Detect Archive Collected Data in Sumo Logic CSE
Adversaries may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender. Both compression and encryption are done prior to exfiltration and can be performed using a utility, third-party library, or custom method. Common tools include 7-Zip, WinRAR, the Windows built-in compact and certutil utilities, PowerShell Compress-Archive and .NET IO.Compression classes, and tar/gzip/openssl on Linux and macOS. Threat actors including Dragonfly, Lazarus Group, Ember Bear, BlackByte, and Axiom have all used archiving and encryption as a pre-exfiltration staging step. Sub-techniques cover archive via utility (T1560.001), archive via library (T1560.002), and archive via custom method (T1560.003).
MITRE ATT&CK
- Tactic
- Collection
- Technique
- T1560 Archive Collected Data
- Canonical reference
- https://attack.mitre.org/techniques/T1560/
Sumo Detection Query
_sourceCategory=*windows/sysmon* OR _sourceCategory=*sysmon*
| where EventCode="1"
| eval image_lc=toLowerCase(Image)
| eval cmdline_lc=toLowerCase(CommandLine)
| eval parent_lc=toLowerCase(ParentImage)
| where (image_lc matches "*\\7z.exe" OR image_lc matches "*\\7za.exe" OR image_lc matches "*\\7zr.exe"
OR image_lc matches "*\\rar.exe" OR image_lc matches "*\\winrar.exe"
OR image_lc matches "*\\powershell.exe" OR image_lc matches "*\\pwsh.exe"
OR image_lc matches "*\\certutil.exe")
| eval is_archive=if(image_lc matches "*\\7z.exe" OR image_lc matches "*\\7za.exe" OR image_lc matches "*\\7zr.exe"
OR image_lc matches "*\\rar.exe" OR image_lc matches "*\\winrar.exe", 1, 0)
| eval password_protected=if(is_archive=1 AND (cmdline_lc contains " -hp" OR cmdline_lc contains "-pass" OR cmdline_lc contains "-password"), 1, 0)
| eval suspicious_parent=if(is_archive=1 AND (parent_lc matches "*\\winword.exe" OR parent_lc matches "*\\excel.exe"
OR parent_lc matches "*\\outlook.exe" OR parent_lc matches "*\\powerpnt.exe"
OR parent_lc matches "*\\mshta.exe" OR parent_lc matches "*\\wscript.exe"
OR parent_lc matches "*\\cscript.exe" OR parent_lc matches "*\\mmc.exe"
OR parent_lc matches "*\\regsvr32.exe" OR parent_lc matches "*\\rundll32.exe"), 1, 0)
| eval ps_compression=if((image_lc matches "*\\powershell.exe" OR image_lc matches "*\\pwsh.exe")
AND (cmdline_lc contains "compress-archive" OR cmdline_lc contains "io.compression"
OR cmdline_lc contains "gzipstream" OR cmdline_lc contains "deflatestream"
OR cmdline_lc contains "ziparchive"), 1, 0)
| eval certutil_encode=if(image_lc matches "*\\certutil.exe"
AND (cmdline_lc contains "-encode" OR cmdline_lc contains "-encodehex"), 1, 0)
| where password_protected=1 OR suspicious_parent=1 OR ps_compression=1 OR certutil_encode=1
| eval DetectionType=if(password_protected=1, "Password-Protected Archive",
if(suspicious_parent=1, "Archive via Suspicious Parent",
if(ps_compression=1, "PowerShell .NET Compression",
if(certutil_encode=1, "CertUtil Encoding", "Suspicious Archive Activity"))))
| fields _time, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionType
| sort by _time desc

Sumo Logic detection for T1560 Archive Collected Data using Sysmon EventCode 1 (Process Create) telemetry. It evaluates four threat patterns via layered eval flags: password-protected archive creation (highest fidelity), archive tools spawned by Office or scripting parents (macro staging), PowerShell .NET compression class invocations (library-based archiving), and CertUtil encoding (binary-to-text obfuscation). Each event is labeled with a DetectionType for analyst triage.
False Positives & Tuning
- IT staff using 7-Zip via scripted deployment tools (PDQ Deploy, Ansible) where the parent chain includes mmc.exe or wscript.exe — validate against known admin workstations and change management records
- PowerShell-based log archival scripts that compress old log files using Compress-Archive — corroborate with scheduled task ancestry and predictable destination paths under system directories
- CertUtil used legitimately for certificate enrollment or PKCS operations in environments with active PKI — whitelist specific host roles (CA servers, PKI workstations) and correlate with certificate management change tickets
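The following is an added example, not code from the original page or from Sumo Logic: a Python re-implementation of the query's four layered flags and DetectionType precedence, followed by the three tuning exclusions from the False Positives section applied as an allowlist, run over constructed Sysmon EventCode 1 records. Host names, file paths and the assumption that scheduled-task ancestry shows up as a svchost.exe parent are placeholders and assumptions; substitute your own inventory.

```python
import re

# Image basenames the query matches with "*\\<name>" patterns
ARCHIVE_IMAGES = {"7z.exe", "7za.exe", "7zr.exe", "rar.exe", "winrar.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe",
                      "mshta.exe", "wscript.exe", "cscript.exe", "mmc.exe",
                      "regsvr32.exe", "rundll32.exe"}
PASSWORD_SWITCHES = (" -hp", "-pass", "-password")
PS_COMPRESSION = ("compress-archive", "io.compression", "gzipstream",
                  "deflatestream", "ziparchive")
CERTUTIL_ENCODE = ("-encode", "-encodehex")

# Same precedence as the nested if() that assigns DetectionType in the query
LABELS = (("password_protected", "Password-Protected Archive"),
          ("suspicious_parent", "Archive via Suspicious Parent"),
          ("ps_compression", "PowerShell .NET Compression"),
          ("certutil_encode", "CertUtil Encoding"))


def basename(path):
    """Lower-cased final path component; equivalent to the query's "*\\name" match."""
    return path.lower().rsplit("\\", 1)[-1]


def classify(event):
    """Return the DetectionType for one Sysmon EventCode 1 record, or None if no flag fires."""
    if str(event.get("EventCode", "")) != "1":
        return None
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "").lower()
    is_archive = image in ARCHIVE_IMAGES
    flags = {
        "password_protected": is_archive and any(s in cmd for s in PASSWORD_SWITCHES),
        "suspicious_parent": is_archive and parent in SUSPICIOUS_PARENTS,
        "ps_compression": image in SHELL_IMAGES and any(s in cmd for s in PS_COMPRESSION),
        "certutil_encode": image == "certutil.exe" and any(s in cmd for s in CERTUTIL_ENCODE),
    }
    for flag, label in LABELS:
        if flags[flag]:
            return label
    return None


# Allowlist for the three false-positive classes. Host names and paths are
# hypothetical placeholders; an operator substitutes their own inventory.
TUNING = {
    "admin_workstations": {"ADMIN-WS01"},
    "pki_hosts": {"CA01", "PKI-WS01"},
    "log_archive_roots": ("c:\\windows\\logs\\", "c:\\programdata\\"),
}
DEST_RE = re.compile(r"-destinationpath\s+['\"]?([^'\"\s]+)")


def suppression_reason(event, detection, tuning=TUNING):
    """Return the tuning rule that explains a hit as benign, or None to keep alerting."""
    host = event.get("Computer", "")
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "").lower()
    if (detection == "Archive via Suspicious Parent" and parent in {"mmc.exe", "wscript.exe"}
            and host in tuning["admin_workstations"]):
        return "scripted deployment on known admin workstation"
    # Assumption: scheduled-task ancestry appears as a svchost.exe parent (Task Scheduler service)
    if detection == "PowerShell .NET Compression" and parent == "svchost.exe":
        m = DEST_RE.search(cmd)
        if m and m.group(1).startswith(tuning["log_archive_roots"]):
            return "scheduled log archival to system directory"
    if detection == "CertUtil Encoding" and host in tuning["pki_hosts"]:
        return "PKI host role"
    return None


def triage(events, tuning=TUNING):
    """Run the detection over records and attach a suppression reason where tuning applies."""
    out = []
    for ev in events:
        label = classify(ev)
        if label is not None:
            out.append({"Computer": ev.get("Computer"), "Image": ev.get("Image"),
                        "DetectionType": label,
                        "suppressed": suppression_reason(ev, label, tuning)})
    return out


SAMPLE_EVENTS = [  # constructed Sysmon EventCode 1 records, not real telemetry
    {"EventCode": "1", "Computer": "FIN-WS07", "Image": "C:\\Program Files\\WinRAR\\rar.exe",
     "CommandLine": "rar.exe a -hpSecret C:\\ProgramData\\Microsoft\\staging.rar C:\\Users\\alice\\Documents",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventCode": "1", "Computer": "FIN-WS07", "Image": "C:\\Program Files\\7-Zip\\7z.exe",
     "CommandLine": "7z.exe a C:\\Users\\alice\\AppData\\Local\\Temp\\d.zip C:\\Users\\alice\\Documents",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"EventCode": "1", "Computer": "APP-SRV02", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -Command \"Compress-Archive -Path C:\\Windows\\Logs\\app\\*.log -DestinationPath C:\\Windows\\Logs\\archive\\app.zip\"",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe"},
    {"EventCode": "1", "Computer": "CA01", "Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil.exe -encode C:\\Windows\\Temp\\issued.cer C:\\Windows\\Temp\\issued.b64",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"EventCode": "1", "Computer": "FIN-WS07", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "CommandLine": "chrome.exe --type=renderer",
     "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"},
    {"EventCode": "1", "Computer": "ADMIN-WS01", "Image": "C:\\Program Files\\7-Zip\\7z.exe",
     "CommandLine": "7z.exe x C:\\Deploy\\package.7z -oC:\\Deploy\\out",
     "ParentImage": "C:\\Windows\\System32\\wscript.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Keeping the suppression reason on the record rather than dropping the event preserves the hit for hunting and lets you measure how much of the alert volume each tuning rule absorbs before promoting it to a permanent exclusion.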
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: 7-Zip Password-Protected Archive of Sensitive Directory
Expected signal: Sysmon Event ID 1: Process Create with Image ending in 7z.exe, CommandLine containing '-hp' and 'staged_exfil.zip'. Sysmon Event ID 11: File Create event for C:\Windows\Temp\staged_exfil.zip with InitiatingProcessFileName=7z.exe. Security Event ID 4688 (if process command line auditing enabled) with same details.
- Test 2: PowerShell Compress-Archive Staging in Temp Directory
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Compress-Archive' and 'C:\Windows\Temp\recent_files_staged.zip'. Sysmon Event ID 11: File Create for the zip archive. PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational with full cmdlet and path.
- Test 3: certutil Base64 Encode Binary File
Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe, CommandLine containing '-encode' and 'encoded_payload.txt'. Sysmon Event ID 11: File Create for C:\Windows\Temp\encoded_payload.txt. Security Event ID 4688 with the same certutil command line if process auditing is enabled.
- Test 4: Linux tar + gzip Collection and Staging
Expected signal: Auditd execve record: type=EXECVE with argv containing 'tar' 'czf' '/tmp/sys_backup_...' '/etc/passwd' '/etc/shadow'. Syslog process creation record (if auditd not deployed). File creation event for /tmp/sys_backup_*.tar.gz. If using a SIEM with Linux file integrity monitoring, alert on new file creation in /tmp matching *.tar.gz by root or privileged account.
- Test 5: WinRAR Archive with Password and Locked Headers
Expected signal: Sysmon Event ID 1: Process Create with Image ending rar.exe, CommandLine containing '-hp' and 'staging.rar'. Sysmon Event ID 11: File Create for C:\ProgramData\Microsoft\staging.rar with InitiatingProcessFileName=rar.exe. Security Event ID 4688 with full command line.
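Each Windows test above expects a Sysmon Event ID 1 paired with an Event ID 11 for the archive that was written. The following is an added example, not code from the page or from Atomic Red Team, showing how to confirm that pairing from raw Sysmon XML: it links the two events through the ProcessGuid field that Sysmon records on both, then checks that a Process Create with the expected image and command-line substrings actually wrote the expected file. The event records are constructed inline for the Test 2 and Test 5 signals, plus one unrelated file write to show it is not linked; the _ev builder and its GUID values are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Images whose Process Create events we want to pair with their file writes
ARCHIVERS = {"7z.exe", "7za.exe", "7zr.exe", "rar.exe", "winrar.exe",
             "powershell.exe", "pwsh.exe", "certutil.exe"}


def parse_sysmon(xml_text):
    """Flatten one Sysmon event into a dict of EventData Name -> value plus EventID."""
    root = ET.fromstring(xml_text)
    rec = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    rec["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    return rec


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def link_archive_writes(records):
    """Pair each archiver Process Create (ID 1) with the File Create events (ID 11)
    carrying the same ProcessGuid. Returns {ProcessGuid: {"process": rec, "files": [...]}}."""
    by_guid = {}
    for r in records:
        if r["EventID"] == 1 and basename(r.get("Image", "")) in ARCHIVERS:
            by_guid[r["ProcessGuid"]] = {"process": r, "files": []}
    for r in records:
        if r["EventID"] == 11 and r.get("ProcessGuid") in by_guid:
            by_guid[r["ProcessGuid"]]["files"].append(r["TargetFilename"])
    return by_guid


def expected_signal_seen(records, image_name, cmd_substrings, target_file):
    """True if a Process Create for image_name whose CommandLine contains every
    substring is linked to a File Create of target_file (the per-test check above)."""
    for entry in link_archive_writes(records).values():
        p = entry["process"]
        if (basename(p["Image"]) == image_name.lower()
                and all(s.lower() in p["CommandLine"].lower() for s in cmd_substrings)
                and target_file.lower() in (f.lower() for f in entry["files"])):
            return True
    return False


def _ev(event_id, **data):
    """Constructed Sysmon-shaped XML record (placeholder builder for the sample)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{body}</EventData></Event>')


PS_IMAGE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_XML = [  # constructed records, not real telemetry
    _ev(1, ProcessGuid="{00000000-0001-0000-0000-000000000001}",
        Image="C:\\Program Files\\WinRAR\\rar.exe",
        CommandLine="rar.exe a -hpSecret C:\\ProgramData\\Microsoft\\staging.rar C:\\Users\\alice\\Documents"),
    _ev(11, ProcessGuid="{00000000-0001-0000-0000-000000000001}",
        Image="C:\\Program Files\\WinRAR\\rar.exe",
        TargetFilename="C:\\ProgramData\\Microsoft\\staging.rar"),
    _ev(1, ProcessGuid="{00000000-0002-0000-0000-000000000002}", Image=PS_IMAGE,
        CommandLine="powershell.exe Compress-Archive -Path C:\\Users\\bob\\Documents "
                    "-DestinationPath C:\\Windows\\Temp\\recent_files_staged.zip"),
    _ev(11, ProcessGuid="{00000000-0002-0000-0000-000000000002}", Image=PS_IMAGE,
        TargetFilename="C:\\Windows\\Temp\\recent_files_staged.zip"),
    # Unrelated write by explorer.exe: no matching Process Create, so never linked
    _ev(11, ProcessGuid="{00000000-0003-0000-0000-000000000003}",
        Image="C:\\Windows\\explorer.exe", TargetFilename="C:\\Users\\bob\\Desktop\\notes.zip"),
]

if __name__ == "__main__":
    recs = [parse_sysmon(x) for x in SAMPLE_XML]
    for guid, entry in link_archive_writes(recs).items():
        print(guid, basename(entry["process"]["Image"]), entry["files"])
```

Linking on ProcessGuid rather than on image name or time window is what makes the check trustworthy: a File Create for staging.rar written by a different process would not satisfy Test 5, and the last record shows such a write being ignored.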
References (13)
- https://attack.mitre.org/techniques/T1560/
- https://attack.mitre.org/techniques/T1560/001/
- https://attack.mitre.org/techniques/T1560/002/
- https://attack.mitre.org/techniques/T1560/003/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
- https://cdn.cnn.com/cnn/2018/images/07/13/gru.indictment.pdf
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://www.cisa.gov/sites/default/files/publications/AA18-074A_MAR-10135536-G.PDF
- https://securelist.com/toddycat-check-logs/110696/
- https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation