Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.
When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over C2 Channel and Exfiltration Over Alternative Protocol.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| cloud_ids | Cloud IDS | technique_scores | T1020 | Automated Exfiltration |
Comments
Often used by adversaries to compromise sensitive data, Palo Alto Network's spyware signatures is able to detect data exfiltration attempts over command and control communications.
Although there are ways an attacker could still exfiltrate data from a compromised system, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these attacks.
References
|
| chronicle | Chronicle | technique_scores | T1020 | Automated Exfiltration |
Comments
Chronicle is able to trigger an alert based off suspicious sytem processes, such as using bitsadmin to automatically exfiltrate data from Windows machines (e.g., ".*\\bitsadmin\.exe").
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/main/soc_prime_rules/threat_hunting/windows/data_exfiltration_attempt_via_bitsadmin.yaral
References
|