MITRE ATT&CK® Analytic

AN0831: Analytic 0831

Detects adversarial archiving using built-in or third-party utilities (makecab, diantz, xcopy, certutil, 7z, WinRAR, WinZip). Correlates suspicious process creation events with command-line arguments for compression/encoding, followed by creation of archive files (.cab, .zip, .7z, .rar). Identifies anomalous loading of crypt32.dll for encryption operations or execution of diantz.exe to compress remotely staged files.

Enterprise ATT&CK · Analytic AN0831 · Object version 1.0

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

AN0831 is a Windows detection analytic for spotting suspicious archiving activity before or during data staging. Archive creation is often the point where scattered files become a single portable, compressible and optionally encoded or encrypted object, which makes it a useful control point for SOC and incident response teams investigating possible data collection or preparation for exfiltration. The analytic is not proof of malicious activity by itself, because the same archive tools are used legitimately every day, but it tells leaders whether the organization can actually see high-risk compression and encoding behavior across endpoints.

Executive priority

Prioritize this as a visibility and response-readiness check for Windows environments. Security leaders should confirm whether endpoint logging captures process creation, command-line arguments, DLL loading, and archive file creation well enough to support investigations. The main decision value is distinguishing normal administrative or user archiving from suspicious creation of .cab, .zip, .7z, or .rar files using built-in or third-party utilities. This can support incident triage, data protection investigations, compliance evidence around monitoring, and budget decisions for endpoint telemetry coverage.

Technical view

For SOC and detection engineering teams, validate coverage for Windows process creation involving makecab, diantz, xcopy, certutil, 7z, WinRAR, and WinZip, especially when the command line indicates compression or encoding and the process is followed by creation of .cab, .zip, .7z, or .rar files. Two details matter for tuning: diantz.exe is functionally the same cabinet compressor as makecab.exe, so it should be treated identically even though it is rarely seen in normal use, and certutil's -encode and -decode switches perform base64 encoding, which is why the analytic lists certutil alongside the compressors. xcopy does not compress anything; in this context its role is copying files into a staging location before they are archived. The analytic also calls out anomalous loading of crypt32.dll, the Windows CryptoAPI library, for encryption operations, and execution of diantz.exe to compress remotely staged files. crypt32.dll is loaded by many legitimate processes, so the load is context for an archiving event rather than a signal on its own. Because no ATT&CK tactic or relationship context is supplied, treat this as a behavior-focused analytic rather than mapping it to a specific campaign or technique chain from the provided object alone.

Likely telemetry

  • Windows process creation events
  • Command-line argument logging
  • File creation events for archive extensions such as .cab, .zip, .7z, and .rar
  • Image/module load telemetry, especially crypt32.dll where available
  • Execution telemetry for built-in and third-party archive-related utilities including makecab, diantz, xcopy, certutil, 7z, WinRAR, and WinZip

Detection direction

  • Correlate archive-related process execution with command-line indicators of compression or encoding and subsequent archive file creation.
  • Baseline expected archive utility usage by administrators, software deployment tools, backup workflows, and normal user activity to reduce false positives.
  • Pay special attention to uncommon use of built-in Windows utilities for archiving or encoding where the environment normally relies on standard user-facing compression tools.
  • Validate whether endpoint tooling captures full command lines and file creation events; without both, the analytic may lose important context.
  • If module load telemetry is collected, review anomalous crypt32.dll loading in the context of archive or encryption-related activity rather than treating DLL loading alone as conclusive.

Mitigation priorities

  • First, ensure Windows endpoint telemetry is complete enough to support process, command-line, file creation, and relevant module-load analysis.
  • Next, define normal business use cases for archive utilities and document approved administrative, backup, and software packaging workflows.
  • Tune detections around suspicious combinations of utility, arguments, file extension, parent process, user context, and destination path rather than alerting on archive creation alone.
  • Prepare incident response playbooks to preserve the archive file, source file paths, process tree, user context, and nearby activity when this analytic fires.
  • Use the resulting evidence to support broader data protection, monitoring, and compliance readiness discussions, while avoiding assumptions of exfiltration without additional evidence.
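
The correlation described in the Detection direction and Mitigation priorities lists above, as an added example that is not part of the original page and is not MITRE's or Glexia's detection content. It runs over constructed Sysmon-shaped events (process creation, file creation, image load) and scores each archive-utility execution by the combination of utility, command-line arguments, archive file creation, UNC (remote) input and crypt32.dll loading, while suppressing a documented workflow by parent process. The 120-second window, the scoring weights, the WinZip CLI binary name wzzip.exe, the approved parent agent.exe and all event data are assumptions made for the example.

```python
"""AN0831-style correlation: archive/encoding utility execution followed by archive
file creation, with crypt32.dll loads and UNC (remote) staging as context. Example
code written for this page, not MITRE's or Glexia's content; all events are constructed."""
import re
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=120)          # max gap between process start and archive write
ARCHIVE_EXT = re.compile(r"\.(cab|zip|7z|rar)$", re.I)
UNC_PATH = re.compile(r"\\\\[\w.-]+\\")  # \\server\share: input staged from another host

# Image name -> command-line pattern meaning "compress or encode". makecab/diantz only
# compress, so any argument counts; certutil -encode/-decode is base64; 7z/rar 'a' adds
# to an archive. The WinZip CLI name wzzip.exe is an assumption about what is deployed.
TRIGGERS = {
    "makecab.exe": re.compile(r"\S+\s+\S"),
    "diantz.exe": re.compile(r"\S+\s+\S"),
    "certutil.exe": re.compile(r"\s-(encode|decode|encodehex|decodehex)\b", re.I),
    "7z.exe": re.compile(r"\s[au]\s", re.I),
    "rar.exe": re.compile(r"\s[am]\s", re.I),
    "winrar.exe": re.compile(r"\s[am]\s", re.I),
    "wzzip.exe": re.compile(r"\s-a\b", re.I),
}
APPROVED_PARENTS = {"agent.exe"}  # constructed baseline: a documented backup workflow

# Constructed Sysmon-shaped events: id 1 = ProcessCreate, 11 = FileCreate, 7 = ImageLoad.
EVENTS = [
    {"id": 1, "t": "2025-03-04T10:00:00", "host": "WS01", "user": r"CORP\bob", "guid": "G1",
     "image": r"C:\Windows\System32\makecab.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"makecab.exe C:\Users\bob\Documents\finance.xlsx C:\Users\bob\AppData\Local\Temp\f.cab"},
    {"id": 11, "t": "2025-03-04T10:00:01", "host": "WS01", "guid": "G1",
     "file": r"C:\Users\bob\AppData\Local\Temp\f.cab"},
    {"id": 1, "t": "2025-03-04T10:00:05", "host": "WS01", "user": r"CORP\bob", "guid": "G2",
     "image": r"C:\Windows\System32\certutil.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"certutil -encode C:\Users\bob\AppData\Local\Temp\f.cab C:\Users\bob\AppData\Local\Temp\f.txt"},
    {"id": 7, "t": "2025-03-04T10:00:05", "host": "WS01", "guid": "G2",
     "loaded": r"C:\Windows\System32\crypt32.dll"},
    {"id": 1, "t": "2025-03-04T02:00:00", "host": "WS01", "user": r"NT AUTHORITY\SYSTEM", "guid": "G3",
     "image": r"C:\Program Files\7-Zip\7z.exe", "parent": r"C:\Program Files\AcmeBackup\agent.exe",
     "cmdline": r'"C:\Program Files\7-Zip\7z.exe" a -t7z D:\Backups\nightly.7z C:\Data\*'},
    {"id": 11, "t": "2025-03-04T02:00:09", "host": "WS01", "guid": "G3", "file": r"D:\Backups\nightly.7z"},
    {"id": 1, "t": "2025-03-04T11:30:00", "host": "WS02", "user": r"CORP\alice", "guid": "G4",
     "image": r"C:\Windows\System32\diantz.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"diantz.exe \\fileserver\hr$\salaries.csv C:\ProgramData\s.cab"},
    {"id": 11, "t": "2025-03-04T11:30:02", "host": "WS02", "guid": "G4", "file": r"C:\ProgramData\s.cab"},
    {"id": 1, "t": "2025-03-04T12:00:00", "host": "WS02", "user": r"CORP\carol", "guid": "G5",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\carol\Downloads\photos.rar'},
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def detect(events: list) -> list:
    """One alert per utility execution scoring >= 2 that is not baselined. Weights:
    trigger args +1, UNC input +1, archive written by the same process +2 (by another
    process on the host within WINDOW +1), crypt32.dll loaded by the process +1."""
    files = [e for e in events if e["id"] == 11]
    loads = [e for e in events if e["id"] == 7]
    alerts = []
    for p in (e for e in events if e["id"] == 1):
        image = p["image"].rsplit("\\", 1)[-1].lower()
        trig = TRIGGERS.get(image)
        if not trig or not trig.search(p["cmdline"]):
            continue                     # not a listed utility, or no compress/encode arguments
        parent = p["parent"].rsplit("\\", 1)[-1].lower()
        if parent in APPROVED_PARENTS:
            continue                     # documented workflow: part of the baseline, no alert
        start, score = _ts(p["t"]), 1
        reasons = [f"{image} run with compression/encoding arguments"]
        if UNC_PATH.search(p["cmdline"]):
            score += 1
            reasons.append("UNC path on the command line: input staged from a remote host")
        later = [f for f in files if f["host"] == p["host"] and ARCHIVE_EXT.search(f["file"])
                 and start <= _ts(f["t"]) <= start + WINDOW]
        own = [f["file"] for f in later if f["guid"] == p["guid"]]
        if own:
            score += 2
            reasons.append("archive written by the same process: " + ", ".join(own))
        elif later:
            score += 1
            reasons.append("archive written on the same host within the window")
        if any(ld["guid"] == p["guid"] and ld["loaded"].lower().endswith("\\crypt32.dll")
               for ld in loads):
            score += 1
            reasons.append("crypt32.dll loaded (routine for certutil; context, not proof)")
        if score >= 2:
            alerts.append({"host": p["host"], "user": p["user"], "image": image, "parent": parent,
                           "cmdline": p["cmdline"], "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"[{a['score']}] {a['host']} {a['user']} {a['image']} (parent: {a['parent']})")
        for r in a["reasons"]:
            print("    -", r)
```

Three of the five executions alert: makecab writing f.cab from a user's Documents folder, certutil -encode with the crypt32.dll load, and diantz compressing a file read over a UNC path. The WinRAR event shows why the archive extension alone is not a trigger (opening photos.rar carries no add command), and the 7z event under the backup agent shows the baseline suppressing a documented workflow. In production the allowlist should key on user, destination path and the signed image as well as the parent name, since a parent name alone is trivially imitated by a renamed binary.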

Analyst notes and limits

This object is a detection analytic, not a full ATT&CK technique entry. The supplied fields support Windows-focused detection of adversarial archiving behavior using named built-in and third-party utilities, archive file creation, and crypt32.dll or diantz.exe context. There are no supplied relationships, aliases, labels, or tactics, so any campaign, actor, impact, or technique-chain interpretation would require additional evidence outside this object.

Official detection content is not provided, and no relationship context is supplied. The analytic identifies suspicious conditions but does not establish malicious intent by itself. Local baselines, endpoint logging configuration, and business-approved archiving workflows are required to judge fidelity and operational risk.

Official MITRE ATT&CK definition

Analytic 0831

View the same entry on attack.mitre.org (MITRE-hosted reference). In-page links above use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created
Modified
Raw hash: 8e5dac7882d1a125...
Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 8e5dac7882d1…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack: AN0831

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.