MITRE ATT&CK® Detection Strategy

DET0438: Detect Archiving via Custom Method (T1560.003)

Enterprise · DET0438 · Detection Strategy · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0438 is a MITRE detection strategy placeholder for detecting Archive via Custom Method (T1560.003), where collected data may be compressed or encrypted with nonstandard or self-implemented methods before exfiltration. The business significance is that custom archiving can bypass simple detections that look only for known tools such as common compression utilities. Leaders should treat this as a coverage validation issue: can the SOC recognize suspicious data staging and transformation behavior when no standard archive program is present?

Executive priority

Prioritize this as a resilience and incident-readiness question rather than a single tool signature. Because the related technique sits in the collection tactic and applies to Linux, macOS, and Windows, organizations should validate whether endpoint, file, and process telemetry can support investigations into unusual data aggregation, encryption-like file changes, or staging activity across major workstation and server platforms. This matters for exfiltration response, audit evidence around monitoring coverage, and decisions about where endpoint logging or managed detection investment is needed.

Technical view

MITRE provides no official detection logic or platform list for DET0438 itself, but the strategy detects T1560.003 Archive via Custom Method. SOC and detection teams should map coverage to the related technique: custom compression or encryption of collected data before exfiltration. Validate detections that do not depend solely on known archive utilities or library calls. Useful analytic direction includes correlating suspicious file collection/staging patterns, high-volume file reads followed by creation of new opaque or renamed output files, processes performing unusual write patterns, and subsequent movement toward exfiltration-related activity where locally observable. Tune by host role, backup jobs, developer workflows, and legitimate encryption/compression processes.

Likely telemetry

  • Endpoint process creation and command-line telemetry across the related technique's platforms (Linux, macOS, and Windows)
  • File creation, modification, rename, and high-volume read/write activity
  • Endpoint detection telemetry describing process/file relationships and unusual data staging
  • File metadata such as path, extension changes, size, entropy-like characteristics where available
  • User, host, and process context to distinguish administrative, backup, development, or security tooling from anomalous activity

Detection direction

  • Confirm whether current detections rely too heavily on known archive utilities; custom methods may not use standard compression tools.
  • Build or validate behavior-based analytics around data staging and transformation rather than single executable names.
  • Correlate collection-scale file access with creation of new bundled, encrypted, or otherwise opaque files, especially in unusual directories or under unusual user/process context.
  • Tune expected activity for backup software, enterprise encryption tools, developer build processes, data science workflows, and administrative scripts to reduce false positives.
  • Use relationship context to scope validation to the related ATT&CK technique T1560.003 under collection, while avoiding assumptions not present in MITRE’s sparse DET0438 fields.
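The detection direction above (high-volume reads by one process followed by creation of a large, opaque output file, with allowlisting for approved tooling) can be expressed as a small behaviour-based analytic. The following is an added illustration, not MITRE-provided logic and not Glexia's detection content; the event schema, the thresholds, the approved-process allowlist, and the sample telemetry are all constructed assumptions that would need to be mapped onto a real endpoint sensor's fields and tuned per host role.

```python
"""Behaviour-based heuristic for Archive via Custom Method (T1560.003).

Flags a process that reads many distinct files in a short window and then
creates a large, high-entropy output file, unless the process is on the
approved archiver/backup allowlist. The event schema, thresholds and sample
events are constructed for this example, not taken from MITRE or any EDR.
"""
import math
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FileEvent:
    ts: int              # seconds since epoch (constructed)
    host: str
    user: str
    process: str         # image name reported by the endpoint sensor
    action: str          # "read" or "create"
    path: str
    size: int = 0        # bytes, for "create" events
    sample: bytes = b""  # leading bytes of written content, if the sensor captures them


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted/compressed data, well below that for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Tuning knobs (assumed values; tune per host role and approved tooling).
APPROVED_PROCESSES = {"tar", "zip", "7z", "gzip", "backup-agent"}
READ_THRESHOLD = 20          # distinct files read by one process inside the window
WINDOW_SECONDS = 300
ENTROPY_THRESHOLD = 7.5      # bits/byte; above this the output looks opaque
MIN_OUTPUT_BYTES = 1_000_000


def detect_custom_archiving(events):
    """Return one alert dict per (host, user, process) staging pattern found."""
    alerts = []
    reads = defaultdict(list)  # (host, user, process) -> read events seen so far
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.user, ev.process)
        if ev.action == "read":
            reads[key].append(ev)
            continue
        if ev.action != "create" or ev.process in APPROVED_PROCESSES:
            continue
        # Collection scale: distinct files this process read inside the window.
        recent = {r.path for r in reads[key] if ev.ts - r.ts <= WINDOW_SECONDS}
        if len(recent) < READ_THRESHOLD or ev.size < MIN_OUTPUT_BYTES:
            continue
        # Transformation: the new file's content looks compressed or encrypted.
        entropy = shannon_entropy(ev.sample)
        if entropy < ENTROPY_THRESHOLD:
            continue
        alerts.append({
            "host": ev.host, "user": ev.user, "process": ev.process,
            "output": ev.path, "output_size": ev.size,
            "entropy": round(entropy, 2), "files_read": len(recent),
            "technique": "T1560.003",
        })
    return alerts


def build_sample_events():
    """Constructed telemetry: one custom stager, one approved backup, one benign editor."""
    rng = random.Random(7)
    opaque = rng.randbytes(4096)                  # stands in for encrypted output
    text = b"Quarterly report draft\n" * 200      # plain-text output
    events = []
    # Unknown binary reads 25 documents, then writes a hidden opaque blob.
    for i in range(25):
        events.append(FileEvent(1000 + i, "ws01", "alice", "svc_collector",
                                "read", f"/home/alice/docs/report_{i}.docx"))
    events.append(FileEvent(1100, "ws01", "alice", "svc_collector", "create",
                            "/tmp/.cache/blob.dat", 5_000_000, opaque))
    # Approved backup agent does the same thing and is allowlisted.
    for i in range(25):
        events.append(FileEvent(2000 + i, "ws01", "root", "backup-agent",
                                "read", f"/home/alice/docs/report_{i}.docx"))
    events.append(FileEvent(2100, "ws01", "root", "backup-agent", "create",
                            "/var/backups/ws01.bak", 5_000_000, opaque))
    # Editor reads two files and saves plain text: below both thresholds.
    events.append(FileEvent(3000, "ws01", "alice", "editor", "read", "/home/alice/notes.txt"))
    events.append(FileEvent(3001, "ws01", "alice", "editor", "read", "/home/alice/todo.txt"))
    events.append(FileEvent(3005, "ws01", "alice", "editor", "create",
                            "/home/alice/notes.txt", 4_600, text))
    return events


SAMPLE_EVENTS = build_sample_events()

if __name__ == "__main__":
    for alert in detect_custom_archiving(SAMPLE_EVENTS):
        print(alert)
```

Run as written, only the unknown `svc_collector` process produces an alert: the backup agent is suppressed by the allowlist and the editor never reaches the read threshold. The allowlist is where the tuning from the bullets above lives (backup software, enterprise encryption, build and data-science workflows); in production that set, the thresholds, and the window should be keyed by host role rather than fixed globally, and the entropy check only works where the sensor exposes written content or an equivalent file-type/entropy attribute.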

Mitigation priorities

  • First, ensure endpoint logging and retention are sufficient to reconstruct file collection, transformation, and process lineage on Linux, macOS, and Windows where relevant.
  • Second, restrict unnecessary access to sensitive data repositories so large-scale collection is harder before any archiving occurs.
  • Third, enforce least privilege and monitor privileged accounts that can access broad file stores.
  • Fourth, review approved encryption, compression, backup, and administrative tooling so defenders have baselines for legitimate behavior.
  • Fifth, incorporate this scenario into incident response playbooks for suspected staging before exfiltration, including evidence preservation of created files, parent processes, and user context.

Analyst notes and limits

The official detection strategy object has no description, no detection text, no tactics, and no platforms of its own. The practical interpretation comes from its stated relationship: it detects T1560.003 Archive via Custom Method, a collection technique for Linux, macOS, and Windows. Treat this Glexia take as guidance for coverage validation and detection engineering, not as a MITRE-provided analytic.

No official DET0438 detection logic, data sources, analytic examples, mitigations, or procedure examples were supplied. Local telemetry availability, host roles, approved tools, and business workflows are required to determine actual detection coverage and false-positive rates. This summary does not assert active exploitation, attribution, impact, or guaranteed detection.

Official MITRE ATT&CK definition

Detect Archiving via Custom Method (T1560.003)

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1560.003 | Archive via Custom Method | Sub-technique; this object detects Archive via Custom Method.


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 1197a67e2afdc6fe...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 1197a67e2afd…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0438

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.