EXPLORE
Sign In
← Back to Explore
T1020

Automated Exfiltration

Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020) When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).

LinuxmacOSNetwork DevicesWindows
17
Detections
3
Sources
6
Threat Actors

BY SOURCE

8sigma7elastic2splunk_escu

PROCEDURES (9)

General Monitoring5 detections

Auto-extracted: 5 detections for general monitoring

Exfiltrat3 detections

Auto-extracted: 3 detections for exfiltrat

Powershell2 detections

Auto-extracted: 2 detections for powershell

Exfiltrat2 detections

Auto-extracted: 2 detections for exfiltrat

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Email Security1 detections

Auto-extracted: 1 detections for email security

Ransomware1 detections

Auto-extracted: 1 detections for ransomware

Ransomware1 detections

Auto-extracted: 1 detections for ransomware

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

THREAT ACTORS (6)

Gamaredon GroupKe3changRedCurlSidewinderTropic TrooperWinter Vivern

DETECTIONS (17)

AWS EC2 Full Network Packet Capture Detected
elasticmedium
AWS RDS Master Password Change
sigmamedium
Detect RClone Command-Line Usage
splunk_escu
Detect Renamed RClone
splunk_escu
GitHub Exfiltration via High Number of Repository Clones by User
elasticmedium
Github Fork Private Repositories Setting Enabled/Cleared
sigmamedium
GitHub Private Repository Turned Public
elasticlow
Github Repository/Organization Transferred
sigmamedium
High Number of Closed Pull Requests by User
elasticmedium
High Number of Protected Branch Force Pushes by User
elasticmedium
M365 OneDrive/SharePoint Excessive File Downloads
elasticmedium
Modification or Deletion of an AWS RDS Cluster
sigmahigh
PowerShell Script With File Hostname Resolving Capabilities
sigmamedium
PowerShell Script With File Upload Capabilities
sigmalow
Restore Public AWS RDS Instance
sigmahigh
Several Failed Protected Branch Force Pushes by User
elasticmedium
Suspicious Inbox Forwarding
sigmalow