Automated Exfiltration - T1020
(ATT&CK® Technique)
Definition
Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
    T1020["Automated Exfiltration"] --> |produces| InternetNetworkTraffic["Internet Network Traffic"];
    class T1020 OffensiveTechniqueNode;
    class InternetNetworkTraffic ArtifactNode;
    click T1020 href "/offensive-technique/attack/T1020/";
    click InternetNetworkTraffic href "/dao/artifact/d3f:InternetNetworkTraffic";

    UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] --> |analyzes| InternetNetworkTraffic["Internet Network Traffic"];
    UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.-> |may-detect| T1020["Automated Exfiltration"];
    class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
    click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis";

    NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] --> |analyzes| InternetNetworkTraffic["Internet Network Traffic"];
    NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.-> |may-detect| T1020["Automated Exfiltration"];
    class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
    click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation";

    PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] --> |analyzes| InternetNetworkTraffic["Internet Network Traffic"];
    PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.-> |may-detect| T1020["Automated Exfiltration"];
    class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
    click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis";

    ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] --> |analyzes| InternetNetworkTraffic["Internet Network Traffic"];
    ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.-> |may-detect| T1020["Automated Exfiltration"];
    class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
    click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection";

    NetworkTrafficFiltering["Network Traffic Filtering"] --> |filters| InternetNetworkTraffic["Internet Network Traffic"];
    NetworkTrafficFiltering["Network Traffic Filtering"] -.-> |may-isolate| T1020["Automated Exfiltration"];
    class NetworkTrafficFiltering DefensiveTechniqueNode;
    click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering";

    Client-serverPayloadProfiling["Client-server Payload Profiling"] --> |analyzes| InternetNetworkTraffic["Internet Network Traffic"];
    Client-serverPayloadProfiling["Client-server Payload Profiling"] -.-> |may-detect| T1020["Automated Exfiltration"];
    class Client-serverPayloadProfiling DefensiveTechniqueNode;
    click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling";

    RemoteTerminalSessionDetection["Remote Terminal Session Detection"] --> |analyzes| InternetNetworkTraffic["Internet Network Traffic"];
    RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.-> |may-detect| T1020["Automated Exfiltration"];
    class RemoteTerminalSessionDetection DefensiveTechniqueNode;
    click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection";

    NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] --> |analyzes| InternetNetworkTraffic["Internet Network Traffic"];
    NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.-> |may-detect| T1020["Automated Exfiltration"];
    class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
    click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis";