T1020: T1020

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 31/05/2017 23:30 · Modified 27/03/2026 01:10

Essential information

MITRE technique ID: T1020
Confidence: 100/100
Revoked: No
Published: 31/05/2017 23:30
Modified: 27/03/2026 01:10
Author / Source: The MITRE Corporation

Aliases

Automated Exfiltration

Platforms

windows macos linux Network Devices

Description

Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020) When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).

Kill chain phases

Kill chain	Phase
mitre-attack	exfiltration

Marking (TLP)

External references

ESET Gamaredon June 2020
mitre-attack (T1020)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (50)

APT-C-35 related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT28 (Fancy Bear) related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT31 related Violet TyphoonZIRCONIUM

The MITRE Corporation Confidence 100

[ZIRCONIUM](https://attack.mitre.org/groups/G0128) is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Blackwood related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Diplomatic Orbiter related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Earth Alux related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Grandoreiro related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Haskers Gang related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Homeland Justice related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Icarus related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Magic Hound related COBALT ILLUSIONITG18

The MITRE Corporation Confidence 100

[Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Marko Polo related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

25–36 of 50

PureHVNC uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Kiron uses

Family
GODZILLA uses

Family
LameHug uses

Family
IcedID uses

Family
TrojanSpy uses

Family
COBEACON uses

Family
Lumma Stealer uses

The MITRE Corporation Confidence 100

[Lumma Stealer](https://attack.mitre.org/software/S1213) is an information stealer malware family in use since at least 2022. [Lumma Stealer](https://attack.mitre.org/software/S1213) is a Malware as a Service (MaaS) where captured data has been…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Hannotog uses
sysProcUpdate uses

Family
BlackCat uses
Rhadamanthys uses

Family

← Previous

Page / 7

1–12 of 73

EVALUSION Campaign Delivers Amatera Stealer and NetSupport... related

16 MITREs 3 Malwares 1 Observable 1 APT
AdaptixC2 Uncovered: Capabilities, Tactics & Hunting Strategies related

19 MITREs 1 Malware
Cybercrime Observations from the Frontlines: UNC6040 Proactive Hardening … related

1 CVE 12 MITREs 1 Malware 2 Observables 1 APT
SystemBC – Bringing the Noise related

13 MITREs 9 Malwares 158 Observables
An Analysis of the AMOS Stealer Campaign Targeting … related

9 MITREs
CTI Analysis: Malicious Email Campaign related

19 MITREs 1 Malware 15 Observables 1 APT
Analyzing LAMEHUG related

13 MITREs 1 Malware 1 APT
Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos … related

11 MITREs 1 Malware 5 Observables
The Espionage Toolkit: A Closer Look at its … related

16 MITREs 7 Malwares 1 APT
APT37 - RokRat related

21 MITREs 1 Malware 9 Observables 1 APT
Infostealer Campaign against ISPs related

18 MITREs 5 Malwares
Lumma Stealer Malware Thrives as Unique Patterns Uncovered … related

17 MITREs 2 Malwares

← Previous

Page / 4

13–24 of 41

Vulnerabilities (CVE) (37)

CVE-2025-55182 KEV targets

10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector: Network
Published: 05/12/2025
Modified: 29/05/2026

Analyzed

CVE-2019-6693 KEV targets

Fortinet FortiOS contains a use of hard-coded credentials vulnerability that could allow an attacker to cipher sensitive data in FortiOS configuration backup …

Published: 25/06/2025
Modified: 21/12/2025

CVE-2021-1675 KEV targets

Microsoft Windows Print Spooler contains an unspecified vulnerability that allows for remote code execution.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2025-31324 KEV targets

10.0 Critical

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries …

Attack vector: Network
Published: 29/04/2025
Modified: 21/12/2025

Received

CVE-2026-35616 KEV targets

9.8 Critical

A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands …

Attack vector: NETWORK
Complexity: LOW
Published: 04/04/2026
Modified: 09/04/2026

CWE-284 Received

CVE-2020-1380 KEV targets

7.8 High

Microsoft Internet Explorer contains a memory corruption vulnerability which can allow for remote code execution in the context of the current user.

Attack vector: LOCAL
Published: 03/11/2021
Modified: 26/02/2026

CVE-2024-47575 KEV targets

9.8 Critical

A missing authentication for critical function in FortiManager 7.6.0, FortiManager 7.4.0 through 7.4.4, FortiManager 7.2.0 through 7.2.7, FortiManager 7.0.0 through 7.0.12, FortiManager …

Attack vector: Network
Published: 23/10/2024
Modified: 21/12/2025

Analyzed

CVE-2026-0257 KEV targets

4.7 Medium

Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions …

Attack vector: NETWORK
Complexity: LOW
Published: 13/05/2026
Modified: 10/06/2026

CWE-565 Awaiting Analysis

CVE-2022-40684 KEV targets

9.8 Critical

Fortinet FortiOS, FortiProxy, and FortiSwitchManager contain an authentication bypass vulnerability that could allow an unauthenticated attacker to perform operations on the administrative …

Attack vector: Network
Published: 11/10/2022
Modified: 14/01/2026

CVE-2021-44228 KEV targets

10.0 Critical

Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.

Attack vector: Network
Published: 10/12/2021
Modified: 27/05/2026

CVE-2017-11882 KEV targets

7.8 High

Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.

Attack vector: Local
Complexity: Low
Published: 15/11/2017
Modified: 29/05/2026

CWE-119

CVE-2018-20250 KEV targets

WinRAR Absolute Path Traversal vulnerability leads to Remote Code Execution

Published: 15/02/2022
Modified: 02/06/2026

← Previous

Page / 4

13–24 of 37

Traffic Duplication subtechnique-of

MITRE

Tool (1)

ShimRatReporter uses

The MITRE Corporation Confidence 100

[ShimRatReporter](https://attack.mitre.org/software/S0445) is a tool used by suspected Chinese adversary [Mofang](https://attack.mitre.org/groups/G0103) to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as…

Campaign (1)

ArcaneDoor uses

Contact About Legal notice Privacy policy Terms of use

T1020: T1020

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (50)

Malware (73)

Reports (41)

Vulnerabilities (CVE) (37)

Attack patterns (MITRE) (1)

Tool (1)

Campaign (1)