Archive Collected Data T1560

An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.

Events covered

5 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 34 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (21 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
CommandLine18contains 17, match 1, regex_match 1 -p, a , -hp, .dmp, .dump
OriginalFileName12eq 11, ends_with 1, in 1, wildcard 17z.exe, 7za.exe, 7zr.exe, 7z*.exe, bsdtar
Image10ends_with 10, contains 2\7z.exe, \7za.exe, \7zr.exe, \rar.exe, \tar.exe
process_name8eq 3, ne 2, regex_match 2, contains 1rar.exe, (?i)(winrar|rar|7z*|peazip|powerarc|bandizip|zipware|winz..., 7z.exe, 7za.exe, 7z
EventID6eq 64104, 4688
Description5contains 3, eq 27-zip, Command line RAR, WinRAR
ParentImage2contains 2/python3, :\program files (x86)\, :\program files\
ScriptBlockText2contains 2compress-archive, \\temp\\
TargetFilename2ends_with 1, in 1*\\appdata\\local\\temp\\*, *\\windows\\temp\\*, \\cookie.tar, \\passff.tar
event.type2eq 1, in 1change, creation, start
file_name2in 2*.7z, *.ccache, *.rar, *.tar, *_certipy.json
EfectiveCommand1regex_match 1regexEmpire
EventData1contains 1-encodedcommand, powershell.exe, powershell_ise.exe
EventType1eq 1load
Type1eq 1

Top indicator values (197 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

FieldKindValueRules (here)Corpus reach
OriginalFileNameeq
7z.exe
45
OriginalFileNameeq
7za.exe
45
OriginalFileNameeq
7zr.exe
45
OriginalFileNameeq
bsdtar
22
OriginalFileNameeq
winrar.exe
23
CommandLinecontains
-p
34
CommandLinecontains
a
34
CommandLinecontains
-hp
24
CommandLinecontains
.dmp
210
CommandLinecontains
.dump
23
CommandLinecontains
.hdmp
23
CommandLinecontains
"administrador"
1
CommandLinecontains
"administrateur"
1
CommandLinecontains
"administrator"
1
CommandLinecontains
"administratör"
1
Descriptioncontains
7-zip
33
EventIDeq
4104
3268
EventIDeq
4688
3312
Imageends_with
\7z.exe
35
Imageends_with
\7za.exe
34
Imageends_with
\7zr.exe
34
Imageends_with
\rar.exe
35
Imageends_with
\tar.exe
22
Imageends_with
\winrar.exe
27
Descriptioneq
Command line RAR
23
ScriptBlockTextcontains
compress-archive
22
process_nameeq
7z.exe
22
process_nameeq
7za.exe
22
process_nameeq
rar.exe
22
process_nameregex_match
(?i)(winrar|rar|7z*|peazip|powerarc|bandizip|zipware|winzip*)\.exe
22

Exclusions (33 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

FieldKindValueRules excluding
CommandLinecontains
/active no
1
CommandLinecontains
guest
1
CommandLineregex_match
(Decompress)
1
EventDatacontains
gc_service.exe
1
EventDatacontains
gc_worker.exe
1
Imagecontains
:\program files (x86)\winrar\
1
Imagecontains
:\program files\winrar\
1
Imagecontains
:\windows\temp\
1
Imageends_with
\unrar.exe
1
Imageeq
c:\\program files\\vmware\\vmware tools\\7za.exe
1
Imagewildcard
?:\program files (x86)\*
1
Imagewildcard
?:\program files\*
1
Imagewildcard
?:\programdata\microsoft\windows defender advanced threat...
1
Imagewildcard
?:\windows\microsoft.net\framework*\mscorsvw.exe
1
Imagewildcard
?:\windows\system32\inetsrv\w3wp.exe
1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 16 rules

Elastic 3 rules

Splunk 14 rules

Kusto 1 rule