数据加密

数据在泄露之前先经过加密，以隐藏被泄露的信息以免被检测到，或者使防御者检查后发现的泄露不那么明显。加密是由实用程序，编程库或自定义算法对数据本身执行的，并被认为与由命令和控制或文件传输协议执行的任何加密是分开的。可以加密文件的常见文件格式为RAR和zip。

Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file formats that can encrypt files are RAR and zip.

标签

ID编号： T1532

战术类型： 事后访问设备

策略： 渗漏

平台： Android，iOS

程序示例

名称	描述
Exodus(S0405)	Exodus(S0405) One在渗透之前使用XOR加密数据。

Name	Description
Exodus(S0405)	Exodus(S0405) One encrypts data using XOR prior to exfiltration.

缓解措施

这种攻击技术无法通过预防性控制轻松缓解，因为它基于滥用系统功能。

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

检测

标准应用程序可访问的API中内置了许多加密机制，因此最终用户无法检测到。

Many encryption mechanisms are built into standard application-accessible APIs, and are therefore undetectable to the end user.