T1020

Automated Exfiltration

Adversaries may exfiltrate data through the use of automated processing after being gathered during collection. Automated exfiltration commonly involves scripted or programmatic transfer of collected files to attacker-controlled infrastructure on a schedule or triggered basis. This technique is frequently combined with T1041 (Exfiltration Over C2 Channel) or T1048 (Exfiltration Over Alternative Protocol) to move data out of the network. Real-world examples include StrongPity automatically uploading collected documents, Rover scanning local drives on a 60-minute cycle, Raccoon Stealer acting on received configuration files, and Ke3chang performing frequent scheduled exfiltration from compromised networks.

Microsoft Sentinel / Defender

kusto

// Branch 1: Scripting engines performing bulk file enumeration followed by network activity
let ExfilProcesses = dynamic(["powershell.exe", "pwsh.exe", "python.exe", "python3.exe", "wscript.exe", "cscript.exe", "cmd.exe"]);
let TransferTools = dynamic(["curl.exe", "wget.exe", "certutil.exe", "bitsadmin.exe", "ftp.exe", "sftp.exe", "scp.exe", "robocopy.exe"]);
let ArchiveTools = dynamic(["7z.exe", "7za.exe", "winrar.exe", "rar.exe", "zip.exe", "tar.exe"]);
let SensitivePaths = dynamic(["\\Documents\\", "\\Desktop\\", "\\Downloads\\", "\\AppData\\", "\\Users\\", "\\ProgramData\\", "\\temp\\", "\\tmp\\"]);
// Detect scripting engines with exfil-relevant command patterns
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (ExfilProcesses)
| where ProcessCommandLine has_any ([
    // PowerShell upload/transfer patterns
    "UploadFile", "UploadData", "UploadString",
    "Invoke-WebRequest", "Invoke-RestMethod",
    "Net.WebClient", "Net.FtpWebRequest",
    "Start-BitsTransfer",
    // Recursive file collection patterns
    "Get-ChildItem", "gci ", "ls -r", "dir /s",
    "Get-Content", "[IO.File]::",
    // Archive creation
    "Compress-Archive", "-CompressionLevel",
    // Curl/wget in scripts
    "curl ", "wget ",
    // FTP commands in scripts
    "ftp -", "sftp "
  ])
| extend HasUpload = ProcessCommandLine has_any (["UploadFile", "UploadData", "UploadString", "Start-BitsTransfer", "Net.FtpWebRequest"])
| extend HasCollection = ProcessCommandLine has_any (["Get-ChildItem", "gci ", "dir /s", "Get-Content", "[IO.File]::", "Compress-Archive"])
| extend HasTransferTool = ProcessCommandLine has_any (["curl ", "wget ", "ftp -", "sftp "])
| extend SensitivePath = ProcessCommandLine has_any (SensitivePaths)
| where HasUpload or (HasCollection and HasTransferTool) or (HasCollection and SensitivePath)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         HasUpload, HasCollection, HasTransferTool, SensitivePath
| sort by Timestamp desc
| union (
// Branch 2: Known transfer tools spawned shortly after archive creation or file collection
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (TransferTools)
| where ProcessCommandLine has_any ([
    // Upload/POST indicators
    "-T ", "--upload-file", "-d @", "--data-binary @",
    "PUT ", "POST ",
    "ftp://", "sftp://", "ftps://",
    // Certutil exfil
    "-urlcache", "-encode", "-decode",
    // BitsAdmin upload
    "/transfer", "/upload",
    // SCP/SFTP file push
    "scp ", "-r "
  ])
| extend IsExternalDest = ProcessCommandLine matches regex @"(ftp|sftp|ftps|http|https)://(?!10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, IsExternalDest
| sort by Timestamp desc
)
| union (
// Branch 3: Archive tools creating archives in temp/staging paths — common exfil prep
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (ArchiveTools)
| where ProcessCommandLine has_any (SensitivePaths)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(24h)
    | where RemoteIPType == "Public"
    | project NetTimestamp=Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName
  ) on DeviceName
| where NetTimestamp between (Timestamp .. (Timestamp + 5m))
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, RemoteIP, RemotePort
| sort by Timestamp desc
)

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Network Traffic: Network Connection Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

Backup software agents (Veeam, Acronis, Windows Server Backup) running scheduled backup jobs that compress and transfer files to remote storage
Cloud sync clients (OneDrive sync engine, Dropbox, Google Drive File Stream) automatically uploading files in monitored user directories
Log and telemetry collection agents (Splunk Universal Forwarder, Filebeat, NXLog) that regularly collect and ship log files to SIEM infrastructure
IT automation tools (Ansible, SCCM) that push collected inventory or configuration data back to management servers via scripted transfer
Developer CI/CD pipelines that use curl or similar tools to upload build artifacts or test results to artifact repositories

Splunk

spl

// Branch 1: Scripting engines with collection + upload patterns (Sysmon Process Create)
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\python.exe" OR Image="*\\python3.exe"
   OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\cmd.exe")
| eval cmdl=lower(CommandLine)
| eval HasUpload=if(match(cmdl,"(uploadfile|uploaddata|uploadstring|start-bitstransfer|net\.ftpwebrequest|invoke-webrequest.*put|invoke-restmethod.*put)"),1,0)
| eval HasCollection=if(match(cmdl,"(get-childitem|\bgci\b|dir\s+/s|get-content|\[io\.file\]::|compress-archive|-recurse)"),1,0)
| eval HasTransferTool=if(match(cmdl,"(curl\s|wget\s|ftp\s-|\bsftp\s)"),1,0)
| eval SensitivePath=if(match(cmdl,"(\\\\documents\\\\|\\\\desktop\\\\|\\\\downloads\\\\|\\\\appdata\\\\|\\\\programdata\\\\|\\\\temp\\\\)"),1,0)
| eval ExfilScore=HasUpload + HasCollection + HasTransferTool + SensitivePath
| where ExfilScore >= 2
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, HasUpload, HasCollection, HasTransferTool, SensitivePath, ExfilScore
| eval Branch="scripting_engine"
| append [
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (Image="*\\curl.exe" OR Image="*\\wget.exe" OR Image="*\\certutil.exe" OR Image="*\\bitsadmin.exe"
     OR Image="*\\ftp.exe" OR Image="*\\sftp.exe" OR Image="*\\scp.exe")
  | eval cmdl=lower(CommandLine)
  | eval IsUpload=if(match(cmdl,"(-t\s|--upload-file|\-d\s@|--data-binary\s@|\bput\b|\bpost\b|/transfer|/upload|ftp://|sftp://|ftps://)"),1,0)
  | eval IsExternal=if(match(CommandLine,"(ftp|sftp|ftps|http|https)://") AND NOT match(CommandLine,"(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|127\.)"),1,0)
  | where IsUpload=1
  | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, IsUpload, IsExternal
  | eval Branch="transfer_tool"
]
| append [
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (Image="*\\7z.exe" OR Image="*\\7za.exe" OR Image="*\\rar.exe" OR Image="*\\winrar.exe" OR Image="*\\tar.exe")
  | eval cmdl=lower(CommandLine)
  | eval HasSensitiveSrc=if(match(cmdl,"(\\\\documents|\\\\desktop|\\\\users|\\\\programdata|\\\\appdata)"),1,0)
  | where HasSensitiveSrc=1
  | eval ArchiveTime=_time
  | eval ArchiveHost=host
  | join type=inner host [
      search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
        NOT (DestinationIp="10.*" OR DestinationIp="192.168.*" OR DestinationIp="172.16.*" OR DestinationIp="127.*")
      | eval NetTime=_time
      | table host, NetTime, DestinationIp, DestinationPort, Image
    ]
  | where (NetTime - ArchiveTime) >= 0 AND (NetTime - ArchiveTime) <= 300
  | table ArchiveTime, host, User, Image, CommandLine, DestinationIp, DestinationPort
  | eval Branch="archive_then_network"
]
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Network Traffic: Network Connection Creation Sysmon Event ID 1 Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Backup software agents (Veeam, Acronis) that compress user directories and transfer archives to remote storage servers
Cloud storage sync clients (OneDrive, Dropbox, Box) that continuously monitor and upload modified files from user profile paths
Log shippers and monitoring agents (Splunk Universal Forwarder, Elastic Agent) running on schedule to collect and push log files
Developer tooling (Git LFS, artifact upload scripts) pushing build outputs to external repositories or package registries
Managed file transfer solutions (IBM Sterling, GoAnywhere) performing scheduled compliance-required data transfers

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [process where event.type == "start" and
   process.name in~ ("7z.exe", "7za.exe", "winrar.exe", "rar.exe", "tar.exe", "zip.exe") and
   (
     process.args like~ "*\\Documents\\*" or
     process.args like~ "*\\Desktop\\*" or
     process.args like~ "*\\Users\\*" or
     process.args like~ "*\\AppData\\*" or
     process.args like~ "*\\ProgramData\\*"
   )
  ]
  [network where event.type == "connection" and
   not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8") and
   network.direction == "egress"
  ]

