title: Archive Collected Data (T1560)
id: df00tech-t1560
status: experimental
description: "Adversaries may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender. Both compression and encryption are done prior to exfiltration and can be performed using a utility, third-party library, or custom method. Common tools include 7-Zip, WinRAR, the Windows built-in compact and certutil utilities, PowerShell Compress-Archive and .NET IO.Compression classes, and tar/gzip/openssl on Linux and macOS. Threat actors including Dragonfly, Lazarus Group, Ember Bear, BlackByte, and Axiom have all used archiving and encryption as a pre-exfiltration staging step. Sub-techniques cover archive via utility (T1560.001), archive via library (T1560.002), and archive via custom method (T1560.003)."
references:
  - https://attack.mitre.org/techniques/T1560/
  - https://df00tech.com/detections/T1560
author: df00tech
date: 2026/04/14
tags:
  - attack.t1560
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "IT backup and archiving jobs (Veeam, Acronis, custom scripts) that use 7-Zip or WinRAR with passwords to protect backup archives"
  - Software release pipelines packaging artifacts into password-protected zip files for deployment
  - DBA scripts compressing and encrypting database exports or log files before offsite transfer
  - "certutil legitimately used by PKI administrators to encode/decode certificate files (.cer, .p7b) for transport"
  - "PowerShell-based software deployment tools (SCCM, Intune, Ansible) using Compress-Archive to bundle installation packages"
level: medium
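# Added example, not part of the df00tech rule or its KQL/SPL query: a small Python matcher that
# applies the kind of process_creation logic this rule leaves as a placeholder to constructed
# Sysmon-style events. The field names (Image, CommandLine) and the per-tool password/encoding
# command-line markers are assumptions taken from each tool's documented syntax, not from the rule.

```python
import re

# Archivers/encoders named in the rule description, each mapped to the
# command-line marker for password protection, encryption or encoding. The
# markers are assumptions taken from each tool's documented syntax.
ARCHIVE_MARKERS = {
    "7z.exe":         re.compile(r"(^|\s)-p\S*", re.I),      # 7z a -pSecret out.7z
    "rar.exe":        re.compile(r"(^|\s)-h?p\S*", re.I),    # rar a -hpSecret out.rar
    "winrar.exe":     re.compile(r"(^|\s)-h?p\S*", re.I),
    "compact.exe":    re.compile(r"(^|\s)/c\b", re.I),       # compact /c /s folder
    "certutil.exe":   re.compile(r"(^|\s)-encode\b", re.I),  # certutil -encode in out
    "openssl.exe":    re.compile(r"(^|\s)enc\b", re.I),      # openssl enc -aes-256-cbc
    "powershell.exe": re.compile(r"compress-archive", re.I), # Compress-Archive -Path ...
}

def match_t1560(event):
    """Return a reason string if a Sysmon-style process_creation event
    (keys Image, CommandLine) looks like T1560 staging, otherwise None."""
    image = event.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    pattern = ARCHIVE_MARKERS.get(image)
    hit = pattern.search(event.get("CommandLine", "")) if pattern else None
    return f"{image} invoked with {hit.group().strip()!r}" if hit else None

def scan(events):
    """Run match_t1560 over a batch of events and return the alerts."""
    alerts = []
    for ev in events:
        reason = match_t1560(ev)
        if reason:
            alerts.append({"Image": ev["Image"], "reason": reason})
    return alerts

# Constructed sample events (not real telemetry); the first three should alert.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r"7z.exe a -pHunter2 -mhe=on C:\Users\Public\staged.7z C:\Users\alice\Documents"},
    {"Image": r"C:\Program Files\WinRAR\Rar.exe",
     "CommandLine": r"Rar.exe a -hpS3cret C:\Temp\docs.rar C:\Users\alice\Desktop"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -encode C:\Temp\docs.rar C:\Temp\docs.txt"},
    {"Image": r"C:\Program Files\7-Zip\7z.exe",   # plain extraction, no password: no alert
     "CommandLine": r"7z.exe x C:\Downloads\tool.7z -oC:\Tools"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["reason"])
```

# The falsepositives above are the tuning inputs: exclude known backup, release-pipeline and
# deployment-tool parent processes before alerting at this level.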
