Clankerusecase
MITRE ATT&CK detection coverage

T1560.001 Archive via Utility

T1560.001 — Archive via Utility is a MITRE ATT&CK technique in the Collection tactic. Clankerusecase tracks 14 detection use cases covering it and 8 threat-intel articles citing it.

Tactic: Collection
14 use cases · 8 articles · 0 sub-techniques · 1 tactic

Use cases covering this technique (14)

- 7zip CommandLine To SMB Share Path (ESCU, hunting)
- Anomalous usage of 7zip (ESCU, hunting)
- Detect Renamed 7-Zip (ESCU, hunting)
- Detect Renamed WinRAR (ESCU, hunting)
- IcedID Exfiltrated Archived File Creation (ESCU, hunting)
- Windows Archive Collected Data via Rar (ESCU, hunting)
- [LLM] PeopleSoft lateral-movement script — *_fanout.sh execution and zstd compression chain (Bespoke, hunting)
- [LLM] ZIP archive named with public-IPv4 pattern created in user-writable directory (Gremlin Stealer) (Bespoke, hunting)
- [LLM] node.js process staging credential dump in nt-* temp directory (Bespoke, hunting)
- [LLM] Stage-3 exfil archive trin.tar.gz POST via curl --data-binary (Bespoke, alerting)
- [LLM] Credential archive staging — trin.tar.gz created by python process (Bespoke, alerting)
- [LLM] TeamPCP exfiltration archive tpcp.tar.gz created on disk (Bespoke, alerting)
- [LLM] TeamPCP exfiltration archive — tpcp.tar.gz file creation on host (Bespoke, alerting)
- [LLM] Exfil staging artefacts: session.key, payload.enc, session.key.enc, tpcp.tar.gz in temp (Bespoke, alerting)

Articles citing this technique (8)