/* Branch 2: Scripting engines with upload or recursive collection patterns */
until [process where event.type == "end"]

/* Standalone scripting engine detection */
any where event.category == "process" and event.type == "start" and
  process.name in~ ("powershell.exe", "pwsh.exe", "python.exe", "python3.exe", "wscript.exe", "cscript.exe", "cmd.exe") and
  (
    (
      process.args like~ "*UploadFile*" or
      process.args like~ "*UploadData*" or
      process.args like~ "*Start-BitsTransfer*" or
      process.args like~ "*Net.FtpWebRequest*" or
      process.args like~ "*Invoke-WebRequest*"
    ) or
    (
      (process.args like~ "*Get-ChildItem*" or process.args like~ "*dir /s*" or process.args like~ "*Compress-Archive*") and
      (process.args like~ "*curl *" or process.args like~ "*wget *" or process.args like~ "*ftp -*")
    )
  )

high severity high confidence

Data Sources

Endpoint (Elastic Agent with Endpoint integration) Windows Sysmon via Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-*

False Positives

Legitimate backup software (Veeam, Acronis) that archives directories and uploads to cloud storage on a schedule
Developer tooling such as CI/CD pipelines that zip build artifacts and upload them to S3 or Azure Blob via curl/sftp
IT administrators using BITS transfers or robocopy with FTP for routine file distribution to external partners

IBM QRadar (AQL)

sql

/* Branch 1: Scripting engines with exfil-relevant command patterns */
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process,
  CASE
    WHEN LOWER("Command") ILIKE '%uploadfile%' OR LOWER("Command") ILIKE '%uploaddata%' OR LOWER("Command") ILIKE '%start-bitstransfer%' THEN 1
    ELSE 0
  END AS has_upload,
  CASE
    WHEN LOWER("Command") ILIKE '%get-childitem%' OR LOWER("Command") ILIKE '%compress-archive%' OR LOWER("Command") ILIKE '%dir /s%' THEN 1
    ELSE 0
  END AS has_collection,
  CASE
    WHEN LOWER("Command") ILIKE '%curl %' OR LOWER("Command") ILIKE '%wget %' OR LOWER("Command") ILIKE '%ftp -%' THEN 1
    ELSE 0
  END AS has_transfer_tool
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 260, 352)
  AND (QIDNAME(qid) = 'Process Launch' OR "EventID" IN ('1', '4688'))
  AND (
    LOWER("Process Name") ILIKE '%powershell.exe%'
    OR LOWER("Process Name") ILIKE '%pwsh.exe%'
    OR LOWER("Process Name") ILIKE '%python.exe%'
    OR LOWER("Process Name") ILIKE '%wscript.exe%'
    OR LOWER("Process Name") ILIKE '%cscript.exe%'
    OR LOWER("Process Name") ILIKE '%cmd.exe%'
  )
  AND (
    (
      LOWER("Command") ILIKE '%uploadfile%'
      OR LOWER("Command") ILIKE '%uploaddata%'
      OR LOWER("Command") ILIKE '%start-bitstransfer%'
      OR LOWER("Command") ILIKE '%net.ftpwebrequest%'
    )
    OR (
      (
        LOWER("Command") ILIKE '%get-childitem%'
        OR LOWER("Command") ILIKE '%compress-archive%'
        OR LOWER("Command") ILIKE '%dir /s%'
      )
      AND (
        LOWER("Command") ILIKE '%curl %'
        OR LOWER("Command") ILIKE '%wget %'
        OR LOWER("Command") ILIKE '%ftp -%'
      )
    )
  )
  AND STARTTIME > NOW() - 86400000

UNION ALL

/* Branch 2: Transfer tools uploading to external destinations */
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process,
  0 AS has_upload,
  0 AS has_collection,
  1 AS has_transfer_tool
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 260, 352)
  AND (QIDNAME(qid) = 'Process Launch' OR "EventID" IN ('1', '4688'))
  AND (
    LOWER("Process Name") ILIKE '%curl.exe%'
    OR LOWER("Process Name") ILIKE '%wget.exe%'
    OR LOWER("Process Name") ILIKE '%certutil.exe%'
    OR LOWER("Process Name") ILIKE '%bitsadmin.exe%'
    OR LOWER("Process Name") ILIKE '%ftp.exe%'
    OR LOWER("Process Name") ILIKE '%scp.exe%'
    OR LOWER("Process Name") ILIKE '%sftp.exe%'
  )
  AND (
    LOWER("Command") ILIKE '%-t %'
    OR LOWER("Command") ILIKE '%--upload-file%'
    OR LOWER("Command") ILIKE '%-d @%'
    OR LOWER("Command") ILIKE '%/upload%'
    OR LOWER("Command") ILIKE '%ftp://%'
    OR LOWER("Command") ILIKE '%sftp://%'
  )
  AND STARTTIME > NOW() - 86400000
ORDER BY event_time DESC

