Archive Collected Data

Adversaries may compress and/or encrypt data that is collected prior to exfiltration. Compressing data can help to obfuscate its contents and minimize use of network resources. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.

Both compression and encryption are done prior to exfiltration, and can be performed using a utility, programming library, or custom algorithm.

ID: T1532
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Collection
Platforms: Android, iOS
Version: 2.0
Created: 10 October 2019
Last Modified: 01 April 2022

Procedure Examples

ID Name Description
S0422 Anubis

Anubis exfiltrates data encrypted (with RC4) by its ransomware module.[1]

S0540 Asacub

Asacub has encrypted C2 communications using Base64-encoded RC4.[2]

S1079 BOULDSPY

BOULDSPY can encrypt its data before exfiltration.[3]

S0505 Desert Scorpion

Desert Scorpion can encrypt exfiltrated data.[4]

S0405 Exodus

Exodus One encrypts data using XOR prior to exfiltration.[5]

S0577 FrozenCell

FrozenCell has compressed and encrypted data before exfiltration using password protected .7z archives.[6]

S0535 Golden Cup

Golden Cup has encrypted exfiltrated data using AES in ECB mode.[7]

S0421 GolfSpy

GolfSpy encrypts data using a simple XOR operation with a pre-configured key prior to exfiltration.[8]

S1082 Sunbird

Sunbird can exfiltrate collected data as a ZIP file.[9]

S0424 Triada

Triada encrypts data prior to exfiltration.[10]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Many encryption mechanisms are built into standard application-accessible APIs and are therefore undetectable to the end user.

References