Archive Collected Data

What is Archive Collected Data?

An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender or network appliance. Archiving collected data is a critical step in the attack chain between collection and exfiltration that is often detectable if appropriate monitoring is in place. Common tools used for archiving include 7-Zip, WinRAR, tar, and zip. Attackers frequently use password-protected archives to prevent security tools from inspecting the contents. The combination of large file creation in temporary or unusual directories followed by network connections sending data in volumes matching the archive size is a reliable indicator of imminent data exfiltration.

“Archive Collected Data is documented as technique T1560 in the MITRE ATT&CK knowledge base under the Collection tactic. Detection requires visibility into XDR, SIEM telemetry.”

Detection Strategies

The following detection strategies help SOC analysts identify Archive Collected Data activity. These methods apply across XDR, SIEM environments and can be implemented as detection rules, correlation queries, or behavioral analytics in your security platform.

1. 1

   Monitor compression utility execution including 7z.exe, rar.exe, and zip.exe with password flags such as -p, -hp, and their equivalents, as password-protected archive creation is a strong indicator of data staging for exfiltration.

2. 2

   Alert on large archive file creation in unusual directories such as temporary folders, user desktops, recycle bins, or hidden directories, particularly when the archive is created by a process with no legitimate archiving function.

3. 3

   Correlate archive creation events with data access patterns, alerting when archive creation follows periods of mass file access across sensitive directories, indicating that collected data is being packaged for exfiltration.

4. 4

   Detect split archive creation using multi-volume flags in compression tools, as attackers sometimes split large archives into smaller chunks to evade transfer size-based detection controls or to fit within exfiltration channel limitations.

5. 5

   Monitor the size relationship between data accessed and archives created, as a rough size correlation between recently accessed files and a newly created archive provides strong evidence that the archive contains the accessed data staged for theft.

Example Alerts

These realistic alert examples show what Archive Collected Data looks like in your security tools. Use them to tune detection rules and train analysts to recognize true positives versus false positives in live environments.

Frequently Asked Questions

How do SOC analysts detect Archive Collected Data?

SOC analysts detect Archive Collected Data (T1560) by monitoring XDR, SIEM telemetry for behavioral anomalies and specific indicators. Key detection methods include monitor compression utility execution including 7z.exe, rar.exe, and zip.exe with password flags such as -p, -hp, and their equivalents, as password-p. SOCSimulator provides hands-on practice detecting this technique with realistic alerts.

What security tools are used to detect Archive Collected Data?

Archive Collected Data can be detected using XDR, SIEM platforms. XDR tools are particularly effective for this technique because they provide visibility into the collection phase of the attack chain. SOCSimulator simulates all three tool types for hands-on training.

How common is Archive Collected Data in real-world attacks?

Archive Collected Data is a well-documented MITRE ATT&CK technique in the Collection tactic. It appears in threat intelligence reports from multiple security vendors and has been observed in campaigns by various threat actor groups. SOCSimulator includes realistic Archive Collected Data scenarios based on documented attack patterns, helping analysts build detection intuition.

Can I practice detecting Archive Collected Data for free?

Yes. SOCSimulator offers free forever access to training scenarios, including Collection techniques like Archive Collected Data. You can investigate realistic alerts in guided Operations rooms, build detection skills with SIEM, XDR, and Firewall interfaces, and test yourself under pressure in Shift Mode. No credit card required.