title: Archive via Utility (T1560.001)
id: df00tech-t1560-001
status: experimental
description: "Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier or more secure to transport. Adversaries may abuse utilities such as 7-Zip, WinRAR, WinZip, tar, zip, and Windows built-ins like makecab/diantz and certutil to stage data for exfiltration. Password-protected archives are a common indicator as they prevent inspection by security tools. Threat actors including HAFNIUM, APT1, APT33, Volt Typhoon, Mustang Panda, menuPass, and Wizard Spider are documented using this technique."
references:
  - https://attack.mitre.org/techniques/T1560/001/
  - https://df00tech.com/detections/T1560.001
author: df00tech
date: 2026/04/13
tags:
  - attack.t1560.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The df00tech KQL/SPL query could not be auto-translated into Sigma. Rather than a
  # catch-all placeholder (EventID: '*'), the selections below are derived from the
  # utilities named in the description; tune them against your own telemetry and
  # compare with the original query on df00tech before deploying.
  selection_archiver:
    Image|endswith:
      - '\7z.exe'
      - '\7za.exe'
      - '\WinRAR.exe'
      - '\Rar.exe'
      - '\tar.exe'
      - '\zip.exe'
      - '\makecab.exe'
      - '\diantz.exe'
  selection_certutil:
    # certutil is only relevant to staging when it encodes data
    Image|endswith: '\certutil.exe'
    CommandLine|contains: '-encode'
  condition: selection_archiver or selection_certutil
falsepositives:
  - System administrators using 7-Zip or WinRAR for legitimate backup or file transfer operations
  - "Backup software agents (Veeam, Commvault, Acronis) that invoke archive utilities as part of scheduled backup jobs"
  - Software packaging tools and CI/CD pipelines that compress build artifacts before deployment
  - IT operations compressing log files or diagnostic data for vendor support cases
  - "makecab.exe invoked by Windows Update, software installers, and MSI packages as part of normal installation routines"
level: medium
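Added example (not df00tech's query and not part of the rule above): a small Python evaluator that applies the description's indicators to constructed process_creation events, scoring password-protected archive creation higher and demoting the installer-driven makecab use listed under falsepositives. Binary names, the password-switch pattern and the parent-image allow list are assumptions to adjust per environment.

```python
"""Score Windows process_creation events for T1560.001 archive-utility use."""
import re

# Binary names for the utilities the rule description lists (assumed names).
ARCHIVE_UTILITIES = {
    "7z.exe", "7za.exe", "winrar.exe", "rar.exe", "tar.exe",
    "zip.exe", "makecab.exe", "diantz.exe", "certutil.exe",
}
# 7-Zip/RAR password switches (-p<pwd>, -hp<pwd>) and zip's -P / --password.
PASSWORD_SWITCH = re.compile(r"(?:^|\s)(?:-p\S*|-hp\S*|-P\s|--password)")
# Parents whose makecab/diantz launches the falsepositives section calls normal.
BENIGN_PARENTS = {"msiexec.exe", "wuauclt.exe", "tiworker.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a finding dict for an archive-utility launch, or None."""
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    if image not in ARCHIVE_UTILITIES:
        return None
    # certutil only matters here when it encodes data for staging.
    if image == "certutil.exe" and "-encode" not in cmd.lower():
        return None
    parent = basename(event.get("ParentImage", ""))
    password = bool(PASSWORD_SWITCH.search(cmd))
    if password:
        level = "high"  # password-protected archive: the stated key indicator
    elif image in {"makecab.exe", "diantz.exe"} and parent in BENIGN_PARENTS:
        level = "informational"  # installer / Windows Update noise
    else:
        level = "medium"
    return {"image": image, "parent": parent,
            "password_protected": password, "level": level}


def run_detection(events):
    return [f for f in map(classify, events) if f]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\7-Zip\7z.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"7z.exe a -pS3cret! C:\Users\Public\out.7z C:\Users\alice\Documents"},
    {"Image": r"C:\Windows\System32\makecab.exe", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"makecab.exe /F C:\Windows\Temp\ddf.txt"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for finding in run_detection(SAMPLE_EVENTS):
        print(finding)
```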
