
Exfiltration, Tactic TA0036 - Mobile | MITRE ATT&CK®

<!DOCTYPE html> <html lang='en'> <head> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1, shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href="/versions/v9/theme/favicon.ico" type='image/x-icon'> <title>Exfiltration, Tactic TA0036 - Mobile | MITRE ATT&CK&reg;</title> <!-- Bootstrap CSS --> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-glyphicon.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-tourist.css" /> <link rel="stylesheet" type="text/css" href="/versions/v9/theme/style.min.css?426cc53a"> </head> <body> <!--stopindex--> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v9/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v9.0" target="_blank">ATT&CK v9.0</a> which was live between April 29, 2021 and October 20, 2021. 
<a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> <div id='content' class="maincontent"> <!--start-indexing-for-search--> <div class='container-fluid h-100'> <div class='row h-100'> <div class="tab-content col-xl-10 col-lg-9 col-md-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> Exfiltration </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p>The adversary is trying to steal data.</p><p>Exfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from the targeted mobile device.</p><p>In the mobile environment, mobile devices are frequently connected to networks outside enterprise control such as cellular networks or public Wi-Fi networks. Adversaries could attempt to evade detection by communicating on these networks, and potentially even by using non-Internet Protocol mechanisms such as Short Message Service (SMS). 
However, cellular networks often have data caps and/or extra data charges that could increase the potential for adversarial communication to be detected.</p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="card-data"><span class="h5 card-title">ID:</span> TA0036</div> <div class="card-data"><span class="h5 card-title">Created:&nbsp;</span>17 October 2018</div> <div class="card-data"><span class="h5 card-title">Last Modified:&nbsp;</span>27 January 2020</div> </div> </div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of TA0036" href="/versions/v9/tactics/TA0036/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of TA0036" href="/tactics/TA0036/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="techniques">Techniques</h2><h6 class="table-object-count">Techniques: 4</h6> <table class="table-techniques"> <thead> <tr> <td colspan="2">ID</td> <td>Name</td> <td>Description</td> </tr> </thead> <tbody> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1438"> T1438 </a> </td> <td> <a href="/versions/v9/techniques/T1438"> Alternate Network Mediums </a> </td> <td> Adversaries can communicate using cellular networks rather than enterprise Wi-Fi in order to bypass enterprise network monitoring systems. Adversaries may also communicate using other non-Internet Protocol mediums such as SMS, NFC, or Bluetooth to bypass network monitoring systems. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1436"> T1436 </a> </td> <td> <a href="/versions/v9/techniques/T1436"> Commonly Used Port </a> </td> <td> Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1532"> T1532 </a> </td> <td> <a href="/versions/v9/techniques/T1532"> Data Encrypted </a> </td> <td> Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file formats that can encrypt files are RAR and zip. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1437"> T1437 </a> </td> <td> <a href="/versions/v9/techniques/T1437"> Standard Application Layer Protocol </a> </td> <td> Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. 
</td> </tr> </tbody> </table> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> </div> <footer class="footer p-3"> <div class="container-fluid"> <p> © 2015-2021, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </p> <small> <a href="/versions/v9/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" title="ATT&amp;CK content version 9.0&#013;Website version 3.3.1">ATT&CK v9.0</a> </small> </div> </footer> </body> </html>