high severity medium confidence

Data Sources

QRadar Windows Security Event log source QRadar Sysmon log source (Microsoft Windows Sysmon) Microsoft Windows log source type

Required Tables

events

False Positives

Automated patch management systems (WSUS, SCCM) that use BitsAdmin to download and upload update packages
Security tools like Carbon Black or CrowdStrike that use PowerShell cmdlets internally for telemetry uploads
Legitimate DevOps workflows where Jenkins or TeamCity pipelines invoke curl or scp to deploy artifacts to remote servers

Sumo Logic CSE

sql

// Branch 1: Scripting engines with upload or collection+transfer patterns
_sourceCategory=*windows*sysmon* OR _sourceCategory=*wineventlog*
| where EventCode = 1 OR EventID = 1
| parse field=Image "*\\*" as image_dir, image_name
| where image_name in ("powershell.exe", "pwsh.exe", "python.exe", "python3.exe", "wscript.exe", "cscript.exe", "cmd.exe")
| eval cmdl = toLowerCase(CommandLine)
| eval HasUpload = if(matches(cmdl, "(uploadfile|uploaddata|uploadstring|start-bitstransfer|net\.ftpwebrequest|invoke-webrequest)"), 1, 0)
| eval HasCollection = if(matches(cmdl, "(get-childitem|\bgci\b|dir\s/s|compress-archive|\[io\.file\]::|\-recurse)"), 1, 0)
| eval HasTransferTool = if(matches(cmdl, "(curl\s|wget\s|ftp\s-|\bsftp\s)"), 1, 0)
| eval SensitivePath = if(matches(cmdl, "(\\\\documents\\\\|\\\\desktop\\\\|\\\\appdata\\\\|\\\\programdata\\\\|\\\\temp\\\\)"), 1, 0)
| eval ExfilScore = HasUpload + HasCollection + HasTransferTool + SensitivePath
| where ExfilScore >= 2
| fields _messageTime, Computer, User, image_name, CommandLine, ParentImage, ParentCommandLine, HasUpload, HasCollection, HasTransferTool, SensitivePath, ExfilScore
| concat("scripting_engine") as Branch

// Branch 2: Transfer tools with upload-type arguments
| union [
  _sourceCategory=*windows*sysmon*
  | where EventCode = 1
  | parse field=Image "*\\*" as img_dir, img_name
  | where img_name in ("curl.exe", "wget.exe", "certutil.exe", "bitsadmin.exe", "ftp.exe", "sftp.exe", "scp.exe")
  | eval cmdl = toLowerCase(CommandLine)
  | eval IsUpload = if(matches(cmdl, "(-t\s|--upload-file|-d\s@|--data-binary\s@|/upload|/transfer|ftp://|sftp://|ftps://)"), 1, 0)
  | eval IsExternal = if(matches(CommandLine, "(ftp|sftp|http|https)://") and !matches(CommandLine, "(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)"), 1, 0)
  | where IsUpload = 1
  | fields _messageTime, Computer, User, img_name, CommandLine, ParentImage, IsUpload, IsExternal
  | concat("transfer_tool") as Branch
]

// Branch 3: Archive + network correlation
| union [
  _sourceCategory=*windows*sysmon*
  | where EventCode = 1
  | parse field=Image "*\\*" as arch_dir, arch_name
  | where arch_name in ("7z.exe", "7za.exe", "rar.exe", "winrar.exe", "tar.exe", "zip.exe")
  | eval cmdl = toLowerCase(CommandLine)
  | eval HasSensitiveSrc = if(matches(cmdl, "(\\\\documents|\\\\desktop|\\\\users|\\\\appdata|\\\\programdata)"), 1, 0)
  | where HasSensitiveSrc = 1
  | eval ArchiveTime = _messageTime
  | timeslice 5m
  | fields Computer, User, arch_name, CommandLine, ArchiveTime, _timeslice
  | join Computer [
    _sourceCategory=*windows*sysmon*
    | where EventCode = 3
    | where !matches(DestinationIp, "^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)") 
    | fields Computer, DestinationIp, DestinationPort, _messageTime
  ]
  | where abs(_messageTime - ArchiveTime) <= 300
  | fields ArchiveTime, Computer, User, arch_name, CommandLine, DestinationIp, DestinationPort
  | concat("archive_then_network") as Branch
]
| sort by _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Windows Sysmon source Windows Event Log source via Sumo Logic Installed Collector

