Automated Exfiltration

Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.

When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over C2 Channel and Exfiltration Over Alternative Protocol.

ID: T1020
Sub-techniques:  No sub-techniques
Tactic: Exfiltration
Platforms: Linux, Windows, macOS
Data Sources: File monitoring, Process monitoring, Process use of network
Requires Network:  Yes
Version: 1.1
Created: 31 May 2017
Last Modified: 11 March 2020

Procedure Examples

Name Description

CosmicDuke exfiltrates collected files automatically over FTP to remote servers.[1]


Honeybee performs data exfiltration is accomplished through the following command-line command: from (- --).txt.[7]


LightNeuron can be configured to automatically exfiltrate files under a specified directory.[5]


Machete’s collected files are exfiltrated automatically to remote servers.[6]


Rover automatically searches for files on local drives based on a predefined list of file extensions and sends them to the command and control server every 60 minutes. Rover also automatically sends keylogger files and screenshots to the C2 server on a regular timeframe.[3]


When a document is found matching one of the extensions in the configuration, TINYTYPHON uploads it to the C2 server.[2]


USBStealer automatically exfiltrates collected files via removable media when an infected device is connected to the second victim after receiving commands from the first victim.[4]


This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.


Monitor process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious.