T1020 Automated Exfiltration Mappings

Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020)

When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over C2 Channel and Exfiltration Over Alternative Protocol.


VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
------------- | ---------------------- | ------------ | --------- | ----------- | -----
action.malware.variety.Export data | Export data to another site or system | related-to | T1020 | Automated Exfiltration |
attribute.confidentiality.data_disclosure | None | related-to | T1020 | Automated Exfiltration |

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
------------- | ---------------------- | ------------ | --------- | ----------- | -----
cloud_ids | Cloud IDS | technique_scores | T1020 | Automated Exfiltration |
google_secops | Google Security Operations | technique_scores | T1020 | Automated Exfiltration |

Comments on cloud_ids (Cloud IDS):
Cloud IDS spyware signatures can detect data exfiltration attempts over command and control channels, which adversaries often use to compromise sensitive data. Although an attacker may still have other ways to exfiltrate data from a compromised system, this technique was scored as significant based on Cloud IDS's advanced threat detection technology, which is continually updated to detect the latest known variations of these attacks.

Comments on google_secops (Google Security Operations):
Google Security Operations can trigger an alert on suspicious system processes, such as the use of bitsadmin to automatically exfiltrate data from Windows machines (e.g., a process path matching ".*\\bitsadmin\.exe"). This mapping is scored as minimal based on the low or uncertain detection coverage factor for this technique.
Reference: https://github.com/chronicle/detection-rules/blob/main/soc_prime_rules/threat_hunting/windows/data_exfiltration_attempt_via_bitsadmin.yaral

AWS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
------------- | ---------------------- | ------------ | --------- | ----------- | -----
amazon_guardduty | Amazon GuardDuty | technique_scores | T1020 | Automated Exfiltration |
aws_config | AWS Config | technique_scores | T1020 | Automated Exfiltration |
aws_iot_device_defender | AWS IoT Device Defender | technique_scores | T1020 | Automated Exfiltration |

Comments on amazon_guardduty (Amazon GuardDuty):
The following GuardDuty finding types flag events that may indicate adversaries attempting to exfiltrate data, such as sensitive documents, through automated processing after the data has been gathered during Collection:
  Behavior:EC2/TrafficVolumeUnusual
  Exfiltration:S3/MaliciousIPCaller
  Exfiltration:S3/ObjectRead.Unusual
  PenTest:S3/KaliLinux
  PenTest:S3/ParrotLinux
  PenTest:S3/PentooLinux
  UnauthorizedAccess:S3/MaliciousIPCaller.Custom
  UnauthorizedAccess:S3/TorIPCaller

Comments on aws_config (AWS Config):
This control provides partial coverage for this technique's only sub-technique, but without specific coverage for its procedures, resulting in an overall score of Minimal.

ATT&CK Subtechniques

Technique ID | Technique Name | Number of Mappings
------------ | -------------- | ------------------
T1020.001 | Traffic Duplication | 4