- Tactics
- Collection
- Platforms
- Linux, macOS, Windows
- Reference
- attack.mitre.org/techniques/T1560.003
Description
An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ciphers implemented with no external library or utility references. Custom implementations of well-known compression algorithms have also been used.(Citation: ESET Sednit Part 2)
How GTK Cyber trains on this
GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the Collection tactic this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
Related techniques
- T1005 — Data from Local System
- T1025 — Data from Removable Media
- T1039 — Data from Network Shared Drive
- T1056 — Input Capture
- T1074 — Data Staged
- T1113 — Screen Capture
- T1114 — Email Collection
- T1115 — Clipboard Data
- T1119 — Automated Collection
- T1123 — Audio Capture
- T1125 — Video Capture
- T1185 — Browser Session Hijacking