Automated Exfiltration

Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020) When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over C2 Channel and Exfiltration Over Alternative Protocol.

ID: T1020
Sub-techniques: T1020.001
Tactic(s): Exfiltration
Platforms: Linux, Network Devices, Windows, macOS
Data Sources: Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Script: Script Execution
Version: 1.3
Created: 31 May 2017
Last Modified: 15 Apr 2025

Procedure Examples

Name Description
ShimRatReporter

ShimRatReporter sent collected system and network information compiled into a report to an adversary-controlled C2.(Citation: FOX-IT May 2016 Mofang)

StrongPity

StrongPity can automatically exfiltrate collected documents to the C2 server.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)

Hannotog

Hannotog can upload encrypted data for exfiltration.(Citation: Symantec Bilbug 2022)

CosmicDuke

CosmicDuke exfiltrates collected files automatically over FTP to remote servers.(Citation: F-Secure Cosmicduke)

Empire

Empire has the ability to automatically send collected data back to the threat actors' C2.(Citation: Talos Frankenstein June 2019)

Machete

Machete’s collected files are exfiltrated automatically to remote servers.(Citation: ESET Machete July 2019)

Doki

Doki has used a script that gathers information from a hardcoded list of IP addresses and uploads to an Ngrok URL.(Citation: Intezer Doki July 20)

Rover

Rover automatically searches for files on local drives based on a predefined list of file extensions and sends them to the command and control server every 60 minutes. Rover also automatically sends keylogger files and screenshots to the C2 server on a regular timeframe.(Citation: Palo Alto Rover)

LightNeuron

LightNeuron can be configured to automatically exfiltrate files under a specified directory.(Citation: ESET LightNeuron May 2019)

Peppy

Peppy has the ability to automatically exfiltrate files and keylogs.(Citation: Proofpoint Operation Transparent Tribe March 2016)

TINYTYPHON

When a document is found matching one of the extensions in the configuration, TINYTYPHON uploads it to the C2 server.(Citation: Forcepoint Monsoon)

Attor

Attor has a file uploader plugin that automatically exfiltrates the collected data and log files to the C2 server.(Citation: ESET Attor Oct 2019)

Crutch

Crutch has automatically exfiltrated stolen files to Dropbox.(Citation: ESET Crutch December 2020)

StrelaStealer

StrelaStealer automatically sends gathered email credentials following collection to command and control servers via HTTP POST.(Citation: DCSO StrelaStealer 2022)(Citation: IBM StrelaStealer 2024)

USBStealer

USBStealer automatically exfiltrates collected files via removable media when an infected device connects to an air-gapped victim machine after initially being connected to an internet-enabled victim machine. (Citation: ESET Sednit USBStealer 2014)

TajMahal

TajMahal has the ability to manage an automated queue of egress files and commands sent to its C2.(Citation: Kaspersky TajMahal April 2019)

Raccoon Stealer

Raccoon Stealer will automatically collect and exfiltrate data identified in received configuration files from command and control nodes.(Citation: S2W Racoon 2022)(Citation: Sekoia Raccoon1 2022)(Citation: Sekoia Raccoon2 2022)

Solar

Solar can automatically exfiltrate files from compromised systems.(Citation: ESET OilRig Campaigns Sep 2023)

OutSteel

OutSteel can automatically upload collected files to its C2 server.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)

Ebury

If credentials are not collected for two weeks, Ebury encrypts the credentials using a public key and sends them via UDP to an IP address located in the DNS TXT record.(Citation: ESET Windigo Mar 2014)(Citation: ESET Ebury May 2024)

Frankenstein

Frankenstein has collected information via Empire, which automatically sends the data back to the adversary's C2.(Citation: Talos Frankenstein June 2019)

Tropic Trooper

Tropic Trooper has used a copy function to automatically exfiltrate sensitive data from air-gapped systems using USB storage.(Citation: TrendMicro Tropic Trooper May 2020)

Gamaredon Group

Gamaredon Group has used modules that automatically upload gathered documents to the C2 server.(Citation: ESET Gamaredon June 2020)

Honeybee

Honeybee performs data exfiltration through the following command-line command: from (- --).txt.(Citation: McAfee Honeybee)

Sidewinder

Sidewinder has configured tools to automatically send collected files to attacker controlled servers.(Citation: ATT Sidewinder January 2021)

Ke3chang

Ke3chang has performed frequent and scheduled data exfiltration from compromised networks.(Citation: Microsoft NICKEL December 2021)

RedCurl

RedCurl has used batch scripts to exfiltrate data.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2)

Winter Vivern

Winter Vivern delivered a PowerShell script capable of recursively scanning victim machines looking for various file types before exfiltrating identified files via HTTP.(Citation: CERT-UA WinterVivern 2023)

Mitigations

Mitigation Description
Automated Exfiltration Mitigation

Identify unnecessary system utilities, scripts, or potentially malicious software that may be used to transfer data outside of a network, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Detection

Monitor process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious.
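The guidance above is easy to state and harder to operationalise, because file-access and network telemetry arrive as separate event streams. The following example, added here and not part of the original ATT&CK page, correlates the two per process: it flags a process that is neither on an assumed allowlist nor below the traversal thresholds, touches files in several distinct directories, and then opens an outbound connection during or shortly after that traversal. The event schema, thresholds, allowlist and sample telemetry are all constructed for this example.

```python
"""Toy correlation rule for ATT&CK T1020 (Automated Exfiltration).

Joins per-process File Access events with Network Connection Creation
events, as the page's detection guidance suggests. The event format,
thresholds and allowlist below are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Constructed sample telemetry (not real logs). Timestamps are ISO-8601 so
# lexicographic order equals chronological order.
SAMPLE_EVENTS = [
    # pid 4242: an unknown binary walks several user/share directories and then calls out.
    {"ts": "2025-04-15T09:00:01", "pid": 4242, "image": "/tmp/.cache/upd", "type": "file_access", "path": "/home/alice/Documents/q1-report.docx"},
    {"ts": "2025-04-15T09:00:02", "pid": 4242, "image": "/tmp/.cache/upd", "type": "file_access", "path": "/home/alice/Documents/budget.xlsx"},
    {"ts": "2025-04-15T09:00:03", "pid": 4242, "image": "/tmp/.cache/upd", "type": "file_access", "path": "/home/alice/Desktop/notes.txt"},
    {"ts": "2025-04-15T09:00:04", "pid": 4242, "image": "/tmp/.cache/upd", "type": "file_access", "path": "/home/alice/Downloads/contract.pdf"},
    {"ts": "2025-04-15T09:00:05", "pid": 4242, "image": "/tmp/.cache/upd", "type": "file_access", "path": "/srv/share/hr/salaries.xlsx"},
    {"ts": "2025-04-15T09:00:06", "pid": 4242, "image": "/tmp/.cache/upd", "type": "file_access", "path": "/srv/share/hr/offers.docx"},
    {"ts": "2025-04-15T09:00:09", "pid": 4242, "image": "/tmp/.cache/upd", "type": "net_connect", "dst": "203.0.113.5:443"},
    # pid 3003: the (assumed) backup agent does the same thing legitimately; it is allowlisted.
    {"ts": "2025-04-15T09:05:00", "pid": 3003, "image": "/opt/backup/agent", "type": "file_access", "path": "/home/alice/Documents/q1-report.docx"},
    {"ts": "2025-04-15T09:05:01", "pid": 3003, "image": "/opt/backup/agent", "type": "file_access", "path": "/home/alice/Desktop/notes.txt"},
    {"ts": "2025-04-15T09:05:02", "pid": 3003, "image": "/opt/backup/agent", "type": "file_access", "path": "/srv/share/hr/salaries.xlsx"},
    {"ts": "2025-04-15T09:05:03", "pid": 3003, "image": "/opt/backup/agent", "type": "file_access", "path": "/srv/share/hr/offers.docx"},
    {"ts": "2025-04-15T09:05:04", "pid": 3003, "image": "/opt/backup/agent", "type": "file_access", "path": "/etc/hostname"},
    {"ts": "2025-04-15T09:05:10", "pid": 3003, "image": "/opt/backup/agent", "type": "net_connect", "dst": "10.0.0.20:873"},
    # pid 5005: curl reads one file and connects; below the traversal threshold.
    {"ts": "2025-04-15T09:10:00", "pid": 5005, "image": "/usr/bin/curl", "type": "file_access", "path": "/home/alice/Downloads/contract.pdf"},
    {"ts": "2025-04-15T09:10:01", "pid": 5005, "image": "/usr/bin/curl", "type": "net_connect", "dst": "198.51.100.7:443"},
    # pid 6006: broad traversal, but the only connection is two hours later (outside the window).
    {"ts": "2025-04-15T09:20:00", "pid": 6006, "image": "/usr/bin/find", "type": "file_access", "path": "/home/alice/Documents/a.txt"},
    {"ts": "2025-04-15T09:20:01", "pid": 6006, "image": "/usr/bin/find", "type": "file_access", "path": "/home/alice/Desktop/b.txt"},
    {"ts": "2025-04-15T09:20:02", "pid": 6006, "image": "/usr/bin/find", "type": "file_access", "path": "/home/alice/Downloads/c.txt"},
    {"ts": "2025-04-15T09:20:03", "pid": 6006, "image": "/usr/bin/find", "type": "file_access", "path": "/srv/share/hr/d.txt"},
    {"ts": "2025-04-15T09:20:04", "pid": 6006, "image": "/usr/bin/find", "type": "file_access", "path": "/srv/share/hr/e.txt"},
    {"ts": "2025-04-15T11:20:04", "pid": 6006, "image": "/usr/bin/find", "type": "net_connect", "dst": "192.0.2.9:80"},
]

# Assumed tuning knobs; real deployments would derive these from a baseline.
WINDOW = timedelta(minutes=10)      # how soon after traversal a connection still counts
MIN_DIRS = 3                        # distinct directories touched
MIN_FILES = 5                       # files read
KNOWN_GOOD_IMAGES = {"/opt/backup/agent", "/usr/bin/rsync"}  # assumed allowlist


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_automated_exfiltration(events, window=WINDOW, min_dirs=MIN_DIRS,
                                min_files=MIN_FILES, allowlist=KNOWN_GOOD_IMAGES):
    """Return one finding per process whose file traversal is followed by an outbound connection."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pid[ev["pid"]].append(ev)

    findings = []
    for pid, evs in by_pid.items():
        image = evs[0]["image"]
        if image in allowlist:
            continue
        reads = [e for e in evs if e["type"] == "file_access"]
        conns = [e for e in evs if e["type"] == "net_connect"]
        if len(reads) < min_files or not conns:
            continue
        dirs = {str(PurePosixPath(e["path"]).parent) for e in reads}
        if len(dirs) < min_dirs:
            continue
        first_read, last_read = _ts(reads[0]), _ts(reads[-1])
        # A connection only counts if it lands during the traversal or within `window` after it.
        for conn in conns:
            if first_read <= _ts(conn) <= last_read + window:
                findings.append({"pid": pid, "image": image, "files": len(reads),
                                 "dirs": len(dirs), "dst": conn["dst"]})
                break
    return findings


if __name__ == "__main__":
    for finding in find_automated_exfiltration(SAMPLE_EVENTS):
        print(finding)
```

Of the four processes in the sample, only pid 4242 is reported: the backup agent is allowlisted, `curl` reads a single file, and `find` connects far outside the window. In practice the allowlist and thresholds are the whole game; keep them per host role, and treat a connection to a destination the process has never contacted before as a stronger signal than the thresholds alone.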

References

  1. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
  2. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  3. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  4. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  5. DCSO CyTec Blog. (2022, November 8). #ShortAndMalicious: StrelaStealer aims for mail credentials. Retrieved December 31, 2024.
  6. Canadian Centre for Cyber Security. (2024, April 24). Cyber Activity Impacting CISCO ASA VPNs. Retrieved January 6, 2025.
  7. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  8. Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.
  9. Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024.
  10. Golo Mühr, Joe Fasulo & Charlotte Hammond, IBM X-Force. (2024, November 12). Strela Stealer: Today’s invoice is tomorrow’s phish. Retrieved December 31, 2024.
  11. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  12. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
  13. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
  14. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  15. Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
  16. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  17. Marc-Etienne M.Léveillé. (2024, May 1). Ebury is alive but unseen. Retrieved May 21, 2024.
  18. Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
  19. Symantec Threat Hunter Team. (2022, November 12). Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries. Retrieved March 15, 2025.
  20. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
  21. Chen, J. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  22. Bilodeau, O., Bureau, M., Calvet, J., Dorais-Joncas, A., Léveillé, M., Vanheuverzwijn, B. (2014, March 18). Operation Windigo – the vivisection of a large Linux server‑side credential‑stealing malware campaign. Retrieved February 10, 2021.
  23. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
  24. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  25. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
  26. Fishbein, N., Kajiloti, M. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021.
  27. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  28. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  29. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  30. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  31. S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024.
  32. Hromcova, Z. and Burgher, A. (2023, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved November 21, 2024.
  33. Quentin Bourgue, Pierre le Bourhis, & Sekoia TDR. (2022, June 28). Raccoon Stealer v2 - Part 1: The return of the dead. Retrieved August 1, 2024.
  34. CERT-UA. (2023, February 1). UAC-0114 aka Winter Vivern to target Ukrainian and Polish GOV entities (CERT-UA#5909). Retrieved July 29, 2024.
