Esc
Archive via Custom Method - T1560.003
(ATT&CK® Technique)
Definition
An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ciphers implemented with no external library or utility references. Custom implementations of well-known compression algorithms have also been used.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1560003["Archive via Custom Method"] --> |creates| CustomArchiveFile["Custom Archive File"]; class T1560003 OffensiveTechniqueNode;
class CustomArchiveFile ArtifactNode; click CustomArchiveFile href "/dao/artifact/d3f:CustomArchiveFile";
click T1560003 href "/offensive-technique/attack/T1560.003/"; click CustomArchiveFile href "/dao/artifact/d3f:CustomArchiveFile"; T1560003["Archive via Custom Method"] --> |creates| ArchiveFile["Archive File"]; class T1560003 OffensiveTechniqueNode;
class ArchiveFile ArtifactNode; click ArchiveFile href "/dao/artifact/d3f:ArchiveFile";
click T1560003 href "/offensive-technique/attack/T1560.003/"; click ArchiveFile href "/dao/artifact/d3f:ArchiveFile"; DecoyFile["Decoy File"] -->
| spoofs | CustomArchiveFile["Custom Archive File"];
DecoyFile["Decoy File"] -.->
| may-deceive | T1560003["Archive via Custom Method"] ;
class DecoyFile DefensiveTechniqueNode;
class CustomArchiveFile ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | CustomArchiveFile["Custom Archive File"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.->
| may-detect | T1560003["Archive via Custom Method"] ;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class CustomArchiveFile ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; DecoyFile["Decoy File"] -->
| spoofs | ArchiveFile["Archive File"];
class DecoyFile DefensiveTechniqueNode;
class ArchiveFile ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | ArchiveFile["Archive File"];
class FileIntegrityMonitoring DefensiveTechniqueNode;
class ArchiveFile ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileEncryption["File Encryption"] -->
| encrypts | CustomArchiveFile["Custom Archive File"];
FileEncryption["File Encryption"] -.->
| may-harden | T1560003["Archive via Custom Method"] ;
class FileEncryption DefensiveTechniqueNode;
class CustomArchiveFile ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; LocalFilePermissions["Local File Permissions"] -->
| restricts | CustomArchiveFile["Custom Archive File"];
LocalFilePermissions["Local File Permissions"] -.->
| may-isolate | T1560003["Archive via Custom Method"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class CustomArchiveFile ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; FileEncryption["File Encryption"] -->
| encrypts | ArchiveFile["Archive File"];
class FileEncryption DefensiveTechniqueNode;
class ArchiveFile ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; LocalFilePermissions["Local File Permissions"] -->
| restricts | ArchiveFile["Archive File"];
class LocalFilePermissions DefensiveTechniqueNode;
class ArchiveFile ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; RestoreFile["Restore File"] -->
| restores | CustomArchiveFile["Custom Archive File"];
RestoreFile["Restore File"] -.->
| may-restore | T1560003["Archive via Custom Method"] ;
class RestoreFile DefensiveTechniqueNode;
class CustomArchiveFile ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; FileAnalysis["File Analysis"] -->
| analyzes | CustomArchiveFile["Custom Archive File"];
FileAnalysis["File Analysis"] -.->
| may-detect | T1560003["Archive via Custom Method"] ;
class FileAnalysis DefensiveTechniqueNode;
class CustomArchiveFile ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; RestoreFile["Restore File"] -->
| restores | ArchiveFile["Archive File"];
class RestoreFile DefensiveTechniqueNode;
class ArchiveFile ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; FileAnalysis["File Analysis"] -->
| analyzes | ArchiveFile["Archive File"];
class FileAnalysis DefensiveTechniqueNode;
class ArchiveFile ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; FileEviction["File Eviction"] -->
| deletes | CustomArchiveFile["Custom Archive File"];
FileEviction["File Eviction"] -.->
| may-evict | T1560003["Archive via Custom Method"] ;
class FileEviction DefensiveTechniqueNode;
class CustomArchiveFile ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; FileEviction["File Eviction"] -->
| deletes | ArchiveFile["Archive File"];
class FileEviction DefensiveTechniqueNode;
class ArchiveFile ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | CustomArchiveFile["Custom Archive File"];
RemoteFileAccessMediation["Remote File Access Mediation"] -.->
| may-isolate | T1560003["Archive via Custom Method"] ;
class RemoteFileAccessMediation DefensiveTechniqueNode;
class CustomArchiveFile ArtifactNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | ArchiveFile["Archive File"];
class RemoteFileAccessMediation DefensiveTechniqueNode;
class ArchiveFile ArtifactNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";