Data Encrypted

ID: T1022
Tactic: Exfiltration
Platform: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1
Data Sources: File monitoring, Binary file metadata, Process command-line parameters, Process monitoring
Requires Network: No

Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.

Other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over Command and Control Channel and Exfiltration Over Alternative Protocol.


  • Ke3chang is known to use RAR with passwords to encrypt data prior to exfiltration.1
  • Threat Group-3390 actors have encrypted data for exfiltration using the password "admin-windows2014" (with the year corresponding to the year of the intrusion).2
  • Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server.3 Lazarus Group malware RomeoDelta archives specified directories in .zip format, encrypts the .zip file, and uploads it to its C2 server.4
  • TRINITY malware used by FIN6 encodes data gathered from the victim with a simple substitution cipher and single-byte XOR using the 0xAA key.5
  • Data SPACESHIP copies to the staging area is compressed with zlib. Bytes are rotated by four positions and XOR'ed with 0x23.6
  • FLASHFLOOD employs the same encoding scheme as SPACESHIP for data it stages. Data is compressed with zlib, and bytes are rotated four times before being XOR'ed with 0x23.6
  • Modules can be pushed to and executed by Duqu that copy data to a staging area, compress it, and XOR encrypt it.7
  • ADVSTORESHELL encrypts with the 3DES algorithm and a hardcoded key prior to exfiltration.8
  • OwaAuth DES-encrypts captured credentials using the key 12345678 before writing the credentials to a log file.2
  • Agent.btz saves system information into an XML file that is then XOR-encoded.9
  • Backdoor.Oldrea writes collected data to a temporary file in an encrypted form before exfiltration to a C2 server.10
  • T9000 encrypts collected data using a single byte XOR key.11
  • After collecting files and logs from the victim, Prikormka encrypts some collected data with Blowfish.12


Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to encrypt files, and audit and/or block them by using whitelisting13 tools, like AppLocker,1415 or Software Restriction Policies16 where appropriate.17


Encryption software and encrypted files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known encryption utilities. This may yield a significant amount of benign events, depending on how systems in the environment are typically used. Often the encryption key is stated within the command-line invocation of the software.

A process that loads the Windows DLL crypt32.dll may be used to perform encryption, decryption, or verification of file signatures.

Network traffic may also be analyzed for entropy to determine if encrypted data is being transmitted.18 If the communications channel is unencrypted, encrypted files of known file types can be detected in transit during exfiltration with a network intrusion detection or data loss prevention system analyzing file headers.19
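
The two network checks described above, sketched as an added example (not part of the original page): a Shannon entropy score for a payload, and a scan of ZIP local file headers for the encryption flag (general-purpose bit 0). The 7.5 bits/byte threshold, the function names and the sample payloads are assumptions constructed for illustration.

```python
import hashlib
import math
import struct
from collections import Counter

ZIP_LOCAL_SIG = b"PK\x03\x04"
ENTROPY_THRESHOLD = 7.5  # assumed cut-off in bits/byte; tune against your own traffic

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0. Encrypted and compressed data both approach 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def zip_encrypted_members(buf: bytes) -> list:
    """Names of ZIP members whose local file header has flag bit 0 (encrypted) set."""
    names = []
    pos = buf.find(ZIP_LOCAL_SIG)
    while pos != -1 and pos + 30 <= len(buf):
        flags, = struct.unpack_from("<H", buf, pos + 6)
        csize, _usize, nlen, xlen = struct.unpack_from("<IIHH", buf, pos + 18)
        if flags & 0x0001:
            names.append(buf[pos + 30:pos + 30 + nlen].decode("cp437", "replace"))
        # Skip the member body so bytes inside it are not mistaken for a header.
        # csize is 0 when a data descriptor is used, which degrades to a plain scan.
        pos = buf.find(ZIP_LOCAL_SIG, pos + 30 + nlen + xlen + csize)
    return names

def classify(payload: bytes) -> str:
    """Header evidence first (specific), entropy second (generic, noisier)."""
    members = zip_encrypted_members(payload)
    if members:
        return "encrypted-zip:" + ",".join(members)
    if shannon_entropy(payload) >= ENTROPY_THRESHOLD:
        return "high-entropy"
    return "unremarkable"

# Constructed samples: a deterministic pseudo-random body stands in for ciphertext.
RANDOM_BODY = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))

def sample_zip(name: bytes, body: bytes, encrypted: bool) -> bytes:
    """Build one stored ZIP local file header plus body (CRC left as 0 for brevity)."""
    header = struct.pack("<4sHHHHHIIIHH", ZIP_LOCAL_SIG, 20, int(encrypted), 0, 0, 0,
                         0, len(body), len(body), len(name), 0)
    return header + name + body

if __name__ == "__main__":
    for label, data in [("encrypted zip", sample_zip(b"archive.txt", RANDOM_BODY, True)),
                        ("plain zip", sample_zip(b"notes.txt", b"hello " * 200, False)),
                        ("raw ciphertext", RANDOM_BODY)]:
        print(f"{label:15} entropy={shannon_entropy(data):.2f} verdict={classify(data)}")
```

Entropy alone cannot separate encrypted data from ordinary compressed data, so the header check is the higher-confidence signal and the entropy verdict is best treated as a lead for correlation with process and file monitoring.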