T1020 Microsoft Sentinel · KQL

Detect Automated Exfiltration in Microsoft Sentinel

Adversaries may exfiltrate data through the use of automated processing after being gathered during collection. Automated exfiltration commonly involves scripted or programmatic transfer of collected files to attacker-controlled infrastructure on a schedule or triggered basis. This technique is frequently combined with T1041 (Exfiltration Over C2 Channel) or T1048 (Exfiltration Over Alternative Protocol) to move data out of the network. Real-world examples include StrongPity automatically uploading collected documents, Rover scanning local drives on a 60-minute cycle, Raccoon Stealer acting on received configuration files, and Ke3chang performing frequent scheduled exfiltration from compromised networks.

MITRE ATT&CK

Tactic
Exfiltration
Technique
T1020 Automated Exfiltration
Canonical reference
https://attack.mitre.org/techniques/T1020/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
// Branch 1: Scripting engines performing bulk file enumeration followed by network activity
let ExfilProcesses = dynamic(["powershell.exe", "pwsh.exe", "python.exe", "python3.exe", "wscript.exe", "cscript.exe", "cmd.exe"]);
let TransferTools = dynamic(["curl.exe", "wget.exe", "certutil.exe", "bitsadmin.exe", "ftp.exe", "sftp.exe", "scp.exe", "robocopy.exe"]);
let ArchiveTools = dynamic(["7z.exe", "7za.exe", "winrar.exe", "rar.exe", "zip.exe", "tar.exe"]);
let SensitivePaths = dynamic(["\\Documents\\", "\\Desktop\\", "\\Downloads\\", "\\AppData\\", "\\Users\\", "\\ProgramData\\", "\\temp\\", "\\tmp\\"]);
// Detect scripting engines with exfil-relevant command patterns
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (ExfilProcesses)
| where ProcessCommandLine has_any ([
    // PowerShell upload/transfer patterns
    "UploadFile", "UploadData", "UploadString",
    "Invoke-WebRequest", "Invoke-RestMethod",
    "Net.WebClient", "Net.FtpWebRequest",
    "Start-BitsTransfer",
    // Recursive file collection patterns
    "Get-ChildItem", "gci ", "ls -r", "dir /s",
    "Get-Content", "[IO.File]::",
    // Archive creation
    "Compress-Archive", "-CompressionLevel",
    // Curl/wget in scripts
    "curl ", "wget ",
    // FTP commands in scripts
    "ftp -", "sftp "
  ])
| extend HasUpload = ProcessCommandLine has_any (["UploadFile", "UploadData", "UploadString", "Start-BitsTransfer", "Net.FtpWebRequest"])
| extend HasCollection = ProcessCommandLine has_any (["Get-ChildItem", "gci ", "dir /s", "Get-Content", "[IO.File]::", "Compress-Archive"])
| extend HasTransferTool = ProcessCommandLine has_any (["curl ", "wget ", "ftp -", "sftp "])
| extend SensitivePath = ProcessCommandLine has_any (SensitivePaths)
| where HasUpload or (HasCollection and HasTransferTool) or (HasCollection and SensitivePath)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         HasUpload, HasCollection, HasTransferTool, SensitivePath
| sort by Timestamp desc
| union (
// Branch 2: Known transfer tools spawned shortly after archive creation or file collection
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (TransferTools)
| where ProcessCommandLine has_any ([
    // Upload/POST indicators
    "-T ", "--upload-file", "-d @", "--data-binary @",
    "PUT ", "POST ",
    "ftp://", "sftp://", "ftps://",
    // Certutil exfil
    "-urlcache", "-encode", "-decode",
    // BitsAdmin upload
    "/transfer", "/upload",
    // SCP/SFTP file push
    "scp ", "-r "
  ])
| extend IsExternalDest = ProcessCommandLine matches regex @"(ftp|sftp|ftps|http|https)://(?!10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, IsExternalDest
| sort by Timestamp desc
)
| union (
// Branch 3: Archive tools creating archives in temp/staging paths — common exfil prep
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (ArchiveTools)
| where ProcessCommandLine has_any (SensitivePaths)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(24h)
    | where RemoteIPType == "Public"
    | project NetTimestamp=Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName
  ) on DeviceName
| where NetTimestamp between (Timestamp .. (Timestamp + 5m))
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, RemoteIP, RemotePort
| sort by Timestamp desc
)
high severity medium confidence

