DET0298: Detect Archiving via Utility (T1560.001)
Analyst context for executives and security teams
DET0298 is a detection strategy for identifying when adversaries use archive utilities to compress, encrypt, or package collected data before exfiltration. This matters because archiving can be the transition point between internal collection and outbound data loss, but the same utilities are also common in legitimate administration and user workflows.
Executive priority
Treat this as a data-loss and incident-readiness control question: can the organization see suspicious archive creation on Linux, macOS, and Windows well enough to support rapid investigation before exfiltration is confirmed? Leaders should ask whether endpoint telemetry, SOC triage procedures, and data-handling evidence can distinguish routine compression from unusual packaging of sensitive or large data sets.
Technical view
This strategy detects ATT&CK technique T1560.001, Archive via Utility, under the Collection tactic. Since the official detection-strategy object provides no detection text or platform list, teams should derive validation from the related technique: monitor use of archive/compression/encryption utilities on Linux, macOS, and Windows, especially when tied to recently collected files, unusual directories, staging paths, or activity preceding outbound transfer. Detection engineering should account for legitimate use of tools such as tar, zip, diantz, and other archive utilities noted in the related technique context.
Likely telemetry
- Endpoint process creation telemetry including command line arguments
- File creation and modification events for archive outputs
- Parent-child process relationships around archive utility execution
- User, host, and working-directory context for archive creation
- File path and volume indicators showing bulk packaging or staging behavior
Detection direction
- Validate visibility into archive utility execution across Linux, macOS, and Windows environments supported by the related technique.
- Tune detections around context rather than utility name alone, because archive tools are commonly used for legitimate business and administrative purposes.
- Prioritize suspicious combinations: archive creation after collection activity, use against sensitive directories, large or numerous inputs, encryption/password options where observable, or staging in unusual locations.
- Review false positives from software deployment, backups, developer workflows, log collection, and helpdesk activity.
- Correlate archive creation with subsequent outbound transfer indicators when available, without assuming exfiltration from archiving alone.
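One way to turn the directions above into triage logic, as an added example that is not Glexia's or MITRE's code: it scores constructed process-creation events on the context the bullets name (encryption/password options, sensitive directories, staging locations, bulk inputs, an expected automation parent) rather than on utility name alone. The utility inventory, option spellings, directory lists, weights and sample events are assumptions to be replaced with the local baseline.

```python
"""Context-scored triage of archive-utility process events. Added example, not Glexia or MITRE
code; utility inventory, option spellings, directory lists, weights and sample events are assumptions."""
import shlex

ARCHIVE_UTILS = {"tar", "zip", "diantz", "makecab", "7z", "rar"}   # assumed inventory
EXPECTED_PARENTS = {"backup-agent"}                                # assumed benign automation
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "c:/windows/temp/", "c:/users/public/")
SENSITIVE_DIRS = ("/etc/", "/home/", "c:/users/", "c:/finance/")  # assumed data locations
BULK_INPUTS = 5                                                    # path arguments on one line

def uses_encryption(util, args):
    """Password/encryption switches where they are observable on the command line."""
    if util == "zip":
        return any(a in ("-e", "--encrypt") or a.startswith(("-P", "--password")) for a in args)
    if util in ("7z", "rar"):
        return any(a.startswith(("-p", "-hp")) for a in args)
    return False  # tar has no native encryption switch (-p there preserves permissions)

def score_event(ev):
    """Return (score, reasons) for an archive-utility event, or None for any other process."""
    util = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower().removesuffix(".exe")
    if util not in ARCHIVE_UTILS:
        return None
    args = [a.strip('"') for a in shlex.split(ev["cmdline"], posix=ev["os"] != "windows")][1:]
    paths = [a.replace("\\", "/").lower().rstrip("/") + "/"   # lower-case, /-separated, trailing /
             for a in args if a[:1] != "-" and ("/" in a or "\\" in a)]
    checks = [  # (weight, reason, hit); weights are a starting point, not a validated model
        (2, "encryption/password option", uses_encryption(util, args)),
        (1, "sensitive directory", any(p.startswith(SENSITIVE_DIRS) for p in paths)),
        (1, "staging location", any(p.startswith(STAGING_DIRS) for p in paths)),
        (1, "bulk inputs", len(paths) >= BULK_INPUTS or any("*" in a for a in args)),
        (-2, "expected automation parent", ev["parent"] in EXPECTED_PARENTS)]
    return sum(w for w, _, hit in checks if hit), [r for _, r, hit in checks if hit]

def triage(events, threshold=2):
    rows = []  # one row per archive-utility event; other processes are skipped
    for ev in events:
        if (res := score_event(ev)) is not None:
            rows.append({"user": ev["user"], "score": res[0], "reasons": res[1],
                         "verdict": "triage" if res[0] >= threshold else "baseline"})
    return rows

SAMPLE_EVENTS = [  # constructed process-creation records, not real telemetry
    {"os": "linux", "user": "svc-backup", "parent": "backup-agent", "image": "/bin/tar",
     "cmdline": "tar -czf /backup/etc-2024.tgz /etc"},
    {"os": "linux", "user": "alice", "parent": "bash", "image": "/usr/bin/zip",
     "cmdline": "zip -r -e /dev/shm/.d/out.zip /home/alice/Documents /home/bob/Documents"},
    {"os": "windows", "user": "jdoe", "parent": "cmd.exe", "image": r"C:\Windows\System32\diantz.exe",
     "cmdline": r"diantz.exe C:\Users\jdoe\Documents\report.docx C:\Users\jdoe\report.cab"},
    {"os": "windows", "user": "jdoe", "parent": "powershell.exe", "image": r"C:\Tools\7z.exe",
     "cmdline": r"7z.exe a -pREDACTED C:\Users\Public\x.7z C:\Finance\Q1 C:\Finance\Q2 C:\Finance\Q3 C:\Finance\Q4"},
]
```

The backup job lands below the threshold because its expected parent offsets the sensitive directory, while the password-protected archive written to a staging path is surfaced for review.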
Mitigation priorities
- Inventory where archive utilities are expected and where their use is unusual or unnecessary.
- Ensure endpoint logging captures process, command-line, user, and file-creation context for archive activity.
- Apply least-privilege and data access controls so users and processes cannot easily collect and package sensitive data they do not need.
- Define SOC playbooks for triaging suspicious archive creation, including ownership, business justification, file location, and follow-on transfer review.
- Use the resulting evidence to support incident response readiness, data protection assurance, and audit conversations about monitoring of collection-to-exfiltration precursors.
Analyst notes and limits
The supplied ATT&CK detection-strategy object has no official description or detection guidance. The practical interpretation is based on its relationship to T1560.001, Archive via Utility, and the related technique description, tactics, and platforms provided in the prompt.
This take does not assert active exploitation, actor attribution, guaranteed detection, or complete platform coverage beyond the related technique context. Local baselines, tool inventories, endpoint logging quality, and business workflows are required to decide what is suspicious in a specific environment.
Detect Archiving via Utility (T1560.001)
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1560.001 | Archive via Utility (sub-technique) | This object detects Archive via Utility. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 7f507e01fdbc… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0298 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.