T1020: T1020

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 31/05/2017 23:30 · Modified 27/03/2026 01:10

Essential information

MITRE technique ID: T1020
Confidence: 100/100
Revoked: No
Published: 31/05/2017 23:30
Modified: 27/03/2026 01:10
Author / Source: The MITRE Corporation

Aliases

Automated Exfiltration

Platforms

windows macos linux Network Devices

Description

Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020) When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).

Kill chain phases

Kill chain	Phase
mitre-attack	exfiltration

Marking (TLP)

External references

ESET Gamaredon June 2020
mitre-attack (T1020)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (50)

CozyDuke uses IRON RITUALIRON HEMLOCK

The MITRE Corporation Confidence 100

[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April…

First seen 01/01/1970 · Last seen 16/11/5138 ·
EVALUSION uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
GoldFactory uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Gamaredon uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Black Basta uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
koneko uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
RedCurl uses

The MITRE Corporation Confidence 100

[RedCurl](https://attack.mitre.org/groups/G1039) is a threat actor active since 2018 notable for corporate espionage targeting a variety of locations, including Ukraine, Canada and the United Kingdom, and a variety of…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Gamaredon Group uses IRON TILDENPrimitive Bear

The MITRE Corporation Confidence 100

[Gamaredon Group](https://attack.mitre.org/groups/G0047) is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Nomad Leopard uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Runningcrab uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Ke3chang uses APT15Mirage

The MITRE Corporation Confidence 100

[Ke3chang](https://attack.mitre.org/groups/G0004) is a threat group attributed to actors operating out of China. [Ke3chang](https://attack.mitre.org/groups/G0004) has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
OilRig uses COBALT GYPSYIRN2

The MITRE Corporation Confidence 100

[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 50

PureHVNC uses

Family
Kiron uses

Family
GODZILLA uses

Family
LameHug uses

Family
IcedID uses

Family
TrojanSpy uses

Family
COBEACON uses

Family
Lumma Stealer uses

Family
Hannotog uses
sysProcUpdate uses

Family
BlackCat uses
Rhadamanthys uses

Family

← Previous

Page / 7

1–12 of 73

Detecting the Klue supply chain attack in Salesforce … related

AlienVault Confidence 100 13 MITREs 3 IOCs 3 Observables 1 APT
Affidavit in Support of Application for Criminal Complaint related

AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables 1 APT
FSB’s matryoshka #1/3 – Gamaredon’s gifts that keeps … related

2 CVEs 19 MITREs 6 Malwares 4 Observables 1 APT
Operation GriefLure: Dissecting an APT Campaign Targeting Vietnam's … related

AlienVault Confidence 100 24 MITREs 2 Malwares 13 IOCs 13 Observables
AMOS Stealer delivered via Cursor AI agent session related

AlienVault Confidence 100 20 MITREs 1 Malware 13 IOCs 13 Observables
Threat Actors Leverage Claude Code Leak as Social … related

AlienVault Confidence 100 20 MITREs 3 Malwares 10 IOCs 10 Observables
New Malware Targets Users of Cobra DocGuard Software related

20 MITREs 3 Malwares 7 Observables 1 APT
Operation Nomad Leopard: Targeted Spear-Phishing Campaign Against Government … related

14 MITREs 1 Malware 5 Observables 1 APT
Analyzing the MonetaStealer macOS Threat related

1 CVE 10 MITREs 1 Malware 4 Observables
Analyzing React2Shell Threat Actors related

10 CVEs 16 MITREs 2 Malwares 9 Observables
The Tsundere botnet uses the Ethereum blockchain to … related

20 MITREs 2 Malwares 21 Observables 1 APT
EVALUSION Campaign Delivers Amatera Stealer and NetSupport... related

16 MITREs 3 Malwares 1 Observable 1 APT

← Previous

Page / 4

1–12 of 40

Vulnerabilities (CVE) (37)

CVE-2022-42475 KEV targets

9.8 Critical

Multiple versions of Fortinet FortiOS SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute arbitrary …

Attack vector: Network
Published: 13/12/2022
Modified: 20/12/2025

CVE-2025-59287 KEV targets

9.8 Critical

Microsoft Windows Server Update Service (WSUS) contains a deserialization of untrusted data vulnerability that allows for remote code execution.

Attack vector: Network
Published: 24/10/2025
Modified: 21/12/2025

Undergoing Analysis

CVE-2023-34362 KEV targets

9.8 Critical

Progress MOVEit Transfer contains a SQL injection vulnerability that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. …

Attack vector: Network
Published: 02/06/2023
Modified: 21/12/2025

CVE-2024-4577 KEV targets

9.8 Critical

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system …

Attack vector: Network
Published: 12/06/2024
Modified: 21/12/2025

Received

CVE-2025-26633 KEV targets

7.0 High

Microsoft Windows Management Console (MMC) contains an improper neutralization vulnerability that allows an unauthorized attacker to bypass a security feature locally.

Attack vector: Local
Published: 11/03/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2022-47945 targets

9.8 Critical

ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated …

Attack vector: NETWORK
Published: 23/12/2022
Modified: 19/01/2026

CVE-2023-26360 KEV targets

8.6 High

Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for remote code execution.

Attack vector: Network
Published: 15/03/2023
Modified: 21/12/2025

CVE-2019-9082 KEV targets

ThinkPHP contains an unspecified vulnerability that allows for remote code execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.

Published: 03/11/2021
Modified: 21/12/2025

CVE-2022-22947 KEV targets

Spring Cloud Gateway applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured.

Published: 16/05/2022
Modified: 20/12/2025

CVE-2025-24277 targets

A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Ventura …

Published: 31/03/2025
Modified: 01/04/2025

Awaiting Analysis

CVE-2022-24847 targets

7.2 High

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The GeoServer security …

Attack vector: NETWORK
Published: 14/04/2022
Modified: 21/12/2025

CVE-2023-20269 KEV targets

5.0 Medium

Cisco Adaptive Security Appliance and Firepower Threat Defense contain an unauthorized access vulnerability that could allow an unauthenticated, remote attacker to conduct …

Attack vector: Network
Published: 13/09/2023
Modified: 21/12/2025

← Previous

Page / 4

25–36 of 37

Traffic Duplication subtechnique-of

MITRE

Tool (1)

ShimRatReporter uses

The MITRE Corporation Confidence 100

[ShimRatReporter](https://attack.mitre.org/software/S0445) is a tool used by suspected Chinese adversary [Mofang](https://attack.mitre.org/groups/G0103) to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as…

Campaign (1)

ArcaneDoor uses

Contact About Legal notice Privacy policy Terms of use

T1020: T1020

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (50)

Malware (73)

Reports (40)

Vulnerabilities (CVE) (37)

Attack patterns (MITRE) (1)

Tool (1)

Campaign (1)