ID | Name |
---|---|
T1020.001 | Traffic Duplication |
Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.
When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over C2 Channel and Exfiltration Over Alternative Protocol.
ID | Name | Description |
---|---|---|
S0438 | Attor |
Attor has a file uploader plugin that automatically exfiltrates the collected data and log files to the C2 server.[1] |
S0050 | CosmicDuke |
CosmicDuke exfiltrates collected files automatically over FTP to remote servers.[2] |
S0538 | Crutch |
Crutch has automatically exfiltrated stolen files to Dropbox.[3] |
S0600 | Doki |
Doki has used a script that gathers information from a hardcoded list of IP addresses and uploads to an Ngrok URL.[4] |
S0377 | Ebury |
Ebury can automatically exfiltrate gathered SSH credentials.[5] |
G0101 | Frankenstein |
Frankenstein has collected information via Empire, which is automatically sent the data back to the adversary's C2.[6] |
G0047 | Gamaredon Group |
Gamaredon Group has used modules that automatically upload gathered documents to the C2 server.[7] |
G0072 | Honeybee |
Honeybee performs data exfiltration is accomplished through the following command-line command: |
G0004 | Ke3chang |
Ke3chang has performed frequent and scheduled data exfiltration from compromised networks.[9] |
S0395 | LightNeuron |
LightNeuron can be configured to automatically exfiltrate files under a specified directory.[10] |
S0409 | Machete |
Machete’s collected files are exfiltrated automatically to remote servers.[11] |
S0643 | Peppy |
Peppy has the ability to automatically exfiltrate files and keylogs.[12] |
S0090 | Rover |
Rover automatically searches for files on local drives based on a predefined list of file extensions and sends them to the command and control server every 60 minutes. Rover also automatically sends keylogger files and screenshots to the C2 server on a regular timeframe.[13] |
S0445 | ShimRatReporter |
ShimRatReporter sent collected system and network information compiled into a report to an adversary-controlled C2.[14] |
G0121 | Sidewinder |
Sidewinder has configured tools to automatically send collected files to attacker controlled servers.[15] |
S0491 | StrongPity |
StrongPity can automatically exfiltrate collected documents to the C2 server.[16][17] |
S0467 | TajMahal |
TajMahal has the ability to manage an automated queue of egress files and commands sent to its C2.[18] |
S0131 | TINYTYPHON |
When a document is found matching one of the extensions in the configuration, TINYTYPHON uploads it to the C2 server.[19] |
G0081 | Tropic Trooper |
Tropic Trooper has used a copy function to automatically exfiltrate sensitive data from air-gapped systems using USB storage.[20] |
S0136 | USBStealer |
USBStealer automatically exfiltrates collected files via removable media when an infected device connects to an air-gapped victim machine after initially being connected to an internet-enabled victim machine. [21] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Access |
DS0029 | Network Traffic | Network Connection Creation |
Network Traffic Content | ||
Network Traffic Flow | ||
DS0012 | Script | Script Execution |
Monitor process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious.