T1020: T1020

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 31/05/2017 23:30 · Modified 27/03/2026 01:10

Essential information

MITRE technique ID: T1020
Confidence: 100/100
Revoked: No
Published: 31/05/2017 23:30
Modified: 27/03/2026 01:10
Author / Source: The MITRE Corporation

Aliases

Automated Exfiltration

Platforms

windows macos linux Network Devices

Description

Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020) When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).

Kill chain phases

Kill chain	Phase
mitre-attack	exfiltration

Marking (TLP)

External references

ESET Gamaredon June 2020
mitre-attack (T1020)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (50)

Volt Typhoon uses BRONZE SILHOUETTEVanguard Panda

The MITRE Corporation Confidence 100

[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC5820 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TaxOff uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
PlushDaemon uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sapphire Werewolf uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Daggerfly uses BRONZE HIGHLANDEvasive Panda

The MITRE Corporation Confidence 100

[Daggerfly](https://attack.mitre.org/groups/G1034) is a People's Republic of China-linked APT entity active since at least 2012. [Daggerfly](https://attack.mitre.org/groups/G1034) has targeted individuals, government and NGO entities, and telecommunication companies in Asia and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Kimsuky uses Black BansheeVelvet Chollima

The MITRE Corporation Confidence 100

[Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter…

First seen 01/01/1970 · Last seen 16/11/5138 ·
EncryptHub uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
DragonForce uses

Ransomware.Live Confidence 100

No description available

First seen 01/01/1970 · Last seen 16/11/5138 ·
Hive0131 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus Group uses HIDDEN COBRAGuardians of Peace

The MITRE Corporation Confidence 100

[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber…

First seen 01/01/1970 · Last seen 16/11/5138 ·
FIN7 uses GOLD NIAGARAITG14

The MITRE Corporation Confidence 100

[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media,…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

13–24 of 50

PureHVNC uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Kiron uses

Family
GODZILLA uses

Family
LameHug uses

Family
IcedID uses

Family
TrojanSpy uses

Family
COBEACON uses

Family
Lumma Stealer uses

The MITRE Corporation Confidence 100

[Lumma Stealer](https://attack.mitre.org/software/S1213) is an information stealer malware family in use since at least 2022. [Lumma Stealer](https://attack.mitre.org/software/S1213) is a Malware as a Service (MaaS) where captured data has been…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Hannotog uses
sysProcUpdate uses

Family
BlackCat uses
Rhadamanthys uses

Family

← Previous

Page / 7

1–12 of 73

EVALUSION Campaign Delivers Amatera Stealer and NetSupport... related

16 MITREs 3 Malwares 1 Observable 1 APT
AdaptixC2 Uncovered: Capabilities, Tactics & Hunting Strategies related

19 MITREs 1 Malware
Cybercrime Observations from the Frontlines: UNC6040 Proactive Hardening … related

1 CVE 12 MITREs 1 Malware 2 Observables 1 APT
SystemBC – Bringing the Noise related

13 MITREs 9 Malwares 158 Observables
An Analysis of the AMOS Stealer Campaign Targeting … related

9 MITREs
CTI Analysis: Malicious Email Campaign related

19 MITREs 1 Malware 15 Observables 1 APT
Analyzing LAMEHUG related

13 MITREs 1 Malware 1 APT
Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos … related

11 MITREs 1 Malware 5 Observables
The Espionage Toolkit: A Closer Look at its … related

16 MITREs 7 Malwares 1 APT
APT37 - RokRat related

21 MITREs 1 Malware 9 Observables 1 APT
Infostealer Campaign against ISPs related

18 MITREs 5 Malwares
Lumma Stealer Malware Thrives as Unique Patterns Uncovered … related

17 MITREs 2 Malwares

← Previous

Page / 4

13–24 of 41

Vulnerabilities (CVE) (37)

CVE-2022-42475 KEV targets

9.8 Critical

Multiple versions of Fortinet FortiOS SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute arbitrary …

Attack vector: Network
Published: 13/12/2022
Modified: 20/12/2025

CVE-2025-59287 KEV targets

9.8 Critical

Microsoft Windows Server Update Service (WSUS) contains a deserialization of untrusted data vulnerability that allows for remote code execution.

Attack vector: Network
Published: 24/10/2025
Modified: 21/12/2025

Undergoing Analysis

CVE-2023-34362 KEV targets

9.8 Critical

Progress MOVEit Transfer contains a SQL injection vulnerability that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. …

Attack vector: Network
Published: 02/06/2023
Modified: 21/12/2025

CVE-2024-4577 KEV targets

9.8 Critical

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system …

Attack vector: Network
Published: 12/06/2024
Modified: 21/12/2025

Received

CVE-2025-26633 KEV targets

7.0 High

Microsoft Windows Management Console (MMC) contains an improper neutralization vulnerability that allows an unauthorized attacker to bypass a security feature locally.

Attack vector: Local
Published: 11/03/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2022-47945 targets

9.8 Critical

ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated …

Attack vector: NETWORK
Published: 23/12/2022
Modified: 19/01/2026

CVE-2023-26360 KEV targets

8.6 High

Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for remote code execution.

Attack vector: Network
Published: 15/03/2023
Modified: 21/12/2025

CVE-2019-9082 KEV targets

ThinkPHP contains an unspecified vulnerability that allows for remote code execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.

Published: 03/11/2021
Modified: 21/12/2025

CVE-2022-22947 KEV targets

Spring Cloud Gateway applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured.

Published: 16/05/2022
Modified: 20/12/2025

CVE-2025-24277 targets

7.8 High

A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sequoia …

Attack vector: Local
Complexity: Low
Published: 01/04/2025
Modified: 02/04/2026

CWE-276 Awaiting Analysis

CVE-2022-24847 targets

7.2 High

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The GeoServer security …

Attack vector: NETWORK
Published: 14/04/2022
Modified: 21/12/2025

CVE-2023-20269 KEV targets

5.0 Medium

Cisco Adaptive Security Appliance and Firepower Threat Defense contain an unauthorized access vulnerability that could allow an unauthenticated, remote attacker to conduct …

Attack vector: Network
Published: 13/09/2023
Modified: 21/12/2025

← Previous

Page / 4

25–36 of 37

Traffic Duplication subtechnique-of

MITRE

Tool (1)

ShimRatReporter uses

The MITRE Corporation Confidence 100

[ShimRatReporter](https://attack.mitre.org/software/S0445) is a tool used by suspected Chinese adversary [Mofang](https://attack.mitre.org/groups/G0103) to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as…

Campaign (1)

ArcaneDoor uses

Contact About Legal notice Privacy policy Terms of use

T1020: T1020

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (50)

Malware (73)

Reports (41)

Vulnerabilities (CVE) (37)

Attack patterns (MITRE) (1)

Tool (1)

Campaign (1)