AN0782: Analytic 0782
Monitors for compression tool usage (e.g., 7zip, WinRAR, MakeCab) that follows or precedes file modification, suspicious file types (e.g., .exe, .dll) being compressed, or dropped from self-extracting archives followed by immediate execution.
Analyst context for executives and security teams
This analytic is about spotting suspicious archive activity on Windows: compression tools such as 7zip, WinRAR, or MakeCab being used around file modification, executable content being compressed, or files dropped from self-extracting archives and run immediately. For leaders, the value is not the archive tool itself—these tools are common—but whether the organization can distinguish normal packaging activity from behavior that may support staging, delivery, or execution of suspicious files.
Executive priority
Prioritize this as a coverage-validation item for Windows monitoring and incident readiness. Archive utilities are widely used in legitimate business workflows, so the business decision is whether SOC teams have enough endpoint and file telemetry to separate normal administrator, developer, installer, and helpdesk activity from higher-risk patterns involving executable files and immediate execution after extraction. This can support audit and incident-response evidence by showing whether the organization can reconstruct file creation, modification, compression, extraction, and process execution sequences.
Technical view
Validate monitoring for Windows process execution and file activity involving compression utilities and self-extracting archives. The analytic described by MITRE depends on sequence and context: compression tool usage before or after file modification, compression of suspicious file types such as .exe or .dll, and extracted files followed by immediate execution. Because no official detection logic is supplied, teams should define local baselines for legitimate archive usage and test whether telemetry can correlate parent/child processes, command-line arguments where available, file paths, file extensions, timestamps, and subsequent execution events.
Likely telemetry
- Windows process creation events for archive utilities such as 7zip, WinRAR, and MakeCab
- Command-line or process metadata for compression and extraction activity, where collected
- File creation and file modification telemetry around archive inputs and outputs
- File extension and path metadata for executable content such as .exe and .dll
- Parent/child process relationships for self-extracting archives and immediately executed dropped files
Detection direction
- Confirm the SOC can correlate file modification, compression, extraction, and execution events on Windows within a useful time window.
- Tune detections to focus on suspicious sequencing and file types rather than alerting on all archive-tool usage.
- Baseline legitimate use by administrators, software packaging teams, installers, developers, and helpdesk workflows to reduce false positives.
- Look for immediate execution of files dropped from self-extracting archives, especially when the dropped file is an executable or library type referenced by the analytic description.
- Document blind spots where command-line logging, file telemetry, or parent/child process tracking is incomplete, because those gaps directly affect this analytic.
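As an added illustration of the correlation the technical view and detection direction call for (this is example code, not part of the Glexia page or of MITRE's analytic, which ships no detection logic), the routine below runs over a handful of constructed Windows endpoint events and flags two of the described patterns: an archive utility invoked against an executable file type, and an executable dropped by a self-extracting archive and executed as that archive's child within a short window. The tool names, the 60-second "immediate" window, the event shape, and the use of parent/child linkage to tie the dropped file to the SFX are all assumptions to be replaced by local telemetry and baselines.

```python
"""Example correlation for AN0782-style archive activity over constructed events.

Assumptions (not from the page): event fields, tool list, file types, and window.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Archive utilities named by the analytic plus common process names (assumed list).
ARCHIVE_TOOLS = {"7z.exe", "7zg.exe", "winrar.exe", "rar.exe", "makecab.exe"}
# Executable content the analytic calls out; extend per local policy.
SUSPICIOUS_EXT = {".exe", ".dll", ".scr", ".cpl"}
# What "immediate execution" means here is an assumption; tune from baselining.
WINDOW = timedelta(seconds=60)


@dataclass
class Event:
    ts: datetime
    kind: str        # "process" (process creation) or "file" (file create/modify)
    pid: int         # process id of the acting process
    ppid: int        # parent process id
    image: str       # process image path (process) or written file path (file)
    cmdline: str = ""


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _ext(path: str) -> str:
    name = _basename(path)
    return name[name.rfind("."):] if "." in name else ""


def correlate(events, window=WINDOW):
    """Return (pattern, pid, detail) tuples for the sequences the analytic describes."""
    findings = []
    events = sorted(events, key=lambda e: e.ts)

    # Pattern 1: archive tool whose command line names an executable type, or that
    # writes an executable type within the window (compression of .exe/.dll).
    for e in events:
        if e.kind == "process" and _basename(e.image) in ARCHIVE_TOOLS:
            tokens = e.cmdline.replace('"', "").split()[1:]  # skip the tool itself
            if any(_ext(t) in SUSPICIOUS_EXT for t in tokens):
                findings.append(("archive_of_executable", e.pid, e.cmdline))
            for f in events:
                if (f.kind == "file" and f.pid == e.pid
                        and _ext(f.image) in SUSPICIOUS_EXT
                        and abs(f.ts - e.ts) <= window):
                    findings.append(("archive_tool_wrote_executable", e.pid, f.image))

    # Pattern 2: executable written by process P, then started as a child of P
    # shortly afterwards (self-extracting archive dropping and running a file).
    for f in events:
        if f.kind != "file" or _ext(f.image) not in SUSPICIOUS_EXT:
            continue
        for p in events:
            if (p.kind == "process" and p.image.lower() == f.image.lower()
                    and p.ppid == f.pid and timedelta(0) <= p.ts - f.ts <= window):
                findings.append(("dropped_then_executed", f.pid, p.image))
    return findings


# Constructed sample events (not real telemetry): one benign helpdesk archive job,
# one executable being compressed, and one SFX dropping a DLL and an EXE then
# launching the EXE as its child.
T0 = datetime(2026, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "process", 100, 50, r"C:\Program Files\7-Zip\7z.exe",
          r"7z.exe a logs.zip C:\logs\*.txt"),
    Event(T0 + timedelta(seconds=2), "file", 100, 50, r"C:\logs\logs.zip"),
    Event(T0 + timedelta(minutes=5), "process", 200, 51, r"C:\Program Files\7-Zip\7z.exe",
          r"7z.exe a C:\Users\u\stage.7z C:\Users\u\tool.exe"),
    Event(T0 + timedelta(minutes=10), "process", 300, 52,
          r"C:\Users\u\Downloads\setup_sfx.exe", "setup_sfx.exe"),
    Event(T0 + timedelta(minutes=10, seconds=1), "file", 300, 52,
          r"C:\Users\u\AppData\Local\Temp\helper.dll"),
    Event(T0 + timedelta(minutes=10, seconds=1), "file", 300, 52,
          r"C:\Users\u\AppData\Local\Temp\run.exe"),
    Event(T0 + timedelta(minutes=10, seconds=3), "process", 301, 300,
          r"C:\Users\u\AppData\Local\Temp\run.exe", "run.exe"),
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The benign log-archiving job produces no finding, which is the point of keying on file types and sequencing rather than on archive-tool execution alone. In a real deployment the `Event` records would be populated from sources such as Sysmon process-creation and file-creation events or an EDR's equivalents, and the window and tool list would come from the baselining step above; the parent/child linkage in pattern 2 is exactly the telemetry the blind-spot review should confirm is present.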
Mitigation priorities
- Ensure endpoint logging is configured to capture process execution and relevant file activity on Windows systems.
- Review whether archive utilities are expected in sensitive environments and whether usage can be governed through standard software management controls.
- Apply least-privilege and application-control principles where appropriate so unexpected execution from extracted content is harder to achieve.
- Maintain incident-response playbooks that preserve archive files, extracted contents, process trees, and file timeline evidence.
- Use baselining before enforcement or high-severity alerting, since compression tools have many legitimate operational uses.
Analyst notes and limits
This object is a detection analytic, not a technique or campaign. The supplied ATT&CK fields identify Windows as the platform and describe behavioral patterns involving compression tools, suspicious file types, and self-extracting archives. No tactics, relationships, aliases, labels, or official detection logic were supplied, so this assessment is framed as validation guidance rather than a claim of ATT&CK-mapped coverage.
The source data is sparse: there is no official detection query, no related techniques or groups, and no tactic context. Local environment evidence is required to determine normal archive-tool usage, useful time windows, event-source availability, alert severity, and false-positive handling.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | cea97aac7860… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0782 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.