Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.
When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over C2 Channel and Exfiltration Over Alternative Protocol.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Export data | Export data to another site or system | related-to | T1020 | Automated Exfiltration | |
| aws_config | AWS Config | technique_scores | T1020 | Automated Exfiltration |
Comments
This control provides partial coverage for this technique's only sub-technique, but without specific coverage for its procedures, resulting in an overall score of Minimal.
References
|
| amazon_guardduty | Amazon GuardDuty | technique_scores | T1020 | Automated Exfiltration |
Comments
The following GuardDuty finding type flags events that may indicate adversaries attempting to exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.
Behavior:EC2/TrafficVolumeUnusual Exfiltration:S3/MaliciousIPCaller Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller
References
|
| aws_iot_device_defender | AWS IoT Device Defender | technique_scores | T1020 | Automated Exfiltration |
Comments
This control provides partial coverage for this technique's only sub-technique, but without specific coverage for its procedures, resulting in an overall score of Minimal.
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1020.001 | Traffic Duplication | 15 |