Skip to content

DET0397 Automated Exfiltration Detection Strategy

Item Value
ID DET0397
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1020 (Automated Exfiltration)

Analytics

Windows

AN1113

Detection of automated tools or scripts periodically transmitting data to external destinations using scheduled tasks or background processes.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Security EventCode=4688
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Mutable Elements
Field Description
TimeWindow Used to detect repeated exfil activity over intervals (e.g., every 5 minutes).
DestinationIP Can be tuned to filter known internal or trusted destinations.

Linux

AN1114

Background scripts (e.g., via cron) or daemons transmitting data repeatedly to remote IPs or URLs.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve
Network Connection Creation (DC0082) NSM:Flow Outbound Connections
Mutable Elements
Field Description
CronJobInterval Tunable time range for recurring tasks seen creating outbound connections.
UserContext Tunable for scope — service accounts vs user accounts.

macOS

AN1115

Observation of LaunchAgents or LaunchDaemons establishing periodic external connections indicative of automated data transfer.

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog process: exec
Network Connection Creation (DC0082) macos:unifiedlog network
Scheduled Job Creation (DC0001) macos:cron cron/launchd
Mutable Elements
Field Description
LaunchInterval Frequency of task recurrence linked to external communication.
DestinationPort Port number used for detection filtering.