T1560.001 — Archive via Utility

Technique

T1560.001

Tactics

Collection

MISP citations

0

KEV CVEs mapped

2

Community rules

17

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1560/001

MITRE description

Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport. Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as <code>tar</code> on Linux and macOS or <code>zip</code> on Windows systems. On Windows, <code>diantz</code> or <code> makecab</code> may be used to package collected files into a cabinet (.cab) file. <code>diantz</code> may also be used to download and compress files from remote locations (i.e. [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002)).(Citation: diantz.exe_lolbas) <code>xcopy</code> on Windows can copy files and directories with a variety of options. Additionally, adversaries may use [certutil](https://attack.mitre.org/software/S0160) to Base64 encode collected data before exfiltration. Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2021-44077
• CVE-2021-40539

Detection coverage

SigmaHQ community rules

• APT31 Judgement Panda Activity (emerging-threats)
• LiteLLM / TeamPCP Supply Chain Attack Indicators (emerging-threats)
• Password Protected Compressed File Extraction Via 7Zip (threat-hunting)
• Potentially Suspicious Compression Tool Parameters (threat-hunting)
• Data Compressed (core)
• Disk Image Mounting Via Hdiutil - MacOS (core)
• Cisco Stage Data (core)
• 7Zip Compressing Dump Files (core)
• Compress Data and Lock With Password for Exfiltration With 7-ZIP (core)
• Suspicious Manipulation Of Default Accounts Via Net.EXE (core)
• Files Added To An Archive Using Rar.EXE (core)
• Rar Usage with Password and Compression Level (core)
• Compressed File Creation Via Tar.EXE (core)
• Compressed File Extraction Via Tar.EXE (core)
• Winrar Compressing Dump Files (core)
• WinRAR Execution in Non-Standard Folder (core)
• Compress Data and Lock With Password for Exfiltration With WINZIP (core)

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.