EXPLORE
Sign In
← Back to Explore
T1020

Automated Exfiltration

Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020) When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).

LinuxmacOSNetwork DevicesWindows
20
Detections
3
Sources
7
Threat Actors

BY SOURCE

10sigma7elastic3splunk_escu

PROCEDURES (11)

General Monitoring5 detections

Auto-extracted: 5 detections for general monitoring

Exfiltrat3 detections

Auto-extracted: 3 detections for exfiltrat

Email2 detections

Auto-extracted: 2 detections for email

Powershell2 detections

Auto-extracted: 2 detections for powershell

Powershell2 detections

Auto-extracted: 2 detections for powershell

Exfiltrat2 detections

Auto-extracted: 2 detections for exfiltrat

Service Monitoring1 detections

Auto-extracted: 1 detections for service monitoring

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Email1 detections

Auto-extracted: 1 detections for email

Email1 detections

Auto-extracted: 1 detections for email

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

THREAT ACTORS (7)

Gamaredon GroupKe3changKimsukyRedCurlSidewinderTropic TrooperWinter Vivern

DETECTIONS (20)

AWS EC2 Full Network Packet Capture Detected
elasticmedium
AWS RDS Master Password Change
sigmamedium
Detect RClone Command-Line Usage
splunk_escu
Detect Renamed RClone
splunk_escu
GitHub Exfiltration via High Number of Repository Clones by User
elasticmedium
Github Fork Private Repositories Setting Enabled/Cleared
sigmamedium
GitHub Private Repository Turned Public
elasticlow
Github Repository/Organization Transferred
sigmamedium
High Number of Closed Pull Requests by User
elasticmedium
High Number of Protected Branch Force Pushes by User
elasticmedium
M365 OneDrive/SharePoint Excessive File Downloads
elasticmedium
Mail Forwarding/Redirecting Activity In O365
sigmamedium
Mail Forwarding/Redirecting Activity Via ExchangePowerShell Cmdlet
sigmamedium
Modification or Deletion of an AWS RDS Cluster
sigmahigh
PowerShell Script With File Hostname Resolving Capabilities
sigmamedium
PowerShell Script With File Upload Capabilities
sigmalow
Restore Public AWS RDS Instance
sigmahigh
Several Failed Protected Branch Force Pushes by User
elasticmedium
Suspicious Inbox Forwarding
sigmalow
Windows Mustang Panda USB Tool Execution
splunk_escu