MITRE ATT&CK® Detection Strategy

DET0670: Detection of Archive Collected Data


Domain: Mobile | ID: DET0670 | Type: Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0670 is a mobile ATT&CK detection strategy for Archive Collected Data: adversaries compressing or encrypting collected data before exfiltration. For leaders, the practical issue is that this behavior can make stolen data smaller, less obvious, and harder to inspect, which affects incident triage, data-loss assessment, and confidence in mobile monitoring.

Executive priority

Prioritize validation where mobile devices or mobile applications handle sensitive business data. The key decision is whether the organization can produce evidence that collected data was archived or encrypted before leaving a device, especially during investigations, audit inquiries, or suspected data theft. Because the official detection strategy contains no detection text or platform detail, leadership should treat this as a coverage validation item rather than an assumed control.

Technical view

SOC, detection engineering, and IR teams should map this strategy to mobile technique T1532, Archive Collected Data, which applies to Android and iOS in the supplied relationship context. Validate whether available mobile telemetry can show compression or encryption activity involving collected data prior to exfiltration. Since MITRE provides no official detection logic for DET0670, teams should develop environment-specific analytics around suspicious archive/encryption artifacts, file staging behavior, and proximity to outbound transfer activity, while accounting for legitimate app backup, sync, and data-protection functions.

Likely telemetry

  • Mobile device management or mobile security telemetry for Android and iOS where available
  • File creation, modification, and staging evidence indicating compressed or encrypted data containers
  • Application behavior telemetry showing use of compression or encryption libraries or utilities where observable
  • Network egress metadata that can be correlated with recent archive or encryption activity
  • Incident response collection from mobile devices, app sandboxes, and relevant application storage locations

Detection direction

  • Confirm whether mobile telemetry is available at all; DET0670 itself does not specify platforms or detection logic, while the related technique lists Android and iOS.
  • Correlate archive/encryption-like activity with prior data collection indicators and subsequent outbound transfer rather than alerting on compression or encryption alone.
  • Tune for legitimate mobile behaviors such as app backups, secure storage, synchronization, and normal encrypted application data to reduce false positives.
  • Validate that encrypted or compressed artifacts are not invisible to existing mobile EDR, MDM, SIEM, or IR collection processes.
  • Use the relationship to T1532 as the organizing context for coverage testing and detection gap analysis.
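As an added illustration of the correlation approach described above (example code, not Glexia's or MITRE's own analytic), the Python sketch below runs over constructed sample mobile telemetry: an archive or encryption event only becomes a finding when the same device and app show a collection indicator shortly before it and an outbound transfer shortly after it, and known backup or sync apps are allow-listed. The event schema, app identifiers and the 30-minute window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real device data). Each tuple:
# (timestamp, device id, app id, event kind, free-text detail)
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00", "dev-A", "com.example.notes", "collect", "read contacts"),
    ("2024-05-01T10:02:00", "dev-A", "com.example.notes", "archive", "wrote staged.zip"),
    ("2024-05-01T10:05:00", "dev-A", "com.example.notes", "egress", "POST 1.2 MB to upload host"),
    ("2024-05-01T11:00:00", "dev-B", "com.backup.app", "collect", "read photos"),
    ("2024-05-01T11:01:00", "dev-B", "com.backup.app", "archive", "wrote backup.enc"),
    ("2024-05-01T11:02:00", "dev-B", "com.backup.app", "egress", "sync to cloud"),
    ("2024-05-01T12:00:00", "dev-C", "com.example.photo", "archive", "wrote cache.zip"),
]

# Assumed allow-list of legitimate backup/sync apps (tuning input, see bullets above).
KNOWN_BACKUP_APPS = {"com.backup.app"}
WINDOW = timedelta(minutes=30)


def correlate(events, window=WINDOW, allowlist=KNOWN_BACKUP_APPS):
    """Return archive events bracketed by a prior collection indicator and a
    later egress event for the same device and app, skipping allow-listed apps."""
    by_key = defaultdict(list)
    for ts, dev, app, kind, detail in events:
        by_key[(dev, app)].append((datetime.fromisoformat(ts), kind, detail))

    hits = []
    for (dev, app), evs in by_key.items():
        if app in allowlist:
            continue  # legitimate backup/sync behaviour: do not alert
        evs.sort()
        for t, kind, detail in evs:
            if kind != "archive":
                continue
            # Collection indicator within the window before the archive event
            prior = any(k == "collect" and t - window <= t2 < t for t2, k, _ in evs)
            # Outbound transfer within the window after the archive event
            later = any(k == "egress" and t < t2 <= t + window for t2, k, _ in evs)
            if prior and later:
                hits.append({"device": dev, "app": app,
                             "archive_at": t.isoformat(), "detail": detail})
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(hit)
```

With the sample data only dev-A produces a finding: dev-B is an allow-listed backup app and dev-C's archive has neither a preceding collection nor a following transfer.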

Mitigation priorities

  • Start with data minimization and access control for sensitive data on mobile devices and applications.
  • Ensure mobile device and application monitoring can support investigations involving staged, compressed, or encrypted files.
  • Harden mobile application and device configurations to limit unnecessary data exposure and unmanaged storage locations where feasible.
  • Integrate mobile telemetry with SOC workflows so archive/encryption activity can be correlated with collection and exfiltration signals.
  • Document validated evidence sources for compliance and incident response readiness, especially where mobile data loss is a material risk.

Analyst notes and limits

This take is based on a detection strategy object with no official description or detection text. The most useful context comes from its relationship to T1532, Archive Collected Data, in the mobile ATT&CK domain. Defensive value comes from validating whether teams can observe pre-exfiltration compression or encryption on Android and iOS, not from assuming a ready-made MITRE analytic exists.

Platforms and tactics are not specified on the DET0670 object itself, and MITRE provides no official detection content in the supplied fields. Telemetry recommendations are therefore directional and must be validated against the organization’s mobile device estate, application architecture, privacy constraints, and available logging.

Official MITRE ATT&CK definition

Detection of Archive Collected Data

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row
Domain | ID    | Name                   | Relationship / procedure
Mobile | T1532 | Archive Collected Data | This object detects Archive Collected Data.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 9e168b931b47211d...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 9e168b931b47…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0670 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.