Description
Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020)
When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over C2 Channel and Exfiltration Over Alternative Protocol.
Platforms
Sub-Techniques (1)
Threat Groups (7)
| ID | Group | Context |
|---|---|---|
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has exfiltrated data to C2 servers using an automated script that executes every 10 minutes and after... |
| G0121 | Sidewinder | [Sidewinder](https://attack.mitre.org/groups/G0121) has configured tools to automatically send collected files to attacker controlled servers.(Citatio... |
| G0004 | Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) has performed frequent and scheduled data exfiltration from compromised networks.(Citation: Microso... |
| G1039 | RedCurl | [RedCurl](https://attack.mitre.org/groups/G1039) has used batch scripts to exfiltrate data.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2) |
| G1035 | Winter Vivern | [Winter Vivern](https://attack.mitre.org/groups/G1035) delivered a PowerShell script capable of recursively scanning victim machines looking for vario... |
| G0081 | Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has used a copy function to automatically exfiltrate sensitive data from air-gapped systems us... |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has used modules that automatically upload gathered documents to the C2 server.(Citation: ESE... |
Associated Software (20)
| ID | Name | Type | Context |
|---|---|---|---|
| S0491 | StrongPity | Malware | [StrongPity](https://attack.mitre.org/software/S0491) can automatically exfiltrate collected documents to the C2 server.(Citation: Talos Promethium Ju... |
| S0395 | LightNeuron | Malware | [LightNeuron](https://attack.mitre.org/software/S0395) can be configured to automatically exfiltrate files under a specified directory.(Citation: ESET... |
| S0363 | Empire | Tool | [Empire](https://attack.mitre.org/software/S0363) has the ability to automatically send collected data back to the threat actors' C2.(Citation: Talos ... |
| S0600 | Doki | Malware | [Doki](https://attack.mitre.org/software/S0600) has used a script that gathers information from a hardcoded list of IP addresses and uploads to an Ngr... |
| S0090 | Rover | Malware | [Rover](https://attack.mitre.org/software/S0090) automatically searches for files on local drives based on a predefined list of file extensions and se... |
| S1017 | OutSteel | Malware | [OutSteel](https://attack.mitre.org/software/S1017) can automatically upload collected files to its C2 server.(Citation: Palo Alto Unit 42 OutSteel Sa... |
| S0643 | Peppy | Malware | [Peppy](https://attack.mitre.org/software/S0643) has the ability to automatically exfiltrate files and keylogs.(Citation: Proofpoint Operation Transpa... |
| S0409 | Machete | Malware | [Machete](https://attack.mitre.org/software/S0409)’s collected files are exfiltrated automatically to remote servers.(Citation: ESET Machete July 2019... |
| S0377 | Ebury | Malware | If credentials are not collected for two weeks, [Ebury](https://attack.mitre.org/software/S0377) encrypts the credentials using a public key and sends... |
| S1148 | Raccoon Stealer | Malware | [Raccoon Stealer](https://attack.mitre.org/software/S1148) will automatically collect and exfiltrate data identified in received configuration files f... |
| S1166 | Solar | Malware | [Solar](https://attack.mitre.org/software/S1166) can automatically exfiltrate files from compromised systems.(Citation: ESET OilRig Campaigns Sep 2023) |
| S1211 | Hannotog | Malware | [Hannotog](https://attack.mitre.org/software/S1211) can upload encrypted data for exfiltration.(Citation: Symantec Bilbug 2022) |
| S0467 | TajMahal | Malware | [TajMahal](https://attack.mitre.org/software/S0467) has the ability to manage an automated queue of egress files and commands sent to its C2.(Citation... |
| S0136 | USBStealer | Malware | [USBStealer](https://attack.mitre.org/software/S0136) automatically exfiltrates collected files via removable media when an infected device connects t... |
| S0538 | Crutch | Malware | [Crutch](https://attack.mitre.org/software/S0538) has automatically exfiltrated stolen files to Dropbox.(Citation: ESET Crutch December 2020) |
| S0445 | ShimRatReporter | Tool | [ShimRatReporter](https://attack.mitre.org/software/S0445) sent collected system and network information compiled into a report to an adversary-contro... |
| S0050 | CosmicDuke | Malware | [CosmicDuke](https://attack.mitre.org/software/S0050) exfiltrates collected files automatically over FTP to remote servers.(Citation: F-Secure Cosmicd... |
| S0438 | Attor | Malware | [Attor](https://attack.mitre.org/software/S0438) has a file uploader plugin that automatically exfiltrates the collected data and log files to the C2 ... |
| S1183 | StrelaStealer | Malware | [StrelaStealer](https://attack.mitre.org/software/S1183) automatically sends gathered email credentials following collection to command and control se... |
| S0131 | TINYTYPHON | Malware | When a document is found matching one of the extensions in the configuration, [TINYTYPHON](https://attack.mitre.org/software/S0131) uploads it to the ... |
Frequently Asked Questions
What is T1020 (Automated Exfiltration)?
T1020 is a MITRE ATT&CK technique named 'Automated Exfiltration'. It belongs to the Exfiltration tactic(s). Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020) When automated exfil...
How can T1020 be detected?
Detection of T1020 (Automated Exfiltration) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1020?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1020?
Known threat groups using T1020 include: Kimsuky, Sidewinder, Ke3chang, RedCurl, Winter Vivern, Tropic Trooper, Gamaredon Group.