MITRE ATT&CK® Detection Strategy

DET0281: Detection Strategy for Compressed Payload Creation and Execution

Enterprise | DET0281 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0281 is a detection strategy for identifying when compressed payloads are created and executed, tied to ATT&CK technique T1027.015 Compression. The practical risk is that compression can help adversaries hide payloads or files and make transfer easier, reducing the value of controls that only inspect obvious script, binary, or file names. For leaders, this is a coverage validation topic: can the organization see suspicious archive creation, unpacking, and execution paths across Linux, macOS, and Windows where the related technique applies?

Executive priority

Prioritize this as a SOC and incident-response readiness question rather than a standalone tool purchase. Ask whether security teams can produce audit-ready evidence showing visibility into compressed files and payload execution, especially where compressed content could affect malware triage, endpoint containment, cloud workload investigations, or regulated system evidence preservation. Because the ATT&CK detection strategy has no official detection text or platform field, local validation is required before claiming coverage.

Technical view

The supplied relationship says this strategy detects T1027.015 Compression, a stealth-related enterprise technique on Linux, macOS, and Windows. Detection engineering should validate visibility for archive creation, extraction, file writes, process execution from recently extracted paths, and cases where compressed content is stored or unpacked in unusual locations. IR teams should ensure investigations can connect archive artifacts to subsequent execution events rather than treating archive activity as benign file handling by default.

Likely telemetry

  • Endpoint process creation and command-line telemetry
  • File creation, modification, extraction, and archive metadata
  • Parent-child process relationships around compression and execution utilities
  • Endpoint detection events for newly written or unpacked executables/scripts
  • Registry or fileless-storage related evidence where compressed content may be stored, if available

Detection direction

  • Validate correlations between compressed file creation/extraction and later execution, not just the presence of archive utilities.
  • Tune for context: compression is common in administration, development, backup, and software deployment workflows, so baselines and allowlists should be environment-specific.
  • Look for blind spots where archives are created or unpacked in temporary, user-writable, application cache, or service-account locations before execution.
  • Confirm whether telemetry captures archive-related command lines and file paths on Linux, macOS, and Windows, because the detection strategy itself does not specify platforms.
  • Use the relationship to T1027.015 as the analytic anchor; do not infer broader obfuscation coverage without separate validation.
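The telemetry and detection-direction points above describe one analytic: link an archive tool's file writes to a later process launch that executes or references one of those files, weight the alert by where the file landed, and suppress environment-specific workflows. The block below is an added example of that correlation, written for this page and not MITRE or Glexia detection logic. It assumes a simplified event schema (process and file-create events carrying host, pid, timestamp, image, command line, user and path), a tool list and risky-directory list that are illustrative rather than authoritative, a hypothetical CI allowlist, a ten-minute window, and constructed sample events for Linux and Windows hosts.

```python
# Added example (not MITRE or Glexia code): correlate archive-tool activity with
# later execution of the files it wrote, over constructed sample telemetry.
import fnmatch
import ntpath
import posixpath
from datetime import datetime, timedelta

# Illustrative, not exhaustive: image basenames that create or unpack archives.
ARCHIVE_TOOLS = {"tar", "unzip", "gzip", "gunzip", "xz", "7z", "7z.exe",
                 "unrar", "zip", "expand.exe"}
# PowerShell/Python archive handling shows up in the command line, not the image name.
ARCHIVE_CMD_MARKERS = ("expand-archive", "zipfile", "unpack_archive")
# Locations where execution of freshly unpacked content is most suspicious (lowercase).
RISKY_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/*/downloads/",
              "c:\\users\\*\\appdata\\local\\temp\\", "c:\\windows\\temp\\",
              "c:\\users\\*\\downloads\\")
# Hypothetical environment-specific allowlist: (path glob, expected user).
ALLOWLIST = (("/opt/ci/workspace/*", "ci-runner"),)
WINDOW = timedelta(minutes=10)  # extraction-to-execution window; tune per environment


def basename(path):
    name = ntpath.basename(path) if "\\" in path else posixpath.basename(path)
    return name.lower()


def is_archive_tool(evt):
    cmd = evt["cmdline"].lower()
    return basename(evt["image"]) in ARCHIVE_TOOLS or any(m in cmd for m in ARCHIVE_CMD_MARKERS)


def severity(path, user, allowlist=ALLOWLIST):
    """None when (path, user) is an allowlisted workflow, else 'high' or 'medium'."""
    for pattern, allowed_user in allowlist:
        if user == allowed_user and fnmatch.fnmatchcase(path, pattern.lower()):
            return None
    risky = any(fnmatch.fnmatchcase(path, d + "*") for d in RISKY_DIRS)
    return "high" if risky else "medium"


def correlate(events, allowlist=ALLOWLIST):
    """Return alerts for process launches whose image or an argument is a file that
    an archive tool on the same host wrote within WINDOW beforehand."""
    archive_pids = {}   # (host, pid) -> start time of a running archive tool
    extracted = {}      # (host, lowercased path) -> (write time, extractor pid)
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["host"], e["pid"])
        if e["type"] == "file" and e["action"] == "create":
            if key in archive_pids:  # file written by an archive tool we saw start
                extracted[(e["host"], e["path"].lower())] = (e["ts"], e["pid"])
            continue
        if e["type"] != "process":
            continue
        if is_archive_tool(e):
            archive_pids[key] = e["ts"]
            continue
        # Candidate references: the executable itself and every command-line token.
        refs = [e["image"].lower()] + [t.strip("\"'").lower() for t in e["cmdline"].split()]
        for ref in refs:
            hit = extracted.get((e["host"], ref))
            if hit is None or e["ts"] - hit[0] > WINDOW:
                continue
            sev = severity(ref, e["user"], allowlist)
            if sev is not None:
                alerts.append({"host": e["host"], "severity": sev, "path": ref,
                               "extractor_pid": hit[1], "exec_pid": e["pid"],
                               "delay_s": (e["ts"] - hit[0]).total_seconds()})
            break
    return alerts


T0 = datetime(2026, 1, 15, 9, 0, 0)


def proc(host, pid, ts, image, cmdline, user):
    return {"type": "process", "host": host, "pid": pid, "ts": ts,
            "image": image, "cmdline": cmdline, "user": user}


def fcreate(host, pid, ts, path):
    return {"type": "file", "action": "create", "host": host, "pid": pid, "ts": ts, "path": path}


SAMPLE_EVENTS = [  # constructed sample telemetry, not real events
    # Linux workstation: tar into /tmp, then the unpacked script runs 30 s later.
    proc("wks01", 4101, T0, "/usr/bin/tar", "tar -xzf /tmp/update.tgz -C /tmp/u", "alice"),
    fcreate("wks01", 4101, T0 + timedelta(seconds=1), "/tmp/u/run.sh"),
    proc("wks01", 4102, T0 + timedelta(seconds=30), "/bin/bash", "bash /tmp/u/run.sh", "alice"),
    # Same script run again well outside the window: not correlated.
    proc("wks01", 4103, T0 + timedelta(minutes=20), "/bin/bash", "bash /tmp/u/run.sh", "alice"),
    # CI host: allowlisted deployment workflow, suppressed.
    proc("ci01", 77, T0, "/usr/bin/tar", "tar -xf build.tar -C /opt/ci/workspace/job42", "ci-runner"),
    fcreate("ci01", 77, T0 + timedelta(seconds=2), "/opt/ci/workspace/job42/build.sh"),
    proc("ci01", 78, T0 + timedelta(seconds=5), "/opt/ci/workspace/job42/build.sh",
         "/opt/ci/workspace/job42/build.sh", "ci-runner"),
    # Windows: Expand-Archive into %TEMP%, unpacked binary executes two minutes later.
    proc("win01", 900, T0, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r'powershell -c "Expand-Archive C:\Users\bob\Downloads\tool.zip -DestinationPath C:\Users\bob\AppData\Local\Temp\tool"',
         "bob"),
    fcreate("win01", 900, T0 + timedelta(seconds=3), r"C:\Users\bob\AppData\Local\Temp\tool\tool.exe"),
    proc("win01", 901, T0 + timedelta(minutes=2), r"C:\Users\bob\AppData\Local\Temp\tool\tool.exe",
         r'"C:\Users\bob\AppData\Local\Temp\tool\tool.exe" /q', "bob"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Two of the four launches produce alerts (the /tmp script on the Linux host and the %TEMP% binary on the Windows host), the CI run is suppressed by the allowlist, and the second run of the script falls outside the window. The window, the risky-directory list and the allowlist are the tuning knobs the "Detection direction" items call for; a production version would also key extracted files on something more stable than a PID, since PIDs are reused, and would check whether command-line and file-path fields are actually populated on each platform before trusting the miss rate.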

Mitigation priorities

  • Establish asset and workflow baselines for legitimate compression and extraction activity.
  • Ensure endpoint logging captures process, command-line, and file activity needed to link archive creation or extraction to execution.
  • Harden execution from user-writable and temporary locations where operationally feasible.
  • Include compressed payload handling in IR playbooks, malware triage procedures, and evidence collection requirements.
  • Use detection test results as compliance and SOC readiness evidence, but document limitations because ATT&CK provides no official detection logic for this object.

Analyst notes and limits

This take is based on DET0281 and its relationship to T1027.015 Compression. ATT&CK provides the strategy name, external reference, and relationship context, but no official description, detection text, tactics, or platform list for the strategy itself. The related technique supplies the key context: compression can obfuscate payloads or files and supports stealth on Linux, macOS, and Windows.

Coverage cannot be assumed from this object alone. Local telemetry availability, endpoint logging depth, archive formats in use, operating-system coverage, and normal administrative workflows determine whether detection is practical and how noisy it will be.

Official MITRE ATT&CK definition

Detection Strategy for Compressed Payload Creation and Execution

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain: Enterprise
ID: T1027.015
Name: Compression (Sub-technique)
Relationship / procedure: This object detects Compression.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 1625f7f71f408ba0...

Imported snapshots across ATT&CK releases (1)

Release 19.1 | Object version 1.0 | Status: Current bundle | Raw hash 1625f7f71f40…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0281

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.