T1560.001: T1560.001

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 20/02/2020 22:01 · Modified 15/04/2026 13:26

Essential information

MITRE technique ID: T1560.001
Confidence: 100/100
Revoked: No
Published: 20/02/2020 22:01
Modified: 15/04/2026 13:26
Author / Source: The MITRE Corporation

Aliases

Archive via Utility

Platforms

windows macos linux

Description

Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport. Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as `tar` on Linux and macOS or `zip` on Windows systems. On Windows, `diantz` or ` makecab` may be used to package collected files into a cabinet (.cab) file. `diantz` may also be used to download and compress files from remote locations (i.e. [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002)).(Citation: diantz.exe_lolbas) `xcopy` on Windows can copy files and directories with a variety of options. Additionally, adversaries may use [certutil](https://attack.mitre.org/software/S0160) to Base64 encode collected data before exfiltration. Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)

Kill chain phases

Kill chain	Phase
mitre-attack	collection

Marking (TLP)

External references

WinZip Homepage
7zip Homepage
WinRAR Homepage
mitre-attack (T1560.001)
Wikipedia File Header Signatures
diantz.exe_lolbas

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (54)

Chimera related

The MITRE Corporation Confidence 100

[Chimera](https://attack.mitre.org/groups/G0114) is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline…

First seen 01/01/1970 · Last seen 16/11/5138 ·
CloudComputating related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CopyKittens related

The MITRE Corporation Confidence 100

[CopyKittens](https://attack.mitre.org/groups/G0052) is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Earth Lusca related TAG-22Charcoal Typhoon

The MITRE Corporation Confidence 100

[Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
FIN13 related Elephant Beetle

The MITRE Corporation Confidence 100

[FIN13](https://attack.mitre.org/groups/G1016) is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. [FIN13](https://attack.mitre.org/groups/G1016) achieves…

First seen 01/01/1970 · Last seen 16/11/5138 ·
GALLIUM related Granite Typhoon

The MITRE Corporation Confidence 100

[GALLIUM](https://attack.mitre.org/groups/G0093) is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Gallmaker related

The MITRE Corporation Confidence 100

[Gallmaker](https://attack.mitre.org/groups/G0084) is a cyberespionage group that has targeted victims in the Middle East and has been active since at least December 2017. The group has mainly targeted victims…

First seen 01/01/1970 · Last seen 16/11/5138 ·
HAFNIUM related Operation Exchange MarauderSilk Typhoon

The MITRE Corporation Confidence 100

[HAFNIUM](https://attack.mitre.org/groups/G0125) is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. [HAFNIUM](https://attack.mitre.org/groups/G0125) primarily targets entities in the US…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Hydra Saiga related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
LofyGang related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
North Korean threat actors related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
OilRig related COBALT GYPSYIRN2

The MITRE Corporation Confidence 100

[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

37–48 of 54

AppleSeed uses

Family The MITRE Corporation Confidence 100

[AppleSeed](https://attack.mitre.org/software/S0622) is a backdoor that has been used by [Kimsuky](https://attack.mitre.org/groups/G0094) to target South Korean government, academic, and commercial targets since at least 2021.(Citation: Malwarebytes Kimsuky June 2021)

First seen 01/01/1970 · Last seen 16/11/5138 ·
InvisiMole uses
HazyBeacon uses

Family
PureClipper uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
POISONPLUG.SHADOW uses

Family
AMOS uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
MICROBACKDOOR uses
IcedID - S0483 uses

Family
PureCrypter uses

Family
d3f@ckloader uses

Family
LockBit uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
FoggyWeb - S0661 uses

Family

← Previous

Page / 5

1–12 of 60

STOCKSTAY Another Day: The Latest Addition to Turla’s … related

AlienVault Confidence 100 2 CVEs 19 MITREs 8 Malwares 57 IOCs 6 Observables 1 APT
CL-STA-1062 Targets Southeast Asian Governments and Critical Infrastructure related

AlienVault Confidence 100 19 MITREs 3 Malwares 6 IOCs 1 APT
PHISH ALERT: From a Simple Phishing Email to … related

