Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020)
When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over C2 Channel and Exfiltration Over Alternative Protocol.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1020 | Automated Exfiltration | This diagnostic statement protects against Automated Exfiltration through the use of failsafes, backup facilities, disaster recovery, and resilience strategies, including resumption of critical services. |
PR.DS-10.01 | Data-in-use protection | Mitigates | T1020 | Automated Exfiltration | This diagnostic statement describes mitigations related to protecting data in use, including encryption, access control methods and authentication. Encrypting data in use, alongside other safeguards such as those restricting exfiltration of sensitive data, aids in mitigating collection and exfiltration threats. |
PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1020 | Automated Exfiltration | This diagnostic statement protects against Automated Exfiltration through key management and key revocation. Employing key protection strategies for key material used in identity management and authentication processes over networks, restricting that material to specific accounts, and applying access control mechanisms provide protection against automated exfiltration. |
PR.IR-04.01 | Utilization monitoring | Mitigates | T1020 | Automated Exfiltration | This diagnostic statement describes how the organization establishes and manages baseline measures of network activity, supported by network monitoring tools and other controls that detect events and identify incidents. Mitigating mechanisms for network-based techniques of this type may include Data Loss Prevention (DLP), Filtering Network Traffic, Limit Network Traffic, Network Intrusion Prevention Systems (NIPS), and Network Segmentation. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Export data | Export data to another site or system | related-to | T1020 | Automated Exfiltration | |
attribute.confidentiality.data_disclosure | None | related-to | T1020 | Automated Exfiltration | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
cloud_ids | Cloud IDS | technique_scores | T1020 | Automated Exfiltration | Cloud IDS spyware signatures are able to detect data exfiltration attempts over command and control communications, which adversaries often use to compromise sensitive data. Although an attacker could still exfiltrate data from a compromised system in other ways, this technique was scored as significant based on Cloud IDS's advanced threat detection technology, which is continually updated to detect the latest known variations of these attacks. |
google_secops | Google Security Operations | technique_scores | T1020 | Automated Exfiltration | Google Security Ops is able to trigger an alert based on suspicious system processes, such as using bitsadmin to automatically exfiltrate data from Windows machines (e.g., `.*\\bitsadmin\.exe`). This mapping is scored as minimal based on a low or uncertain detection coverage factor for this technique. Reference: https://github.com/chronicle/detection-rules/blob/main/soc_prime_rules/threat_hunting/windows/data_exfiltration_attempt_via_bitsadmin.yaral |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
amazon_guardduty | Amazon GuardDuty | technique_scores | T1020 | Automated Exfiltration | The following GuardDuty finding types flag events that may indicate adversaries attempting to exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection: Behavior:EC2/TrafficVolumeUnusual; Exfiltration:S3/MaliciousIPCaller; Exfiltration:S3/ObjectRead.Unusual; PenTest:S3/KaliLinux; PenTest:S3/ParrotLinux; PenTest:S3/PentooLinux; UnauthorizedAccess:S3/MaliciousIPCaller.Custom; UnauthorizedAccess:S3/TorIPCaller. |
aws_config | AWS Config | technique_scores | T1020 | Automated Exfiltration | This control provides partial coverage for this technique's only sub-technique, but without specific coverage for its procedures, resulting in an overall score of Minimal. |
aws_iot_device_defender | AWS IoT Device Defender | technique_scores | T1020 | Automated Exfiltration | This control provides partial coverage for this technique's only sub-technique, but without specific coverage for its procedures, resulting in an overall score of Minimal. |
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1020.001 | Traffic Duplication | 33 |