Required Tables

Sysmon EventCode 1 (Process Create) Sysmon EventCode 3 (Network Connect)

False Positives

Automated cloud sync clients (OneDrive, Dropbox) that use PowerShell SDK calls to upload files from Documents or AppData directories
Security operations tooling (Tanium, BigFix) running scripted collections that zip diagnostic data and transmit to management infrastructure
Database backup jobs using Python scripts to archive and FTP database dumps to off-site storage per retention policy

Google Chronicle / SecOps

yaral

rule T1020_AutomatedExfiltration_ScriptingEngine {
  meta:
    author = "Detection Engineering"
    description = "Detects scripting engines performing automated file collection and exfiltration via upload APIs or transfer tools"
    mitre_attack_tactic = "Exfiltration"
    mitre_attack_technique = "T1020"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /(?i)(powershell\.exe|pwsh\.exe|python\.exe|python3\.exe|wscript\.exe|cscript\.exe|cmd\.exe)$/
    (
      re.regex($e.target.process.command_line, `(?i)(UploadFile|UploadData|UploadString|Start-BitsTransfer|Net\.FtpWebRequest|Invoke-WebRequest)`) or
      (
        re.regex($e.target.process.command_line, `(?i)(Get-ChildItem|Compress-Archive|dir\s/s|\[IO\.File\]::)`) and
        re.regex($e.target.process.command_line, `(?i)(curl\s|wget\s|ftp\s-|\ssftp\s)`)
      ) or
      (
        re.regex($e.target.process.command_line, `(?i)(Get-ChildItem|Compress-Archive|dir\s/s)`) and
        re.regex($e.target.process.command_line, `(?i)(\\Documents\\|\\Desktop\\|\\AppData\\|\\ProgramData\\)`)
      )
    )

  condition:
    $e
}

rule T1020_AutomatedExfiltration_TransferTool {
  meta:
    author = "Detection Engineering"
    description = "Detects known transfer utilities executing upload commands to external destinations — automated exfiltration indicator"
    mitre_attack_tactic = "Exfiltration"
    mitre_attack_technique = "T1020"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path = /(?i)(curl\.exe|wget\.exe|certutil\.exe|bitsadmin\.exe|ftp\.exe|sftp\.exe|scp\.exe)$/
    re.regex($e.target.process.command_line, `(?i)(-T\s|--upload-file|-d\s@|--data-binary\s@|/upload|/transfer|ftp://|sftp://|ftps://)`)
    not re.regex($e.target.process.command_line, `(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)`)

  condition:
    $e
}

rule T1020_AutomatedExfiltration_ArchiveThenNetwork {
  meta:
    author = "Detection Engineering"
    description = "Detects archive creation from sensitive paths followed within 5 minutes by external network connection from same host"
    mitre_attack_tactic = "Exfiltration"
    mitre_attack_technique = "T1020"
    severity = "CRITICAL"
    confidence = "MEDIUM"
    version = "1.0"

  events:
    $archive.metadata.event_type = "PROCESS_LAUNCH"
    $archive.target.process.file.full_path = /(?i)(7z\.exe|7za\.exe|winrar\.exe|rar\.exe|zip\.exe|tar\.exe)$/
    re.regex($archive.target.process.command_line, `(?i)(\\Documents|\\Desktop|\\Users|\\AppData|\\ProgramData|\\temp)`)
    $archive.principal.hostname = $host

    $net.metadata.event_type = "NETWORK_CONNECTION"
    $net.principal.hostname = $host
    not re.regex($net.target.ip, `^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)`)
    $net.metadata.event_timestamp.seconds > $archive.metadata.event_timestamp.seconds
    $net.metadata.event_timestamp.seconds < ($archive.metadata.event_timestamp.seconds + 300)

  condition:
    $archive and $net
}

high severity high confidence

Data Sources

Chronicle UDM events from Windows endpoints (Sysmon, MDE, Carbon Black) Chronicle network telemetry (NDR, firewall, proxy feeds)

