AN0747: Analytic 0747
Detects adversarial archiving using libraries (zlib, zip APIs) invoked by scripts or binaries. Correlates process executions of Python, PowerShell, or custom .NET binaries with DLL/module loads linked to compression libraries, followed by archive file creation.
Analyst context for executives and security teams
This analytic is useful because archive creation is often a key step before data is moved, staged, or handled by an intruder. The decision value is not simply “did a ZIP file appear,” but whether Windows hosts can show that scripting engines or custom binaries loaded compression libraries and then created archives. That evidence helps leaders assess whether SOC and IR teams can distinguish routine business archiving from suspicious staging behavior.
Executive priority
Prioritize this as a validation item for Windows endpoint visibility and incident readiness. If the organization cannot correlate process execution, module or DLL loads, and archive file creation, responders may struggle to reconstruct suspicious data-staging activity or provide audit-quality evidence during an investigation. This should inform logging budget, EDR configuration review, and SOC use-case coverage rather than be treated as a standalone control.
Technical view
For Windows, validate whether telemetry can correlate Python, PowerShell, or custom .NET binary execution with loading of compression-related libraries such as zlib or ZIP APIs, followed by archive file creation. Because the ATT&CK object provides no tactic assignment and no official detection logic, teams should treat AN0747 as an analytic pattern to operationalize and tune locally, not as a complete detection rule.
Likely telemetry
- Windows process execution events for Python, PowerShell, and custom .NET binaries
- Module or DLL load telemetry showing compression-library usage
- File creation telemetry for archive files
- Process-to-file and process-to-module correlation data from EDR or endpoint logging
- Command-line and parent-child process context where collected
Detection direction
- Confirm the SOC can join process execution, module load, and archive file creation events within a useful time window on Windows endpoints.
- Tune for legitimate administrative, developer, backup, software packaging, and automation activity that may also use compression libraries.
- Prioritize unusual combinations: scripting engines or uncommon binaries loading compression libraries and creating archives in unexpected paths or user contexts.
- Do not rely only on archive file extensions; validate the preceding process and library-loading context described by the analytic.
- Because no relationship context or official detection text is supplied, avoid mapping this analytic to a specific ATT&CK tactic or threat actor without additional evidence.
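The join described in the first four bullets, as an added Python example (not MITRE's or Glexia's analytic logic): it keys Sysmon-style process-create (ID 1), image-load (ID 7) and file-create (ID 11) records on the process GUID, treats a process as a candidate only if it is a scripting engine or loaded the .NET runtime, requires a compression-library load within a fixed window before the archive write, and suppresses chains under an approved parent. All event records, module names and the approved-parent baseline below are constructed assumptions to tune locally.

```python
"""
Correlate process-create, image-load and file-create telemetry so an archive is
flagged only when a scripting engine or managed (.NET) binary loaded a
compression library shortly before writing it. Added illustration; records are
constructed Sysmon-style events (ID 1 = process create, 7 = image load,
11 = file create), and the indicator sets below are assumptions.
"""
from datetime import datetime, timedelta

SCRIPT_ENGINES = {"python.exe", "pythonw.exe", "powershell.exe", "pwsh.exe"}
DOTNET_RUNTIME = {"clr.dll", "coreclr.dll"}  # loaded by managed (.NET) processes
COMPRESSION_MODULES = {  # assumed markers of zlib / zip API use; tune locally
    "zlib1.dll", "zlibwapi.dll",
    "system.io.compression.dll", "system.io.compression.filesystem.dll",
}
ARCHIVE_EXTENSIONS = (".zip", ".7z", ".rar", ".gz", ".tgz", ".tar", ".cab")
WINDOW = timedelta(minutes=10)  # max gap between library load and archive write
# Constructed baseline: parents whose scripted archiving is approved locally
APPROVED_PARENTS = {r"c:\program files\backupagent\scheduler.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_archive(path: str) -> bool:
    return basename(path).endswith(ARCHIVE_EXTENSIONS)


def when(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["ts"])


def correlate(events: list) -> list:
    """Return one alert per (process, archive) pair that completes the chain."""
    procs = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        p = procs.setdefault(ev["pguid"], {"create": None, "loads": [], "files": []})
        if ev["id"] == 1:
            p["create"] = ev
        elif ev["id"] == 7:
            p["loads"].append(ev)
        elif ev["id"] == 11:
            p["files"].append(ev)

    alerts = []
    for pguid, p in procs.items():
        create = p["create"]
        if create is None:
            continue  # archive without process context: extension alone is not enough
        loaded = {basename(e["image_loaded"]) for e in p["loads"]}
        candidate = basename(create["image"]) in SCRIPT_ENGINES or bool(loaded & DOTNET_RUNTIME)
        if not candidate or create["parent_image"].lower() in APPROVED_PARENTS:
            continue
        comp_loads = [e for e in p["loads"] if basename(e["image_loaded"]) in COMPRESSION_MODULES]
        for f in p["files"]:
            if not is_archive(f["target"]):
                continue
            for load in comp_loads:
                gap = when(f) - when(load)
                if timedelta(0) <= gap <= WINDOW:  # load must precede the write
                    alerts.append({"pguid": pguid, "image": create["image"], "user": create["user"],
                                   "module": basename(load["image_loaded"]), "archive": f["target"],
                                   "seconds_after_load": gap.total_seconds()})
                    break  # one alert per archive
    return sorted(alerts, key=lambda a: a["pguid"])


def build_sample_events() -> list:
    """Constructed telemetry: two true chains, one baselined chain, two non-alerts."""
    T = "2026-03-01T"
    py = r"C:\Python311\python.exe"
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    clr = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"
    sic = r"C:\Windows\Microsoft.NET\assembly\System.IO.Compression.dll"  # shortened, constructed

    def pc(g, ts, image, parent, user="CORP\\alice"):
        return {"id": 1, "ts": T + ts, "pguid": g, "image": image, "parent_image": parent, "user": user}

    def ld(g, ts, module):
        return {"id": 7, "ts": T + ts, "pguid": g, "image_loaded": module}

    def fc(g, ts, target):
        return {"id": 11, "ts": T + ts, "pguid": g, "target": target}

    return [
        # P1: python loads zlib, writes a zip into a user temp dir 15 s later -> alert
        pc("P1", "10:00:00", py, r"C:\Windows\System32\cmd.exe"),
        ld("P1", "10:00:05", r"C:\Python311\DLLs\zlib1.dll"),
        fc("P1", "10:00:20", r"C:\Users\alice\AppData\Local\Temp\out.zip"),
        # P2: same chain under the approved backup scheduler -> suppressed by baseline
        pc("P2", "10:05:00", ps, r"C:\Program Files\BackupAgent\scheduler.exe", "NT AUTHORITY\\SYSTEM"),
        ld("P2", "10:05:01", clr), ld("P2", "10:05:02", sic),
        fc("P2", "10:05:30", r"D:\Backups\nightly.zip"),
        # P3: python writes a .zip name without loading any compression library -> no alert
        pc("P3", "10:10:00", py, r"C:\Windows\explorer.exe"),
        fc("P3", "10:10:01", r"C:\Users\alice\Documents\notes.zip"),
        # P4: unknown managed binary from Downloads loads clr + System.IO.Compression -> alert
        pc("P4", "10:20:00", r"C:\Users\bob\Downloads\tool.exe", r"C:\Windows\explorer.exe", "CORP\\bob"),
        ld("P4", "10:20:01", clr), ld("P4", "10:20:02", sic),
        fc("P4", "10:21:00", r"C:\Users\bob\AppData\Roaming\data.zip"),
        # P5: zlib load, but the archive appears hours later -> outside the window, no alert
        pc("P5", "10:30:00", py, r"C:\Windows\System32\cmd.exe"),
        ld("P5", "10:30:05", r"C:\Python311\DLLs\zlib1.dll"),
        fc("P5", "12:45:00", r"C:\Users\alice\Documents\late.zip"),
    ]


if __name__ == "__main__":
    for a in correlate(build_sample_events()):
        print(f"{a['pguid']} {a['user']} {basename(a['image'])} loaded {a['module']} "
              f"then wrote {a['archive']} {a['seconds_after_load']:.0f}s later")
```

Run stand-alone it reports only P1 and P4. P3 shows why the extension check cannot stand on its own, P5 shows the effect of the window, and P2 shows where a local baseline belongs: on process context (parent, user, path) rather than on the archive name. In production the same join would be expressed in the EDR or SIEM query language, with the module list and window tuned against the organization's own archiving behaviour.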
Mitigation priorities
- Ensure endpoint logging or EDR policy captures process execution, module/DLL loads, and file creation events needed for this analytic.
- Establish baselines for approved archive creation by scripts, administrative tools, developer workflows, and business applications.
- Review controls around scripting environments and custom binaries on Windows systems, especially where archive creation is not expected.
- Document evidence collection and retention requirements so incident responders can reconstruct archive creation timelines during investigations.
Analyst notes and limits
AN0747 describes a detection analytic for adversarial archiving behavior using compression libraries invoked by scripts or binaries on Windows. Its strongest operational value is as a coverage test for endpoint telemetry correlation. The object does not include ATT&CK tactics, relationship context, aliases, labels, or official detection implementation details.
This take is limited to the supplied ATT&CK fields. No claims are made about active exploitation, attribution, impact, or guaranteed detection. Local baselines, EDR capabilities, logging configuration, and business use of archiving tools are required to determine alert quality and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 0f400854045c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0747
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.