AlienVault Confidence 100 20 MITREs 6 IOCs 3 Observables
Akira, LimeWire, and the Sour Taste of Data … related

AlienVault Confidence 100 1 CVE 18 MITREs 1 Malware 1 IOC 1 Observable 1 APT
Targets Education Sector with Oracle PeopleSoft Exploit related

AlienVault Confidence 100 1 CVE 20 MITREs 1 Malware 8 IOCs 8 Observables 1 APT
Nimbus RAT: How Threat Actors Are Abusing Microsoft … related

30 MITREs 1 Malware 3 Observables
Reloaded in a modern Remcos RAT Infection related

16 MITREs 2 Malwares 4 Observables
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
Popular node-ipc npm Package Infected with Credential Stealer related

AlienVault Confidence 100 20 MITREs 1 Malware 10 IOCs 10 Observables
macOS Stealer Spoofs Apple, Google, and Microsoft in … related

AlienVault Confidence 100 19 MITREs 4 Malwares 8 IOCs 8 Observables
Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government … related

5 CVEs 19 MITREs 7 Malwares 44 Observables 1 APT
LofyStealer: Malware targeting Minecraft players. related

AlienVault Confidence 100 20 MITREs 3 Malwares 3 IOCs 3 Observables 1 APT

← Previous

Page / 3

1–12 of 34

Vulnerabilities (CVE) (17)

CVE-2021-26858 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published: 03/11/2021
Modified: 21/12/2025

CVE-2021-26855 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2021-27065 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2022-41082 KEV targets

8.0 High

Microsoft Exchange Server contains an unspecified vulnerability that allows for authenticated remote code execution. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41040 …

Attack vector: Adjacent
Published: 30/09/2022
Modified: 20/12/2025

CVE-2024-40766 KEV targets

9.8 Critical

An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in …

Attack vector: Network
Published: 09/09/2024
Modified: 21/12/2025

Analyzed

CVE-2026-35273 KEV targets

9.8 Critical

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and …

Attack vector: NETWORK
Complexity: LOW
Published: 11/06/2026
Modified: 12/06/2026

CWE-306 Analyzed

CVE-2020-1472 KEV targets

5.5 Medium

Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …

Attack vector: Local
Published: 03/11/2021
Modified: 27/05/2026

CVE-2022-41040 KEV targets

8.8 High

Microsoft Exchange Server allows for server-side request forgery. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution.

Attack vector: Network
Published: 30/09/2022
Modified: 20/12/2025

CVE-2025-26399 KEV targets

9.8 Critical

SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would …

Attack vector: Network
Published: 23/09/2025
Modified: 12/03/2026

Awaiting Analysis

CVE-2021-26857 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published: 03/11/2021
Modified: 21/12/2025

CVE-2026-20245 KEV targets

7.8 High

A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, local attacker to execute arbitrary …

Attack vector: LOCAL
Complexity: LOW
Published: 05/06/2026
Modified: 25/06/2026

CWE-116 Awaiting Analysis

CVE-2024-57727 KEV targets

7.5 High

SimpleHelp remote support software v5.5.7 and before is vulnerable to multiple path traversal vulnerabilities that enable unauthenticated remote attackers to download arbitrary …

Attack vector: Network
Published: 13/02/2025
Modified: 21/12/2025

Modified

← Previous

Page / 2

1–12 of 17

T1560 subtechnique-of

Archive Collected Data MITRE

Tool (3)

Rclone uses

The MITRE Corporation Confidence 100

[Rclone](https://attack.mitre.org/software/S1040) is a command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. [Rclone](https://attack.mitre.org/software/S1040) has been used in a…
PoshC2 uses

The MITRE Corporation Confidence 100

[PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while…
certutil uses

The MITRE Corporation Confidence 100

[certutil](https://attack.mitre.org/software/S0160) is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. (Citation: TechNet Certutil)

Campaign (6)

FunnyDream uses
Operation Honeybee uses
Operation Dream Job uses
C0026 uses
Operation CuckooBees uses
APT28 Nearest Neighbor Campaign uses

Course Of Action (1)

Audit mitigates

Contact About Legal notice Privacy policy Terms of use