Required Tables

UDM PROCESS_LAUNCH events UDM NETWORK_CONNECTION events

False Positives

Enterprise backup agents (Commvault, Veeam) that regularly compress user data directories and transmit to backup servers via FTP or SFTP
Software development workflows where automated test frameworks collect diagnostic archives from test machines and upload results to build servers
Log aggregation pipelines that use Python or PowerShell to bundle and ship log archives to external SIEM or analytics platforms

CrowdStrike LogScale (CQL)

cql

// Branch 1: Scripting engines with upload or collection+transfer command patterns
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(powershell\.exe|pwsh\.exe|python\.exe|python3\.exe|wscript\.exe|cscript\.exe|cmd\.exe)$/
| CommandLine = /(?i)(UploadFile|UploadData|UploadString|Start-BitsTransfer|Net\.FtpWebRequest|Invoke-WebRequest|Invoke-RestMethod)/
  OR (CommandLine = /(?i)(Get-ChildItem|Compress-Archive|dir\s\/s|\[IO\.File\]::)/ AND CommandLine = /(?i)(curl\s|wget\s|ftp\s-|\ssftp\s)/)
  OR (CommandLine = /(?i)(Get-ChildItem|Compress-Archive)/ AND CommandLine = /(?i)(\\Documents\\|\\Desktop\\|\\AppData\\|\\ProgramData\\|\\temp\\)/)
| eval HasUpload = if(CommandLine = /(?i)(UploadFile|UploadData|Start-BitsTransfer|Net\.FtpWebRequest)/, "true", "false")
| eval HasCollection = if(CommandLine = /(?i)(Get-ChildItem|Compress-Archive|dir\s\/s)/, "true", "false")
| eval HasTransferTool = if(CommandLine = /(?i)(curl\s|wget\s|ftp\s-)/, "true", "false")
| eval SensitivePath = if(CommandLine = /(?i)(\\Documents|\\Desktop|\\AppData|\\ProgramData|\\temp)/, "true", "false")
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentImageFileName, ParentCommandLine, HasUpload, HasCollection, HasTransferTool, SensitivePath])
| sort(timestamp, order=desc)

// Branch 2: Transfer utilities executing upload commands to external targets
| union {
  #event_simpleName=ProcessRollup2
  | ImageFileName = /(?i)(curl\.exe|wget\.exe|certutil\.exe|bitsadmin\.exe|ftp\.exe|sftp\.exe|scp\.exe)$/
  | CommandLine = /(?i)(-T\s|--upload-file|-d\s@|--data-binary\s@|\/upload|\/transfer|ftp:\/\/|sftp:\/\/|ftps:\/\/)/
  | CommandLine != /(?i)(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)/
  | eval IsExternal = "true"
  | table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentImageFileName, IsExternal])
  | sort(timestamp, order=desc)
}

// Branch 3: Archive tools on sensitive paths correlated with external network connections
| union {
  #event_simpleName=ProcessRollup2
  | ImageFileName = /(?i)(7z\.exe|7za\.exe|winrar\.exe|rar\.exe|zip\.exe|tar\.exe)$/
  | CommandLine = /(?i)(\\Documents|\\Desktop|\\Users|\\AppData|\\ProgramData)/
  | ArchiveComputerName := ComputerName
  | ArchiveTime := timestamp
  | join({
      #event_simpleName=NetworkConnectIP4
      | RemoteAddressPrefix != /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)/
      | NetComputerName := ComputerName
      | NetTime := timestamp
    }, field=[ArchiveComputerName, NetComputerName], mode=inner)
  | TimeDelta := NetTime - ArchiveTime
  | TimeDelta >= 0
  | TimeDelta <= 300000
  | table([ArchiveTime, ComputerName, UserName, ImageFileName, CommandLine, RemoteAddress, RemotePort, TimeDelta])
  | sort(ArchiveTime, order=desc)
}

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint sensor (ProcessRollup2) CrowdStrike Falcon network telemetry (NetworkConnectIP4)

Required Tables

ProcessRollup2 NetworkConnectIP4

False Positives

Managed endpoint backup clients that periodically archive user profile directories (Documents, AppData) and transmit compressed archives to cloud backup infrastructure
Software deployment pipelines where Python or PowerShell automation packages application builds from staging directories and uploads them via curl or SFTP to artifact repositories
IT monitoring agents that collect diagnostic bundles using certutil or PowerShell and upload them to vendor support portals on a scheduled basis

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1020 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Automated Exfiltration

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (1)

Same Tactic: Exfiltration

Popular Detections