Detects automated exfiltration patterns across three branches: (1) scripting engines (PowerShell, Python, cmd) executing file collection combined with upload or transfer functions, (2) known file transfer tools (curl, certutil, bitsadmin, ftp) used with upload/PUT/POST flags targeting external destinations, and (3) archive tools (7-Zip, WinRAR, tar) compressing sensitive paths followed within 5 minutes by outbound network connections to public IPs. Uses real MDE/Defender table names: DeviceProcessEvents and DeviceNetworkEvents.

Data Sources

Process: Process CreationCommand: Command ExecutionNetwork Traffic: Network Connection CreationMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEventsDeviceNetworkEvents

False Positives & Tuning

  • Backup software agents (Veeam, Acronis, Windows Server Backup) running scheduled backup jobs that compress and transfer files to remote storage
  • Cloud sync clients (OneDrive sync engine, Dropbox, Google Drive File Stream) automatically uploading files in monitored user directories
  • Log and telemetry collection agents (Splunk Universal Forwarder, Filebeat, NXLog) that regularly collect and ship log files to SIEM infrastructure
  • IT automation tools (Ansible, SCCM) that push collected inventory or configuration data back to management servers via scripted transfer
  • Developer CI/CD pipelines that use curl or similar tools to upload build artifacts or test results to artifact repositories
Download portable Sigma rule (.yml)

Other platforms for T1020

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PowerShell Automated File Upload via Net.WebClient

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ChildItem', '-Recurse', 'Net.WebClient', 'UploadFile'. Sysmon Event ID 3: Network Connection attempts to 127.0.0.1:8443. PowerShell ScriptBlock Log Event ID 4104 with full script including file collection loop.

  2. Test 2Scheduled Automated Exfiltration via BitsAdmin Upload

    Expected signal: Windows Security Event ID 4698 (A scheduled task was created) with task name 'WindowsTelemetryCollect' and action 'bitsadmin /transfer exfil /upload'. Sysmon Event ID 1 for schtasks.exe process creation. Microsoft-Windows-TaskScheduler/Operational Event ID 106 (task registered). When task fires: Sysmon Event ID 1 for bitsadmin.exe with /upload flag in CommandLine.

  3. Test 3Python Script Recursive Collection and Staged Archive Upload

    Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'zipfile', 'os.walk', 'Documents', 'urllib.request', 'POST'. Sysmon Event ID 11: File Create for collect_df00tech.zip in %TEMP% directory. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:8080. DeviceFileEvents (MDE) will show the archive creation.

  4. Test 4Curl-Based Automated File Exfiltration Loop (Linux/macOS)

    Expected signal: Linux auditd: execve syscall events for bash and curl with full argument arrays. Syslog: process execution records. If Sysmon for Linux deployed: Event ID 1 (Process Create) with CommandLine containing 'find', '-name', 'curl', '-X POST', '-F file=@'. Network: connection attempts from curl to 127.0.0.1:9090. File access events for each file POSTed.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1020 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (1)

Related Techniques

T1041Exfiltration Over C2 ChannelT1048Exfiltration Over Alternative ProtocolT1048.001Exfiltration Over Symmetric Encrypted Non-C2 ProtocolT1048.002Exfiltration Over Asymmetric Encrypted Non-C2 ProtocolT1029Scheduled TransferT1020.001Traffic DuplicationT1074Data StagedT1560Archive Collected DataT1005Data from Local SystemT1053.005Scheduled TaskT1567Exfiltration Over Web Service

Same Tactic: Exfiltration

Popular Detections