MITRE ATT&CK Technique
Description
Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip. Other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).
Supported Platforms
Linux, macOS, Windows
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2017-05-31T21:30:30.260Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Data is encrypted before being exfiltrated in order to hide '
                'the information that is being exfiltrated from detection or '
                'to make the exfiltration less conspicuous upon inspection by '
                'a defender. The encryption is performed by a utility, '
                'programming library, or custom algorithm on the data itself '
                'and is considered separate from any encryption performed by '
                'the command and control or file transfer protocol. Common '
                'file archive formats that can encrypt files are RAR and zip.\n'
                '\n'
                'Other exfiltration techniques likely apply as well to '
                'transfer the information out of the network, such as '
                '[Exfiltration Over C2 '
                'Channel](https://attack.mitre.org/techniques/T1041) and '
                '[Exfiltration Over Alternative '
                'Protocol](https://attack.mitre.org/techniques/T1048)',
 'external_references': [{'external_id': 'T1022',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1022'},
                         {'description': 'Zhang, H., Papadopoulos, C., & '
                                         'Massey, D. (2013, April). Detecting '
                                         'encrypted botnet traffic. Retrieved '
                                         'August 19, 2015.',
                          'source_name': 'Zhang 2013',
                          'url': 'http://www.netsec.colostate.edu/~zhang/DetectingEncryptedBotnetTraffic.pdf'},
                         {'description': 'Wikipedia. (2016, March 31). List of '
                                         'file signatures. Retrieved April 22, '
                                         '2016.',
                          'source_name': 'Wikipedia File Header Signatures',
                          'url': 'https://en.wikipedia.org/wiki/List_of_file_signatures'}],
 'id': 'attack-pattern--d54416bd-0803-41ca-870a-ce1af7c05638',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'exfiltration'}],
 'modified': '2025-10-24T17:49:27.757Z',
 'name': 'Data Encrypted',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': True,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux', 'macOS', 'Windows'],
 'x_mitre_version': '1.1'}