title: Archive via Custom Method (T1560.003)
id: df00tech-t1560-003
status: experimental
description: "An adversary may compress or encrypt data collected prior to exfiltration using a custom method rather than standard archive utilities. Custom implementations include XOR loops with static keys, stream ciphers (RC4, ChaCha20), block ciphers (Blowfish), byte rotation schemes, and substitution ciphers — all implemented inline in malware code or scripts without referencing external libraries or system utilities. This technique allows adversaries to transform staged data in a way that evades detection rules targeting standard archivers (7-Zip, WinRAR, zip) while also obfuscating data contents during staging and exfiltration. Threat actors employing this technique include FIN6 (single-byte XOR with key 0xAA, plus Base64 with character permutation), CopyKittens (substitution cipher), and malware families including Attor (custom Blowfish+RSA), BLUELIGHT (XOR binary blob), StrongPity (repeated XOR producing .sft archive parts), Duqu (zlib+XOR), RGDoor (XOR before C2 transmission), RawPOS (XOR-encoded POS card data), and FoggyWeb (dynamic XOR key with WebP steganography)."
references:
  - https://attack.mitre.org/techniques/T1560/003/
  - https://df00tech.com/detections/T1560.003
author: df00tech
date: 2026/04/14
tags:
  - attack.t1560.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Enterprise backup and DLP software (VeraCrypt preparation scripts, enterprise encryption agents) creating .enc or .crypt files in bulk during scheduled backup operations"
  - Software developers writing and testing custom encryption libraries or XOR-based data serialization code on developer workstations — the -bxor operator has legitimate scripting uses
  - In-house data processing pipelines or ETL jobs that use custom non-standard file extensions for intermediate processing artifacts
  - Security assessment tools and penetration testing frameworks implementing XOR transforms during authorized engagements
  - "Ransomware simulation tools (RanSim, SafeKit) used by security teams for testing detection coverage that produce bulk encrypted output files"
level: high
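The detection block above is only a placeholder, so here is an added example (not df00tech's rule or query) of heuristic scoring over constructed process_creation events for the indicators the description and false-positive notes name: the PowerShell -bxor operator, a constant key operand such as 0xAA, a byte-array read loop, and output to a .enc/.crypt file. Host names, event field names and the developer-workstation allowlist are assumptions for the sample.

```python
import re

# Constructed Sysmon-style process_creation events (sample data, not real telemetry).
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Computer": "WS-FIN-07", "Image": PS_IMAGE,  # read, XOR with static key 0xAA, write .enc
     "CommandLine": r"powershell -nop -w hidden -c $d=[IO.File]::ReadAllBytes('C:\Users\Public\stage.dat');"
                    r"for($i=0;$i -lt $d.Length;$i++){$d[$i]=$d[$i] -bxor 0xAA};"
                    r"[IO.File]::WriteAllBytes('C:\Users\Public\stage.enc',$d)"},
    {"Computer": "DEV-BUILD-01", "Image": PS_IMAGE,  # developer testing an XOR loop, no file output
     "CommandLine": r"powershell -c for($i=0;$i -lt $b.Length;$i++){$b[$i]=$b[$i] -bxor 0x5A}"},
    {"Computer": "WS-FIN-07", "Image": r"C:\Program Files\7-Zip\7z.exe",  # standard archiver, out of scope here
     "CommandLine": r"7z a C:\Users\Public\report.7z C:\Users\Public\report.docx"},
]

POWERSHELL = re.compile(r"(?:^|\\)(?:powershell|pwsh)(?:\.exe)?$", re.I)
# Each indicator is one signal named on the page; the score is how many co-occur in one command line.
INDICATORS = [
    ("bxor_operator", re.compile(r"-bxor\b", re.I)),
    ("static_key_operand", re.compile(r"-bxor\s+(?:0x[0-9a-f]+|\d+)\b", re.I)),
    ("byte_transform_loop", re.compile(r"ReadAllBytes|\[byte\[\]\]", re.I)),
    ("custom_extension_output", re.compile(r"WriteAllBytes\([^)]*\.(?:enc|crypt)\b", re.I)),
]
DEV_WORKSTATIONS = {"DEV-BUILD-01"}  # assumed allowlist covering the developer false positive


def score_event(event):
    """Return (score, matched indicator names) for one event; non-PowerShell images score 0."""
    if not POWERSHELL.search(event.get("Image", "")):
        return 0, []
    cmd = event.get("CommandLine", "")
    reasons = [name for name, rx in INDICATORS if rx.search(cmd)]
    return len(reasons), reasons


def evaluate(events, threshold=2):
    """Alert at or above threshold; allowlisted developer hosts must show the full
    read-XOR-write chain (every indicator) before they alert."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        required = len(INDICATORS) if ev.get("Computer") in DEV_WORKSTATIONS else threshold
        if score >= required:
            alerts.append({"Computer": ev.get("Computer"), "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Tune the threshold and the allowlist per environment; the ETL and DLP cases in the false-positive list will still need their own exclusions.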
