T1020: T1020

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 31/05/2017 23:30 · Modified 27/03/2026 01:10

Essential information

MITRE technique ID: T1020
Confidence: 100/100
Revoked: No
Published: 31/05/2017 23:30
Modified: 27/03/2026 01:10
Author / Source: The MITRE Corporation

Aliases

Automated Exfiltration

Platforms

windows macos linux Network Devices

Description

Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020) When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).

Kill chain phases

Kill chain	Phase
mitre-attack	exfiltration

Marking (TLP)

External references

ESET Gamaredon June 2020
mitre-attack (T1020)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (50)

Volt Typhoon uses BRONZE SILHOUETTEVanguard Panda

The MITRE Corporation Confidence 100

[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC5820 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TaxOff uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
PlushDaemon uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sapphire Werewolf uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Daggerfly uses BRONZE HIGHLANDEvasive Panda

The MITRE Corporation Confidence 100

[Daggerfly](https://attack.mitre.org/groups/G1034) is a People's Republic of China-linked APT entity active since at least 2012. [Daggerfly](https://attack.mitre.org/groups/G1034) has targeted individuals, government and NGO entities, and telecommunication companies in Asia and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Kimsuky uses Black BansheeVelvet Chollima

The MITRE Corporation Confidence 100

[Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter…

First seen 01/01/1970 · Last seen 16/11/5138 ·
EncryptHub uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
DragonForce uses

Ransomware.Live Confidence 100

No description available

First seen 01/01/1970 · Last seen 16/11/5138 ·
Hive0131 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus Group uses HIDDEN COBRAGuardians of Peace

The MITRE Corporation Confidence 100

[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber…

First seen 01/01/1970 · Last seen 16/11/5138 ·
FIN7 uses GOLD NIAGARAITG14

The MITRE Corporation Confidence 100

[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media,…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

13–24 of 50

PureHVNC uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Kiron uses

Family
GODZILLA uses

Family
LameHug uses

Family
IcedID uses

Family
TrojanSpy uses

Family
COBEACON uses

Family
Lumma Stealer uses

The MITRE Corporation Confidence 100

[Lumma Stealer](https://attack.mitre.org/software/S1213) is an information stealer malware family in use since at least 2022. [Lumma Stealer](https://attack.mitre.org/software/S1213) is a Malware as a Service (MaaS) where captured data has been…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Hannotog uses
sysProcUpdate uses

Family
BlackCat uses
Rhadamanthys uses

Family

← Previous

Page / 7

1–12 of 73

Supply chain of Korean VPN service compromised related

32 MITREs 1 Malware 1 APT
Will the Real Volt Typhoon Please Stand Up? related

6 MITREs 1 Malware 9 Observables 1 APT
A Look Back: The Evolution of Latin American … related

18 MITREs 7 Malwares 32 Observables 1 APT
Threat Actor Targets Manufacturing Industry With Malware related

11 MITREs 2 Malwares
TaxOff: You've Got a Backdoor... related

14 MITREs 1 Malware 11 Observables 1 APT
Malicious RDP Files Identified in Latest Attack on … related

20 MITREs 1 Malware 1 APT
Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575) related

1 CVE 10 MITREs 4 Observables 1 APT
Grandoreiro banking trojan: overview of recent versions and … related

19 MITREs 1 Malware 1 APT
From Perfctl to InfoStealer related

20 MITREs 1 Malware 3 Observables
Threat Brief: Understanding Akira Ransomware related

4 CVEs 15 MITREs 1 Malware 3 Observables 1 APT
Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy related

12 MITREs 2 Malwares 1 APT
Unraveling Tool Set: KLogEXE and FPSpy related

12 MITREs 2 Malwares 8 Observables 1 APT

← Previous

Page / 4

25–36 of 41

Vulnerabilities (CVE) (37)

CVE-2025-55182 KEV targets

10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector: Network
Published: 05/12/2025
Modified: 29/05/2026

Analyzed

CVE-2019-6693 KEV targets

Fortinet FortiOS contains a use of hard-coded credentials vulnerability that could allow an attacker to cipher sensitive data in FortiOS configuration backup …

Published: 25/06/2025
Modified: 21/12/2025

CVE-2021-1675 KEV targets

Microsoft Windows Print Spooler contains an unspecified vulnerability that allows for remote code execution.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2025-31324 KEV targets

10.0 Critical

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries …

Attack vector: Network
Published: 29/04/2025
Modified: 21/12/2025

Received

CVE-2026-35616 KEV targets

9.8 Critical

A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands …

Attack vector: NETWORK
Complexity: LOW
Published: 04/04/2026
Modified: 09/04/2026

CWE-284 Received

CVE-2020-1380 KEV targets

7.8 High

Microsoft Internet Explorer contains a memory corruption vulnerability which can allow for remote code execution in the context of the current user.

Attack vector: LOCAL
Published: 03/11/2021
Modified: 26/02/2026

CVE-2024-47575 KEV targets

9.8 Critical

A missing authentication for critical function in FortiManager 7.6.0, FortiManager 7.4.0 through 7.4.4, FortiManager 7.2.0 through 7.2.7, FortiManager 7.0.0 through 7.0.12, FortiManager …

Attack vector: Network
Published: 23/10/2024
Modified: 21/12/2025

Analyzed

CVE-2026-0257 KEV targets

4.7 Medium

Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions …

Attack vector: NETWORK
Complexity: LOW
Published: 13/05/2026
Modified: 10/06/2026

CWE-565 Awaiting Analysis

CVE-2022-40684 KEV targets

9.8 Critical

Fortinet FortiOS, FortiProxy, and FortiSwitchManager contain an authentication bypass vulnerability that could allow an unauthenticated attacker to perform operations on the administrative …

Attack vector: Network
Published: 11/10/2022
Modified: 14/01/2026

CVE-2021-44228 KEV targets

10.0 Critical

Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.

Attack vector: Network
Published: 10/12/2021
Modified: 27/05/2026

CVE-2017-11882 KEV targets

7.8 High

Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.

Attack vector: Local
Complexity: Low
Published: 15/11/2017
Modified: 29/05/2026

CWE-119

CVE-2018-20250 KEV targets

WinRAR Absolute Path Traversal vulnerability leads to Remote Code Execution

Published: 15/02/2022
Modified: 02/06/2026

← Previous

Page / 4

13–24 of 37

Traffic Duplication subtechnique-of

MITRE

Tool (1)

ShimRatReporter uses

The MITRE Corporation Confidence 100

[ShimRatReporter](https://attack.mitre.org/software/S0445) is a tool used by suspected Chinese adversary [Mofang](https://attack.mitre.org/groups/G0103) to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as…

Campaign (1)

ArcaneDoor uses

Contact About Legal notice Privacy policy Terms of use

T1020: T1020

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (50)

Malware (73)

Reports (41)

Vulnerabilities (CVE) (37)

Attack patterns (MITRE) (1)

Tool (1)

Campaign (1)