title: Archive via Library (T1560.002) id: df00tech-t1560-002 status: experimental description: "Adversaries may compress or encrypt collected data prior to exfiltration using third-party or built-in programming libraries rather than standalone archival utilities. Libraries such as Python's zlib, bzip2, gzip, zipfile, and rarfile modules; .NET's System.IO.Compression (GZipStream, DeflateStream, ZipArchive); C libraries libzip and zlib; and platform-native libraries enable adversaries to compress and encrypt data programmatically within a running process. Because no separate archival utility process (7-Zip, WinRAR, tar) is spawned, this technique evades detections focused on command-line archivers. Malware families including TajMahal, LunarWeb, SeaDuke, BBSRAT, InvisiMole, and Denis have all used library-based compression to stage and exfiltrate collected data." references: - https://attack.mitre.org/techniques/T1560/002/ - https://df00tech.com/detections/T1560.002 author: df00tech date: 2026/04/13 tags: - attack.t1560.002 # NOTE: logsource is auto-derived and may need adjustment for your environment logsource: category: process_creation product: windows detection: # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech. selection: EventID: '*' condition: selection falsepositives: - "Legitimate Python data science or ETL pipelines that compress output files using zlib or gzip before writing to storage (Spark, Pandas, Airflow DAGs)" - Software installers and update agents that use zlib/bzip2 for package decompression and compression during installation - PowerShell-based backup or log rotation scripts that use System.IO.Compression.GZipStream to compress old logs or create compressed archives - "Developer workstations running build tools (Maven, Gradle, npm) that link against or load compression libraries during compilation and packaging" - "Monitoring and APM agents (Datadog, New Relic, Elastic APM) that compress telemetry payloads before sending to collection endpoints" level: medium