MITRE ATT&CK Technique
Collection
T1560.002
Description
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including [Python](https://attack.mitre.org/techniques/T1059/006) rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data. Some archival libraries are preinstalled on systems, such as bzip2 on macOS and Linux, and zip on Windows. Note that the libraries are different from the utilities. The libraries can be linked against when compiling, while the utilities require spawning a subshell, or a similar execution mechanism.
Supported Platforms
Linux
macOS
Windows
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-02-20T21:08:52.529Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'An adversary may compress or encrypt data that is collected '
'prior to exfiltration using 3rd party libraries. Many '
'libraries exist that can archive data, including '
'[Python](https://attack.mitre.org/techniques/T1059/006) '
'rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and '
'zlib (Citation: Zlib Github). Most libraries include '
'functionality to encrypt and/or compress data.\n'
'\n'
'Some archival libraries are preinstalled on systems, such as '
'bzip2 on macOS and Linux, and zip on Windows. Note that the '
'libraries are different from the utilities. The libraries can '
'be linked against when compiling, while the utilities require '
'spawning a subshell, or a similar execution mechanism.',
'external_references': [{'external_id': 'T1560.002',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1560/002'},
{'description': 'D. Baron, T. Klausner. (2020). '
'libzip. Retrieved February 20, 2020.',
'source_name': 'libzip',
'url': 'https://libzip.org/'},
{'description': 'madler. (2017). zlib. Retrieved '
'February 20, 2020.',
'source_name': 'Zlib Github',
'url': 'https://github.com/madler/zlib'},
{'description': 'mkz. (2020). rarfile 3.1. Retrieved '
'February 20, 2020.',
'source_name': 'PyPI RAR',
'url': 'https://pypi.org/project/rarfile/'},
{'description': 'Wikipedia. (2016, March 31). List of '
'file signatures. Retrieved April 22, '
'2016.',
'source_name': 'Wikipedia File Header Signatures',
'url': 'https://en.wikipedia.org/wiki/List_of_file_signatures'}],
'id': 'attack-pattern--41868330-6ee2-4d0f-b743-9f2294c3c9b6',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'collection'}],
'modified': '2025-10-24T17:48:42.345Z',
'name': 'Archive via Library',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux', 'macOS', 'Windows'],
'x_mitre_version': '1.0'}