AN0832: Analytic 0832
Detects execution of archiving utilities (tar, gzip, bzip2, xz, zip, openssl) followed by suspicious archive file creation. Correlates archive creation in temporary or staging directories with execution of commands involving compression or encryption options.
Analyst context for executives and security teams
AN0832 is a Linux-focused detection analytic for spotting command-line archiving and compression activity that creates suspicious archive files, especially in temporary or staging locations. For leaders, the value is not the tool names themselves—tar, gzip, bzip2, xz, zip, and openssl are common administrative utilities—but whether the organization can distinguish normal packaging activity from possible staging of data for movement, concealment, or later action.
Executive priority
Prioritize this analytic where Linux systems host sensitive data, operational workloads, or regulated information. It helps validate whether SOC and incident response teams can see archive creation in places attackers may use for staging. The main business question is: do we have enough Linux process and file telemetry to prove when bulk compression or encryption-like archiving happens, and can we separate routine administration from suspicious staging behavior?
Technical view
Validate coverage for Linux process execution and file creation involving archiving utilities named in the ATT&CK description: tar, gzip, bzip2, xz, zip, and openssl. The analytic concept is correlation-based: command execution with compression or encryption options followed by archive file creation in temporary or staging directories. Because no official detection logic is supplied, teams should implement or review local logic against their own paths, command-line patterns, and known administrative workflows.
Likely telemetry
- Linux process execution events with command-line arguments
- File creation events for archive outputs
- Directory/path context for temporary or staging locations
- User, parent process, host, and timestamp context for correlation
- Allowlist or baseline data for legitimate backup, deployment, packaging, and log-rotation activity
Detection direction
- Confirm that Linux command-line arguments are captured for the listed utilities; process names alone are likely insufficient.
- Correlate archive creation with recent execution of compression or encryption-related commands rather than alerting only on utility execution.
- Tune for temporary and staging directories, while accounting for legitimate build, backup, software packaging, and operations workflows.
- Review false positives from system maintenance, CI/CD jobs, package creation, and administrator troubleshooting.
- Use local baselines to identify unusual users, hosts, parent processes, paths, file names, or execution timing.
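The correlation concept described in the technical view and the detection direction above, as an added Python example; this is not code from the ATT&CK object or from this page's author. The sample process and file events, the staging directories, the archive suffixes, the 120-second window and the parent-process allowlist are all constructed assumptions to be replaced with local telemetry and baselines.

```python
import os
import re
import shlex
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Archiving utilities named in AN0832.
ARCHIVERS = {"tar", "gzip", "bzip2", "xz", "zip", "openssl"}
# Assumed staging locations and archive suffixes; tune to the local environment.
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
ARCHIVE_SUFFIXES = (".tar", ".tgz", ".tar.gz", ".gz", ".bz2", ".xz", ".zip", ".enc")
# Hypothetical baseline: parent processes that legitimately archive on these hosts.
BASELINE_PARENTS = {"logrotate", "cron"}
WINDOW = timedelta(seconds=120)  # assumed maximum gap between command and file creation


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    pid: int
    kind: str          # "process" (execution with command line) or "file" (creation)
    detail: str        # command line for process events, created path for file events
    parent: str = ""   # parent process name, process events only


def is_compress_or_encrypt(cmdline: str) -> bool:
    """True when the command runs a listed archiver in a mode that produces
    compressed or encrypted output rather than extracting or decrypting."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return False
    if not argv:
        return False
    util = os.path.basename(argv[0])
    if util not in ARCHIVERS:
        return False
    opts = argv[1:]
    if util == "tar":
        if "--create" in opts:
            return True
        # Short or old-style flag cluster such as -czf / czf: 'c' creates, 'x' extracts.
        first = opts[0] if opts else ""
        return bool(re.fullmatch(r"-?[A-Za-z]+", first)) and "c" in first and "x" not in first
    if util in {"gzip", "bzip2", "xz"}:
        return not any(o in ("-d", "--decompress", "--uncompress") for o in opts)
    if util == "zip":
        return True
    if util == "openssl":
        return "enc" in opts and "-d" not in opts
    return False


def is_staged_archive(path: str) -> bool:
    """Archive-looking file written into one of the assumed staging directories."""
    return path.startswith(STAGING_DIRS) and path.lower().endswith(ARCHIVE_SUFFIXES)


def correlate(events: List[Event]) -> List[Dict[str, str]]:
    """One alert per staged archive creation that follows, within WINDOW, a
    compression/encryption command by the same user on the same host.
    The most recent qualifying command is attached as the likely source."""
    alerts = []
    procs = [e for e in events if e.kind == "process" and is_compress_or_encrypt(e.detail)]
    for f in sorted((e for e in events if e.kind == "file"), key=lambda e: e.ts):
        if not is_staged_archive(f.detail):
            continue
        candidates = [p for p in procs
                      if p.host == f.host and p.user == f.user
                      and timedelta(0) <= f.ts - p.ts <= WINDOW]
        if not candidates:
            continue
        p = max(candidates, key=lambda e: e.ts)
        if p.parent in BASELINE_PARENTS:
            continue  # known maintenance workflow: baseline activity, not an alert
        alerts.append({"host": f.host, "user": f.user, "path": f.detail,
                       "cmdline": p.detail, "parent": p.parent})
    return alerts


# Constructed sample telemetry covering the cases the analytic needs to separate.
T0 = datetime(2024, 1, 1, 3, 0, 0)
SAMPLE_EVENTS = [
    # Log rotation: compression, but the output is not in a staging directory.
    Event(T0, "web01", "root", 4101, "process", "gzip /var/log/nginx/access.log.1", parent="logrotate"),
    Event(T0 + timedelta(seconds=1), "web01", "root", 4101, "file", "/var/log/nginx/access.log.1.gz"),
    # Interactive service account bundling report data into /dev/shm, then encrypting it.
    Event(T0 + timedelta(minutes=10), "db02", "svc_report", 5120, "process",
          "tar -czf /dev/shm/.cache.tgz /srv/reports", parent="bash"),
    Event(T0 + timedelta(minutes=10, seconds=5), "db02", "svc_report", 5120, "file", "/dev/shm/.cache.tgz"),
    Event(T0 + timedelta(minutes=10, seconds=30), "db02", "svc_report", 5133, "process",
          "openssl enc -aes-256-cbc -salt -in /dev/shm/.cache.tgz -out /dev/shm/.cache.enc", parent="bash"),
    Event(T0 + timedelta(minutes=10, seconds=31), "db02", "svc_report", 5133, "file", "/dev/shm/.cache.enc"),
    # Extraction into /opt: archiver execution alone is not enough to alert.
    Event(T0 + timedelta(minutes=20), "db02", "deploy", 6001, "process",
          "tar -xzf /tmp/release.tgz -C /opt/app", parent="bash"),
    # Scheduled backup writing to /tmp under cron: suppressed by the baseline allowlist.
    Event(T0 + timedelta(minutes=30), "web01", "backup", 7001, "process",
          "tar -cf /tmp/etc-backup.tar /etc", parent="cron"),
    Event(T0 + timedelta(minutes=30, seconds=2), "web01", "backup", 7001, "file", "/tmp/etc-backup.tar"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, only the two /dev/shm files from the interactive session produce alerts: the log-rotation output is outside the staging set, the extraction never creates an archive, and the cron-driven backup is suppressed by the allowlist. In production the host/user join would be replaced by whatever key the local telemetry supports (process id or audit session id is tighter than user), and the allowlist by the baseline ownership data called for under mitigation priorities.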
Mitigation priorities
- Establish baseline ownership for legitimate Linux archiving workflows such as backups, deployments, and log handling.
- Ensure endpoint or host logging captures process command lines and file creation metadata on relevant Linux systems.
- Apply least privilege and appropriate write controls to sensitive directories and staging locations where feasible.
- Create incident triage playbooks for suspicious archive creation that include user validation, source process review, file location review, and data-sensitivity assessment.
- Use the analytic as supporting evidence for SOC readiness, IR scoping, and compliance monitoring where Linux systems process sensitive data.
Analyst notes and limits
This object is a detection analytic, not a technique. The supplied ATT&CK fields provide the analytic purpose, Linux platform scope, utility names, and correlation concept, but no tactic, relationship context, or official detection implementation. Treat it as a coverage validation prompt rather than a complete rule.
The official detection field is not provided and no relationships are supplied. The analytic does not by itself establish maliciousness because the named utilities are common on Linux. Local telemetry, baselines, directory definitions, and business context are required to make the detection operationally reliable.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4033f5c3aa07… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0832 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.