MITRE ATT&CK® Detection Strategy

DET0526: Detect Archiving and Encryption of Collected Data (T1560)


Domain: Enterprise | ID: DET0526 | Type: Detection Strategy | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0526 is a detection strategy for behavior where an adversary compresses and/or encrypts data after collection and before exfiltration, as described by the related ATT&CK technique T1560 Archive Collected Data. For leaders, the practical issue is not the archive file itself; it is that staging data in compressed or encrypted form can reduce network volume and make outbound inspection less useful, which can delay incident recognition and increase data-loss risk.

Executive priority

Treat this as a control-validation priority for data-loss and incident-response readiness. Security leaders should ask whether SOC teams can see unusual archive or encryption activity on Linux, macOS, and Windows endpoints where the related technique applies, whether that visibility is correlated with collection and exfiltration signals, and whether audit evidence exists showing that endpoint, file, and network telemetry are retained long enough to support investigations.

Technical view

The supplied detection-strategy object has no official detection text, platforms, or tactics of its own, but it detects T1560, which is an enterprise collection technique on Linux, macOS, and Windows. SOC and detection engineering teams should validate coverage around suspicious creation, modification, or staging of compressed/encrypted files, especially when temporally associated with prior collection activity or later outbound transfer. Because archiving and encryption are also common administrative and user behaviors, detections should emphasize unusual context, volume, location, process lineage, account, timing, and proximity to other collection/exfiltration indicators rather than file extension alone.

Likely telemetry

  • Endpoint process execution telemetry for archive, compression, or encryption utilities where available
  • File creation, rename, modification, and size-change events for newly staged archives or encrypted containers
  • Command-line and parent/child process context, where collected
  • User, host, and working-directory context for archive/encryption activity
  • Network telemetry that can show subsequent outbound transfer patterns after local staging

Detection direction

  • Validate whether detections correlate archive/encryption activity with collection-stage behavior and possible exfiltration rather than alerting only on common utilities.
  • Tune for environmental baselines: backups, software packaging, log rotation, developer builds, and administrative compression can create high false-positive volume.
  • Prioritize suspicious staging locations, abnormal file sizes or counts, unusual execution times, unexpected accounts, and process ancestry inconsistent with normal business workflows.
  • Confirm visibility across the operating systems supported by the related technique: Linux, macOS, and Windows. Do not assume the DET0526 object itself defines platform coverage because its platform field is not specified.
  • Review retention and searchability of endpoint and file telemetry so incident responders can reconstruct whether data was staged before outbound movement.
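A context-scoring illustration of the direction above, added here as example code that is not part of the DET0526 object, MITRE, or Glexia material; the extension list, staging directories, documented-workflow parents, thresholds, and the sample events are all constructed assumptions standing in for an organisation's own baselines:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# All baselines below are assumptions standing in for an organisation's own.
ARCHIVE_EXT = (".zip", ".7z", ".rar", ".tar.gz", ".gpg")
STAGING_DIRS = ("/tmp/", "/var/tmp/", "C:\\Users\\Public\\", "C:\\Windows\\Temp\\")
DOCUMENTED_PARENTS = {"backup-agent", "logrotate", "jenkins"}  # authorised archiving jobs
INTERACTIVE_SHELLS = {"bash", "sh", "zsh", "cmd.exe", "powershell.exe"}
LARGE_MB = 500

@dataclass
class FileEvent:
    host: str
    user: str
    path: str
    size_mb: float
    parent: str  # parent process of the writer (process lineage)
    ts: datetime

def score_event(ev: FileEvent, outbound: list[datetime]) -> tuple[int, list[str]]:
    """Score one archive creation by context; the extension alone never alerts."""
    if not ev.path.lower().endswith(ARCHIVE_EXT):
        return 0, []
    if ev.parent in DOCUMENTED_PARENTS:
        return 0, ["documented archiving workflow"]
    reasons = []
    if ev.path.startswith(STAGING_DIRS):
        reasons.append("staging location")
    if ev.size_mb >= LARGE_MB:
        reasons.append("abnormal size")
    if not 6 <= ev.ts.hour < 22:
        reasons.append("off-hours")
    if ev.parent in INTERACTIVE_SHELLS:
        reasons.append("interactive shell ancestry")
    # Proximity to a later outbound transfer from the same host (network telemetry).
    if any(ev.ts < t <= ev.ts + timedelta(hours=2) for t in outbound):
        reasons.append("outbound transfer within 2h")
    return len(reasons), reasons

def triage(events, outbound_by_host, threshold=3):
    """[(path, reasons)] for events whose context score meets the threshold."""
    scored = ((ev, score_event(ev, outbound_by_host.get(ev.host, []))) for ev in events)
    return [(ev.path, r) for ev, (s, r) in scored if s >= threshold]
T = datetime(2025, 1, 14, 2, 40)  # constructed sample: backup job, noon user zip, staging
EVENTS = [
    FileEvent("srv1", "svc_backup", "/backup/db.tar.gz", 2200, "backup-agent", T),
    FileEvent("wks7", "alice", "C:\\Users\\alice\\Documents\\report.zip", 4, "explorer.exe", T.replace(hour=12)),
    FileEvent("wks7", "alice", "C:\\Users\\Public\\out.7z", 900, "powershell.exe", T),
]
OUTBOUND = {"wks7": [T + timedelta(minutes=25)]}  # constructed network telemetry per host
```

Only the third event reaches the threshold, and the returned reasons give an analyst the context fields named above rather than a bare "archive created" alert.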

Mitigation priorities

  • Establish baseline visibility first: endpoint process, file, user, and network evidence must be available before this behavior can be assessed reliably.
  • Harden access to sensitive data repositories so collection volume is reduced before archiving becomes relevant.
  • Apply least privilege and monitored administrative access for accounts that can read, stage, compress, or encrypt large data sets.
  • Use data-handling controls, DLP, and egress monitoring where appropriate to increase the chance of detecting staged data before or during exfiltration.
  • Document expected business archiving workflows so SOC teams can distinguish authorized compression/encryption from suspicious staging during investigations.

Analyst notes and limits

This take is based on the DET0526 detection-strategy object and its relationship to T1560 Archive Collected Data. The relationship provides the key context: compression and/or encryption of collected data prior to exfiltration, associated with the collection tactic and Linux, macOS, and Windows platforms for the related technique.

The DET0526 object includes no official description, no official detection logic, no tactics, and no platforms. Recommendations therefore remain validation-oriented and must be adapted to local telemetry, normal administrative workflows, data locations, and retention capabilities. No active exploitation, attribution, impact, or guaranteed detection coverage is implied.

Official MITRE ATT&CK definition

Detect Archiving and Encryption of Collected Data (T1560)

No official description is available in the imported ATT&CK source object.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain      ID     Name                    Relationship / procedure
Enterprise  T1560  Archive Collected Data  This object detects Archive Collected Data.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created: (blank in the mirrored snapshot)
Modified: (blank in the mirrored snapshot)
Raw hash: ac16b19349ee7d69...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  ac16b19349ee…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0526 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.