T1020: T1020

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 31/05/2017 23:30 · Modified 27/03/2026 01:10

Essential information

MITRE technique ID: T1020
Confidence: 100/100
Revoked: No
Published: 31/05/2017 23:30
Modified: 27/03/2026 01:10
Author / Source: The MITRE Corporation

Aliases

Automated Exfiltration

Platforms

windows macos linux Network Devices

Description

Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020) When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).

Kill chain phases

Kill chain	Phase
mitre-attack	exfiltration

Marking (TLP)

External references

ESET Gamaredon June 2020
mitre-attack (T1020)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (50)

Volt Typhoon uses BRONZE SILHOUETTEVanguard Panda

The MITRE Corporation Confidence 100

[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC5820 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TaxOff uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
PlushDaemon uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sapphire Werewolf uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Daggerfly uses BRONZE HIGHLANDEvasive Panda

The MITRE Corporation Confidence 100

[Daggerfly](https://attack.mitre.org/groups/G1034) is a People's Republic of China-linked APT entity active since at least 2012. [Daggerfly](https://attack.mitre.org/groups/G1034) has targeted individuals, government and NGO entities, and telecommunication companies in Asia and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Kimsuky uses Black BansheeVelvet Chollima

The MITRE Corporation Confidence 100

[Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter…

First seen 01/01/1970 · Last seen 16/11/5138 ·
EncryptHub uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
DragonForce uses

Ransomware.Live Confidence 100

No description available

First seen 01/01/1970 · Last seen 16/11/5138 ·
Hive0131 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus Group uses HIDDEN COBRAGuardians of Peace

The MITRE Corporation Confidence 100

[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber…

First seen 01/01/1970 · Last seen 16/11/5138 ·
FIN7 uses GOLD NIAGARAITG14

The MITRE Corporation Confidence 100

[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media,…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

13–24 of 50

Gremlin stealer uses

Family
HOMESTEEL uses

Family
TransferLoader uses

Family
OilRig uses
SystemBC uses

AlienVault Confidence 100

[SystemBC](https://attack.mitre.org/software/S9001) is a malware family offered as a malware-as-a-service (MaaS) that is used to establish command and control and facilitate follow-on activity, including ransomware deployment.[SystemBC](https://attack.mitre.org/software/S9001) executes a variety…

First seen 01/01/1970 · Last seen 16/11/5138 ·
RAILLOAD uses

Family
Alice uses
BlackCat - S1068 uses

Family
GammaLoad uses

Family
GraphicalProton uses
FeedLoad uses
CyberStrike Harvester uses

← Previous

Page / 7

37–48 of 73

Inside FortiBleed: Reverse Engineering the CyberStrike Harvester Behind … related

AlienVault Confidence 100 3 CVEs 21 MITREs 2 Malwares 8 IOCs 2 Observables
Detecting the Klue supply chain attack in Salesforce … related

AlienVault Confidence 100 13 MITREs 3 IOCs 3 Observables 1 APT
Affidavit in Support of Application for Criminal Complaint related

AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables 1 APT
FSB’s matryoshka #1/3 – Gamaredon’s gifts that keeps … related

2 CVEs 19 MITREs 6 Malwares 4 Observables 1 APT
Operation GriefLure: Dissecting an APT Campaign Targeting Vietnam's … related

AlienVault Confidence 100 24 MITREs 2 Malwares 13 IOCs 13 Observables
AMOS Stealer delivered via Cursor AI agent session related

AlienVault Confidence 100 20 MITREs 1 Malware 13 IOCs 13 Observables
Threat Actors Leverage Claude Code Leak as Social … related

AlienVault Confidence 100 20 MITREs 3 Malwares 10 IOCs 10 Observables
New Malware Targets Users of Cobra DocGuard Software related

20 MITREs 3 Malwares 7 Observables 1 APT
Operation Nomad Leopard: Targeted Spear-Phishing Campaign Against Government … related

14 MITREs 1 Malware 5 Observables 1 APT
Analyzing the MonetaStealer macOS Threat related

1 CVE 10 MITREs 1 Malware 4 Observables
Analyzing React2Shell Threat Actors related

10 CVEs 16 MITREs 2 Malwares 9 Observables
The Tsundere botnet uses the Ethereum blockchain to … related

20 MITREs 2 Malwares 21 Observables 1 APT

← Previous

Page / 4

1–12 of 41

Vulnerabilities (CVE) (37)

CVE-2024-21893 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons contain a server-side request forgery (SSRF) …

Attack vector: Network
Published: 31/01/2024
Modified: 27/05/2026

CVE-2025-53690 KEV targets

9.0 Critical

Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the …

Attack vector: Network
Published: 04/09/2025
Modified: 21/12/2025

CVE-2026-25089 targets

9.8 Critical

A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox …

Attack vector: NETWORK
Complexity: LOW
Published: 09/06/2026
Modified: 24/06/2026

CWE-78 Awaiting Analysis

CVE-2023-27997 KEV targets

9.8 Critical

Fortinet FortiOS and FortiProxy SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute code or …

Attack vector: Network
Published: 13/06/2023
Modified: 21/12/2025

CVE-2023-1389 KEV targets

8.8 High

TP-Link Archer AX-21 contains a command injection vulnerability that allows for remote code execution.

Attack vector: Adjacent
Published: 01/05/2023
Modified: 21/12/2025

CVE-2023-42793 KEV targets

9.8 Critical

JetBrains TeamCity contains an authentication bypass vulnerability that allows for remote code execution on TeamCity Server.

Attack vector: Network
Published: 04/10/2023
Modified: 29/05/2026

CVE-2021-34527 KEV targets

Microsoft Windows Print Spooler contains an unspecified vulnerability due to the Windows Print Spooler service improperly performing privileged file operations. Successful exploitation …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2017-9841 KEV targets

9.8 Critical

PHPUnit allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by …

Attack vector: NETWORK
Complexity: LOW
Published: 27/06/2017
Modified: 22/04/2026

CWE-94

CVE-2024-21887 KEV targets

9.1 Critical

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2024-7344 targets

8.2 High

Howyar UEFI Application "Reloader" (32-bit and 64-bit) is vulnerable to execution of unsigned software in a hardcoded path.

Attack vector: LOCAL
Published: 14/01/2025
Modified: 21/12/2025

Analyzed

CVE-2023-46805 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2021-21972 KEV targets

VMware vCenter Server vSphere Client contains a remote code execution vulnerability in a vCenter Server plugin which allows an attacker with network …

Published: 03/11/2021
Modified: 21/12/2025

← Previous

Page / 4

1–12 of 37

Traffic Duplication subtechnique-of

MITRE

Tool (1)

ShimRatReporter uses

The MITRE Corporation Confidence 100

[ShimRatReporter](https://attack.mitre.org/software/S0445) is a tool used by suspected Chinese adversary [Mofang](https://attack.mitre.org/groups/G0103) to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as…

Campaign (1)

ArcaneDoor uses

Contact About Legal notice Privacy policy Terms of use

T1020: T1020

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (50)

Malware (73)

Reports (41)

Vulnerabilities (CVE) (37)

Attack patterns (MITRE) (1)

Tool (1)

Campaign (1)