Detecting Archive Collected Data (T1560) with SIEM

What is archive collected data (T1560)?

Archive Collected Data (T1560) is a MITRE ATT&CK technique that describes how adversaries compress and/or encrypt collected data prior to exfiltration. After gathering target data and staging it in a central location, attackers package it into archives to reduce transfer size, simplify the exfiltration process, and evade data loss prevention (DLP) controls that inspect file contents.

MITRE defines three sub-techniques:

• Archive via Utility: Using standard compression utilities like 7-Zip, WinRAR, zip, or tar to create archives. This is the most common method because these tools are widely available and produce password-protected archives that resist inspection.
• Archive via Library: Using programming language libraries (Python zipfile, .NET System.IO.Compression, Go archive/zip) to create archives programmatically within malware or scripts.
• Archive via Custom Method: Using custom or proprietary compression/encryption schemes within malware. This is harder to detect by tool signature but creates recognizable file signatures.

Archive creation is observed in over 80% of data theft incidents according to Mandiant's incident response data. Ransomware groups use it universally - Black Basta, LockBit, ALPHV/BlackCat, and Cl0p all archive data before exfiltration. The CrowdStrike 2025 Global Threat Report noted that encrypted archives are now the default pre-exfiltration technique because they defeat both network-based DLP and endpoint content inspection.

Why attackers archive data before exfiltration

• Defeat DLP inspection: Password-protected 7-Zip and WinRAR archives use AES-256 encryption. DLP tools cannot inspect the contents of encrypted archives, allowing attackers to bypass content-matching policies that would otherwise block sensitive data transfer.
• Reduce transfer size: Compression ratios of 60-90% on document-heavy data sets mean terabytes of stolen data can be reduced to hundreds of gigabytes, enabling faster exfiltration over bandwidth-limited C2 channels.
• Simplify transfer: Instead of exfiltrating thousands of individual files (which creates thousands of individual network events), a single large archive simplifies the transfer and reduces the number of detectable network events.
• Chunk for reliability: Multi-part archives (split into fixed-size volumes) allow resumable transfers over unstable C2 connections. If one chunk fails, only that piece needs retransmission.
• Obfuscate content: Archive filenames can be innocuous (update.zip, backup.7z, report.rar) while containing exfiltrated data. This makes manual review of network transfers less effective.

Threat groups known to use T1560

How archive attacks work

Method 1: 7-Zip with AES encryption (T1560.001)

The most common method. Attackers use 7-Zip's command-line interface to create AES-256 encrypted archives with file header encryption enabled (flag: -mhe=on), which hides even the filenames from inspection.

Detection signals

• Process: 7z.exe or 7za.exe (standalone version)
• Command-line contains: -p (password flag), -mhe=on (header encryption)
• Source path: staging directory, ProgramData, temp, or network share path
• Context: executed by non-standard account, after hours, on server with no archive history

Method 2: WinRAR with password protection (T1560.001)

Method 3: PowerShell compress-archive (T1560.001)

Method 4: Custom malware compression (T1560.003)

Advanced threat groups embed compression directly in their malware using programming libraries. The archive is created in memory or written directly, without spawning recognizable archive tool processes.

Detect and investigate with Log360

Log360's 7 prebuilt T1560 detection rules

Investigation workflow

• Identify the archive and source - Determine which archive tool was used, what directory was archived, and where the archive was written. Check the process command-line for the full path and encryption flags.
• Assess sensitivity - Determine whether the source directory contains sensitive data. Cross-reference with known file share classifications and DLP labels.
• Check for staging - Look for prior data staging (T1074) activity. Was data from multiple sources consolidated into the directory that was archived?
• Check for exfiltration - Has the archive already been transferred? Look for outbound network events, cloud uploads, or file access by processes associated with known C2 tools.
• Determine archive size - Calculate the total archive size. This indicates the scale of potential data loss and helps with regulatory notification requirements.
• Contain - Quarantine the archive file, disable the compromised account, and block outbound transfers from the host. Preserve the archive as evidence for breach scope assessment.

Remediation and prevention

• Restrict archive tool execution - Use AppLocker or WDAC to limit 7z.exe, rar.exe, and WinRAR.exe execution to approved users and approved source directories. Block these tools on servers that have no legitimate compression need.
• Monitor command-line arguments - Configure process creation auditing to capture full command lines. Alert specifically on password flags (-p, -hp, -mhe=on) combined with sensitive source paths.
• Baseline archive behavior - Use Log360's UEBA to build baselines of which accounts normally create archives and from which directories. Any deviation should trigger investigation.
• Block split archives - Multi-volume archives (split into chunks) have no legitimate business purpose in most environments. Alert on any creation of split-volume archives.
• Script block logging - Enable PowerShell Script Block Logging to capture Compress-Archive usage and custom compression scripts that would not appear in process creation events.
• Restrict archive in staging paths - Configure file system monitoring rules that specifically flag archive file creation (*.7z, *.rar, *.zip, *.tar.gz) in known staging locations.

Need to explore ManageEngine Log360? Schedule a personalized demo

FAQ