title: Automated Exfiltration (T1020)
id: df00tech-t1020
status: experimental
description: "Adversaries may exfiltrate data through the use of automated processing after it has been gathered during collection. Automated exfiltration commonly involves the scripted or programmatic transfer of collected files to attacker-controlled infrastructure, either on a schedule or when triggered by an event. This technique is frequently combined with T1041 (Exfiltration Over C2 Channel) or T1048 (Exfiltration Over Alternative Protocol) to move data out of the network. Real-world examples include StrongPity automatically uploading collected documents, Rover scanning local drives on a 60-minute cycle, Raccoon Stealer acting on received configuration files, and Ke3chang performing frequent scheduled exfiltration from compromised networks."
references:
  - https://attack.mitre.org/techniques/T1020/
  - https://df00tech.com/detections/T1020
author: df00tech
date: 2026/04/13
tags:
  - attack.t1020
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder: this selection matches every process_creation event. The real
  # detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Backup software agents (Veeam, Acronis, Windows Server Backup) running scheduled backup jobs that compress and transfer files to remote storage"
  - "Cloud sync clients (OneDrive sync engine, Dropbox, Google Drive File Stream) automatically uploading files in monitored user directories"
  - "Log and telemetry collection agents (Splunk Universal Forwarder, Filebeat, NXLog) that regularly collect and ship log files to SIEM infrastructure"
  - "IT automation tools (Ansible, SCCM) that push collected inventory or configuration data back to management servers via scripted transfer"
  - "Developer CI/CD pipelines that use curl or similar tools to upload build artifacts or test results to artifact repositories"
level: high
