MITRE ATT&CK® Analytic

AN0748: Analytic 0748

Detects adversarial archiving by scripts or binaries calling compression libraries (libzip, zlib, bzip2). Correlates execution of Python, Perl, or compiled binaries with dynamic linking to archiving libraries and creation of compressed files in /tmp or user directories.

Enterprise | AN0748 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about spotting possible adversarial archiving on Linux when scripts or binaries use common compression libraries and create compressed files in temporary or user-writable locations. For leaders, the value is not just finding “zip files”; it is validating whether the organization can see potential data staging behavior before exfiltration or lateral movement evidence is lost in normal system noise.

Executive priority

Prioritize this as a data-protection and incident-readiness coverage question for Linux environments. Security leaders should ask whether SOC teams can distinguish routine compression activity from suspicious staging in /tmp and user directories, and whether telemetry exists to support investigations involving possible collection or packaging of files. This can support resilience, audit evidence, and incident decision-making, but the supplied ATT&CK object does not specify a tactic, relationship context, or guaranteed detection outcome.

Technical view

For SOC and detection engineering teams, validate whether Linux telemetry can correlate three evidence points: execution of Python, Perl, or compiled binaries; dynamic linking or loading of compression libraries such as libzip, zlib, or bzip2; and creation of compressed files in /tmp or user directories. Because no official detection logic is provided, teams should treat AN0748 as a detection design pattern and tune it against local baselines for backup jobs, package managers, developer workflows, CI/CD activity, and administrative scripts.

Likely telemetry

  • Linux process execution telemetry for Python, Perl, and compiled binaries
  • Dynamic library load or linking telemetry involving libzip, zlib, and bzip2
  • File creation telemetry for compressed archives in /tmp and user directories
  • User, parent process, command-line, working directory, and timestamp context for correlation
  • Host inventory or workload context to separate servers, developer systems, and automation hosts

Detection direction

  • Confirm that telemetry exists for both process execution and compressed file creation on Linux; file-only detections may produce excessive noise.
  • Validate whether dynamic library usage can be observed in the deployed sensor stack; this is a likely blind spot if only basic process logs are collected.
  • Baseline legitimate compression activity from backups, log rotation, build systems, package operations, and user workflows before alerting broadly.
  • Prioritize correlations where scripting languages or unusual compiled binaries create archives in /tmp or user directories outside expected maintenance windows or service accounts.
  • Use the analytic as a triage signal, not proof of malicious behavior, because the object provides no tactic mapping, relationships, or detection logic.
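The three-way correlation described in the Technical view and Detection direction sections, as an added example written for this page (it is not MITRE's or Glexia's detection logic). It assumes a sensor that emits per-PID exec, library-load and file-create events with timestamps; the events below are constructed, not real telemetry, and the window, path and extension lists are assumptions to tune against local baselines.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs). Each event carries the PID,
# user and a type-specific value (binary path, library path, or created file).
SAMPLE_EVENTS = [
    {"ts": 100, "pid": 4101, "ppid": 4100, "user": "dev1", "type": "exec", "value": "/usr/bin/python3"},
    {"ts": 101, "pid": 4101, "ppid": 4100, "user": "dev1", "type": "lib_load", "value": "/lib/x86_64-linux-gnu/libz.so.1"},
    {"ts": 103, "pid": 4101, "ppid": 4100, "user": "dev1", "type": "file_create", "value": "/tmp/.cache/out.zip"},
    # Benign: log rotation writes a compressed log under /var/log, not a staging directory.
    {"ts": 200, "pid": 5120, "ppid": 1, "user": "root", "type": "exec", "value": "/usr/bin/perl"},
    {"ts": 201, "pid": 5120, "ppid": 1, "user": "root", "type": "lib_load", "value": "/usr/lib/libbz2.so.1.0"},
    {"ts": 202, "pid": 5120, "ppid": 1, "user": "root", "type": "file_create", "value": "/var/log/syslog.1.bz2"},
    # Partial: compiled binary loads libzip, but the archive appears far outside the window.
    {"ts": 300, "pid": 6001, "ppid": 6000, "user": "svc", "type": "exec", "value": "/opt/app/collector"},
    {"ts": 301, "pid": 6001, "ppid": 6000, "user": "svc", "type": "lib_load", "value": "/usr/lib/libzip.so.5"},
    {"ts": 900, "pid": 6001, "ppid": 6000, "user": "svc", "type": "file_create", "value": "/home/svc/data.tar.gz"},
]

# Assumed patterns: the compression libraries named by AN0748, common archive
# extensions, and the temporary / user-writable locations the analytic calls out.
ARCHIVE_LIB = re.compile(r"/lib(z|zip|bz2)\.so")
ARCHIVE_FILE = re.compile(r"\.(zip|gz|tgz|bz2|tar|xz|7z)$")
STAGING_DIR = re.compile(r"^(/tmp|/var/tmp|/dev/shm|/home)/")

def correlate(events, window=60):
    """Return one alert per archive created in a staging directory by a PID
    whose exec and archive-library load both precede it within `window` seconds."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pid[ev["pid"]].append(ev)
    alerts = []
    for pid, evs in by_pid.items():
        execs = [e for e in evs if e["type"] == "exec"]
        libs = [e for e in evs if e["type"] == "lib_load" and ARCHIVE_LIB.search(e["value"])]
        files = [e for e in evs if e["type"] == "file_create"
                 and ARCHIVE_FILE.search(e["value"]) and STAGING_DIR.match(e["value"])]
        for f in files:
            # All three evidence points must line up; a file-only match is not enough.
            ex = [e for e in execs if 0 <= f["ts"] - e["ts"] <= window]
            lb = [e for e in libs if 0 <= f["ts"] - e["ts"] <= window]
            if ex and lb:
                alerts.append({"pid": pid, "user": f["user"], "binary": ex[-1]["value"],
                               "library": lb[-1]["value"], "archive": f["value"], "ts": f["ts"]})
    return alerts
```

With the sample data only PID 4101 alerts; the log-rotation case is dropped by the path filter and the collector case by the time window, which is where local baselining (service accounts, maintenance windows, parent process) would be added.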

Mitigation priorities

  • Reduce unnecessary write access and execution opportunities in temporary and user-writable locations where operationally feasible.
  • Harden Linux monitoring coverage for process, library, and file events needed to investigate archive creation.
  • Review administrative and automation use of compression so legitimate activity is documented and easier to suppress or explain.
  • Ensure incident response playbooks include collection of archive metadata, originating process details, user context, and surrounding file access activity.
  • Use data-handling and access-control reviews to limit the amount of sensitive material that can be staged by any single user or process.

Analyst notes and limits

AN0748 is a detection analytic, not a technique object. The available description is specific to Linux and to compression-library-assisted archiving by scripts or binaries. There are no supplied relationships, aliases, labels, tactic mappings, or official detection logic, so this take focuses on validation questions and telemetry requirements rather than asserting specific adversary behavior.

The supplied ATT&CK fields do not identify associated techniques, tactics, groups, software, procedures, or active exploitation. They also do not provide a concrete detection query. Local environment baselines are required to determine fidelity, expected false positives, and operational relevance.

Official MITRE ATT&CK definition

Analytic 0748

Detects adversarial archiving by scripts or binaries calling compression libraries (libzip, zlib, bzip2). Correlates execution of Python, Perl, or compiled binaries with dynamic linking to archiving libraries and creation of compressed files in /tmp or user directories.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 82257060b0c14300...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 82257060b0c1…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0748 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.