AN1458: Analytic 1458
Detects adversarial archiving of files prior to exfiltration by correlating execution of compression/encryption utilities (e.g., makecab.exe, rar.exe, 7z.exe, powershell Compress-Archive) with subsequent creation of large compressed or encrypted files. Identifies abnormal process lineage involving crypt32.dll usage, command-line arguments invoking compression switches, and file write operations to temporary or staging directories.
Analyst context for executives and security teams
This analytic matters because file archiving is often a preparation step before data leaves the environment. On Windows, it focuses on spotting compression or encryption utilities being used to create unusually large archive-like files in temporary or staging locations. For leaders, the value is not just “detect 7z or PowerShell”; it is confirming whether the organization can see data staging activity early enough to support incident response before potential exfiltration.
Executive priority
Prioritize this as a data-loss readiness control for Windows environments. Ask whether SOC and IR teams can prove they collect process execution, command-line, file-write, and size/location evidence needed to identify suspicious archive creation. This is useful for operational resilience, investigation speed, and compliance evidence around monitoring of sensitive data handling, but it should not be treated as proof of exfiltration by itself.
Technical view
Validate correlation on Windows between execution of compression/encryption utilities such as makecab.exe, rar.exe, 7z.exe, and PowerShell Compress-Archive, followed by creation of large compressed or encrypted files. Focus on command-line compression switches, process lineage, crypt32.dll usage where visible, and writes to temporary or staging directories. Because no official ATT&CK detection logic is supplied, teams should implement and test local thresholds for file size, archive extensions, parent processes, and expected administrative packaging activity.
Likely telemetry
- Windows process creation telemetry with executable path, parent process, and command line
- PowerShell execution telemetry showing Compress-Archive usage where collected
- File creation and file write telemetry including path, extension, size, and timestamp
- Module or library load telemetry capable of showing crypt32.dll usage where available
- EDR or endpoint telemetry linking process lineage to subsequent archive file creation
Detection direction
- Correlate archive/compression utility execution with large compressed or encrypted file creation shortly afterward.
- Tune for abnormal parent-child process lineage rather than utility name alone, because legitimate administrators and software tools may use compression.
- Baseline expected archive creation by backup, deployment, packaging, and helpdesk workflows to reduce false positives.
- Pay attention to temporary or staging directories, especially when archive creation is not part of a known business process.
- Validate whether telemetry captures command-line arguments and file size; without both, this analytic may have weak fidelity.
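To make the correlation in the Technical view and Detection direction concrete, here is an added example (not code from the ATT&CK object or from Glexia) that runs the logic over a few constructed Windows-style process-creation and file-write events: it flags an archiver invocation with compression switches, skips a baselined parent process, and requires a large archive-extension write to a staging directory within a time window. The utility list, switch patterns, staging directories, 50 MB threshold, 10-minute window, approved-parent baseline and all sample events are assumptions to be replaced with local values.

```python
"""Correlate compression-utility execution with subsequent large archive writes.

Added example, not part of the ATT&CK object or the Glexia page. All tuning
values below are assumed placeholders for a local baseline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed local tuning values.
ADD_COMMAND_UTILITIES = {"7z.exe", "7za.exe", "rar.exe"}   # use an 'a' (add) command
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".cab", ".gz", ".tar"}
STAGING_DIRS = ("c:\\windows\\temp\\", "c:\\users\\public\\",
                "\\appdata\\local\\temp\\", "c:\\perflogs\\")
SIZE_THRESHOLD_BYTES = 50 * 1024 * 1024          # assumed: 50 MB
WINDOW = timedelta(minutes=10)                    # assumed correlation window
APPROVED_PARENTS = {"ccmexec.exe", "backupagent.exe"}  # assumed baselined parents


@dataclass
class ProcessEvent:
    ts: datetime
    host: str
    user: str
    pid: int
    image: str
    parent_image: str
    command_line: str


@dataclass
class FileEvent:
    ts: datetime
    host: str
    pid: int
    path: str
    size: int


def _base(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def _ext(path: str) -> str:
    name = path.rsplit("\\", 1)[-1]
    return ("." + name.rsplit(".", 1)[-1]) if "." in name else ""


def is_archiver_invocation(p: ProcessEvent) -> bool:
    """True when the command line actually creates an archive (not extracts one)."""
    img = _base(p.image)
    cmd = p.command_line.lower()
    if img in POWERSHELL_IMAGES:
        return "compress-archive" in cmd
    if img in ADD_COMMAND_UTILITIES:
        return " a " in f" {cmd} "          # 'a' = add-to-archive for 7-Zip and WinRAR
    return img == "makecab.exe"


def is_password_protected(p: ProcessEvent) -> bool:
    """-p / -hp on 7-Zip or WinRAR; gated on utility so '-Path' is not mistaken."""
    if _base(p.image) not in ADD_COMMAND_UTILITIES:
        return False
    return any(tok.startswith(("-p", "-hp")) for tok in p.command_line.split())


def is_large_staged_archive(f: FileEvent) -> bool:
    path = f.path.lower()
    return (_ext(path) in ARCHIVE_EXTENSIONS
            and f.size >= SIZE_THRESHOLD_BYTES
            and any(d in path for d in STAGING_DIRS))


def correlate(procs, files):
    """Pair archiver invocations with a large staged archive written by the same process."""
    alerts = []
    staged = [f for f in files if is_large_staged_archive(f)]
    for p in procs:
        if not is_archiver_invocation(p):
            continue
        if _base(p.parent_image) in APPROVED_PARENTS:
            continue                         # baselined deployment/backup workflow
        for f in staged:
            # Same host and pid keeps the link tight; walk lineage if the EDR
            # attributes the write to a child process instead.
            if f.host == p.host and f.pid == p.pid and p.ts <= f.ts <= p.ts + WINDOW:
                alerts.append({
                    "host": p.host, "user": p.user, "pid": p.pid,
                    "utility": _base(p.image), "parent": _base(p.parent_image),
                    "command_line": p.command_line, "archive": f.path,
                    "size_mb": f.size // (1024 * 1024),
                    "password_protected": is_password_protected(p),
                    "seconds_after_exec": int((f.ts - p.ts).total_seconds()),
                })
    return alerts


# Constructed sample telemetry (not real hosts, users or files).
T0 = datetime(2026, 1, 15, 9, 0, 0)
SAMPLE_PROCESSES = [
    ProcessEvent(T0, "WS01", "corp\\jdoe", 4120, r"C:\Tools\7z.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r"7z.exe a -mx9 -pS3cret C:\Windows\Temp\docs.7z C:\Users\jdoe\Documents"),
    ProcessEvent(T0 + timedelta(minutes=2), "WS02", "corp\\svc_sccm", 880,
                 r"C:\Windows\System32\makecab.exe", r"C:\Windows\CCM\CcmExec.exe",
                 r"makecab.exe /F C:\Windows\Temp\pkg.ddf"),
    ProcessEvent(T0 + timedelta(minutes=5), "WS03", "corp\\asmith", 5210,
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe",
                 r'powershell.exe -Command "Compress-Archive -Path C:\Finance\* '
                 r'-DestinationPath C:\Users\Public\report.zip"'),
    ProcessEvent(T0 + timedelta(minutes=6), "WS04", "corp\\bkim", 6001,
                 r"C:\Program Files\WinRAR\rar.exe", r"C:\Windows\explorer.exe",
                 r"rar.exe x C:\Users\bkim\Downloads\tool.rar C:\Users\bkim\Desktop"),
]
SAMPLE_FILES = [
    FileEvent(T0 + timedelta(seconds=40), "WS01", 4120, r"C:\Windows\Temp\docs.7z", 210 * 1024 * 1024),
    FileEvent(T0 + timedelta(minutes=2, seconds=30), "WS02", 880, r"C:\Windows\Temp\pkg.cab", 120 * 1024 * 1024),
    FileEvent(T0 + timedelta(minutes=5, seconds=50), "WS03", 5210, r"C:\Users\Public\report.zip", 95 * 1024 * 1024),
    FileEvent(T0 + timedelta(minutes=7), "WS04", 6001, r"C:\Users\bkim\Desktop\tool.exe", 3 * 1024 * 1024),
]


def run_sample():
    return correlate(SAMPLE_PROCESSES, SAMPLE_FILES)


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

Run as written, the sample yields two alerts (WS01 and WS03): the makecab run on WS02 is suppressed because its parent is in the approved baseline, and the WinRAR run on WS04 is an extract (`x`) rather than an add, so it never qualifies. The crypt32.dll module-load signal named in the analytic is not modeled here; in a real pipeline it would be a third event stream joined on host and pid in the same way.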
Mitigation priorities
- First ensure endpoint logging and retention can support the required process, command-line, file-write, and file-size correlation.
- Define approved administrative and software-deployment use cases for compression utilities and document expected paths and parent processes.
- Apply least-privilege and access controls so users and processes cannot unnecessarily collect or stage large amounts of sensitive data.
- Use detection results to trigger IR triage of the creating account, host, source directories, archive contents where authorized, and any subsequent outbound activity.
- Pair this analytic with data protection and egress monitoring controls; archive creation detection alone does not prevent data loss.
Analyst notes and limits
The supplied object is a detection analytic for Windows only. It provides a strong descriptive detection concept but no official detection block, no tactic field, and no relationship context. The description supports focusing on adversarial archiving prior to exfiltration, compression/encryption utilities, crypt32.dll usage, command-line compression switches, and large file writes to temporary or staging directories.
This take is limited to the official STIX fields and external reference provided. It does not establish active exploitation, attribution, prevalence, guaranteed coverage, or impact. Local baselines, telemetry quality, retention, and business-approved archive workflows are required to determine practical effectiveness.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e1d97beb6693… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1458
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.