress-archive%'
        OR LOWER("Process Command Line") LIKE '%io.compression%'
        OR LOWER("Process Command Line") LIKE '%gzipstream%'
        OR LOWER("Process Command Line") LIKE '%deflatestream%'
        OR LOWER("Process Command Line") LIKE '%ziparchive%'
      )
    )
    OR (
      LOWER("Process Name") LIKE '%\\certutil.exe'
      AND (
        LOWER("Process Command Line") LIKE '%-encode%'
        OR LOWER("Process Command Line") LIKE '%-encodehex%'
      )
    )
  )
ORDER BY devicetime DESC
```

Severity: high · Confidence: high

IBM QRadar AQL detection for T1560 Archive Collected Data. Queries normalized process creation events (sourced from Sysmon EventCode 1 or Windows Security 4688 log sources with command-line auditing enabled) for four indicator patterns: password-protected archive creation, archive tools spawned by Office or scripting engine parents, PowerShell .NET compression class usage, and CertUtil base64 encoding. Produces a labeled detection_type column for triage prioritization.
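To see how the four indicator branches and the tuning advice behave on concrete telemetry before deploying the rule, here is an added offline re-implementation of the query's classification logic (example code, not the page's or QRadar's own). It assumes a hypothetical allowlist of patching service accounts (KNOWN_PATCH_ACCOUNTS) and uses constructed sample events modelled on the Testing Methodology signals.

```python
from dataclasses import dataclass

ARCHIVERS = {"7z.exe", "7za.exe", "7zr.exe", "rar.exe", "winrar.exe"}
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "mshta.exe",
                      "wscript.exe", "cscript.exe", "mmc.exe", "regsvr32.exe", "rundll32.exe"}
DOTNET_COMPRESSION = ("compress-archive", "io.compression", "gzipstream", "deflatestream", "ziparchive")
KNOWN_PATCH_ACCOUNTS = {"svc_wsus"}   # hypothetical tuning allowlist (see False Positives & Tuning)

@dataclass
class ProcEvent:            # username plus the three parsed fields the AQL query reads
    username: str
    process: str            # "Process Name" (full image path)
    command_line: str       # "Process Command Line"
    parent: str             # "Parent Process Name"

def classify(ev: ProcEvent):
    """Label the AQL CASE would assign, or None if the WHERE clause (or tuning) drops the event."""
    # AQL's LIKE '%\\7z.exe' effectively compares the lower-cased image basename
    proc, parent = (p.lower().rsplit("\\", 1)[-1] for p in (ev.process, ev.parent))
    cmd = ev.command_line.lower()
    if proc in ARCHIVERS:
        # '% -hp%' needs the leading space; '%-pass%' already covers '-password'
        if " -hp" in cmd or "-pass" in cmd:
            return "Password-Protected Archive"
        if parent in SUSPICIOUS_PARENTS:
            return "Archive via Suspicious Parent"
    if proc in {"powershell.exe", "pwsh.exe"} and any(k in cmd for k in DOTNET_COMPRESSION):
        return None if ev.username.lower() in KNOWN_PATCH_ACCOUNTS else "PowerShell .NET Compression"
    if proc == "certutil.exe" and "-encode" in cmd:     # '-encodehex' is covered by '-encode'
        return "CertUtil Encoding"
    return None             # includes plain archiver use with no password and a normal parent

# Constructed sample telemetry modelled on the Testing Methodology signals
SAMPLE_EVENTS = [
    ProcEvent("jdoe", r"C:\Program Files\7-Zip\7z.exe",
              r"7z.exe a -hpS3cret C:\Windows\Temp\staged_exfil.zip C:\Users\jdoe\Documents",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("jdoe", r"C:\Program Files\WinRAR\rar.exe", "rar.exe a staging.rar *.docx",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcEvent("svc_wsus", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe Compress-Archive -Path C:\Patches -DestinationPath C:\bundle.zip",
              r"C:\Windows\System32\services.exe"),
    ProcEvent("jdoe", r"C:\Windows\System32\certutil.exe",
              "certutil -encode secrets.db encoded_payload.txt", r"C:\Windows\System32\cmd.exe"),
]

def run_detection(events=SAMPLE_EVENTS):
    """Rows the query would return: (username, detection_type) for flagged events only."""
    return [(ev.username, label) for ev in events if (label := classify(ev))]
```

The svc_wsus Compress-Archive event is dropped by the allowlist, which is the tuning the False Positives section describes; everything else is labeled exactly as the AQL CASE would label it.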

Data Sources

  • Sysmon log source (EventCode 1 — Process Create) forwarded to QRadar
  • Windows Security Event Log (EventID 4688 with Process Command Line auditing enabled)
  • Microsoft Windows Security Event Log DSM

Required Tables

  • events (QRadar normalized event store)
  • Sysmon DSM log source with Process Name, Process Command Line, Parent Process Name fields parsed

False Positives & Tuning

  • Automated patch management systems (WSUS, ManageEngine, Ivanti) that use PowerShell Compress-Archive to bundle patches before deployment — verify against known patching service accounts and scheduled maintenance windows
  • Enterprise DLP or CASB tooling that invokes CertUtil to encode files during content inspection workflows — cross-reference log source IP against known DLP infrastructure
  • Password-protected archive creation by end users for legitimate file sharing via email or file transfer portals — high volume on specific hosts during business hours with consistent users suggests non-malicious activity
Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: 7-Zip Password-Protected Archive of Sensitive Directory

    Expected signal: Sysmon Event ID 1: Process Create with Image ending in 7z.exe, CommandLine containing '-hp' and 'staged_exfil.zip'. Sysmon Event ID 11: File Create event for C:\Windows\Temp\staged_exfil.zip with InitiatingProcessFileName=7z.exe. Security Event ID 4688 (if process command line auditing enabled) with same details.

  2. Test 2: PowerShell Compress-Archive Staging in Temp Directory

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Compress-Archive' and 'C:\Windows\Temp\recent_files_staged.zip'. Sysmon Event ID 11: File Create for the zip archive. PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational with full cmdlet and path.

  3. Test 3: certutil Base64 Encode Binary File

    Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe, CommandLine containing '-encode' and 'encoded_payload.txt'. Sysmon Event ID 11: File Create for C:\Windows\Temp\encoded_payload.txt. Security Event ID 4688 with the same certutil command line if process auditing is enabled.

  4. Test 4: Linux tar + gzip Collection and Staging

    Expected signal: Auditd execve record: type=EXECVE with argv containing 'tar' 'czf' '/tmp/sys_backup_...' '/etc/passwd' '/etc/shadow'. Syslog process creation record (if auditd not deployed). File creation event for /tmp/sys_backup_*.tar.gz. If using a SIEM with Linux file integrity monitoring, alert on new file creation in /tmp matching *.tar.gz by root or privileged account.

  5. Test 5: WinRAR Archive with Password and Locked Headers

    Expected signal: Sysmon Event ID 1: Process Create with Image ending rar.exe, CommandLine containing '-hp' and 'staging.rar'. Sysmon Event ID 11: File Create for C:\ProgramData\Microsoft\staging.rar with InitiatingProcessFileName=rar.exe. Security Event ID 4688 with full command line.
