Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0397: Automated Exfiltration Detection Strategy

Automated exfiltration detection matters because it focuses defenders on data leaving the organization after collection has already occurred. For executive...

EnterpriseDET0397Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Automated exfiltration detection matters because it focuses defenders on data leaving the organization after collection has already occurred. For executives and security leaders, the practical value is validating whether the SOC can recognize repeated or scripted outbound data movement before it becomes a larger business, legal, or operational incident. The ATT&CK object itself has sparse detail, but its relationship to Automated Exfiltration (T1020) makes this a data-loss and incident-response readiness concern across Linux, macOS, Windows, and network device environments where relevant.

Executive priority

Treat this as a control-validation topic for business-critical data protection and incident decision-making. Leaders should ask whether high-value data stores, endpoints, and network egress paths produce enough evidence to identify automated outbound transfer patterns, and whether incident responders have clear escalation criteria when suspected exfiltration is observed. This can support audit and compliance evidence by showing that monitoring is not limited to malware alerts, but also includes suspicious data movement behavior.

Technical view

The supplied detection strategy has no official detection text or platform list, so implementation should be anchored to its relationship with T1020 Automated Exfiltration under the exfiltration tactic. SOC and detection engineering teams should validate telemetry from systems and network paths that could show repeated, scheduled, scripted, or high-volume outbound transfers after collection activity. Because T1020 may involve other exfiltration techniques such as exfiltration over C2 channels or alternative protocols, detection logic should not depend on a single protocol or tool signature.

Likely telemetry

  • Network flow and proxy logs showing outbound volume, frequency, destination, and protocol patterns
  • Endpoint process execution and command/script activity associated with file transfer or automation
  • File access and staging indicators for sensitive documents prior to outbound movement
  • DNS and destination reputation/context for external endpoints receiving data
  • Authentication and host context to identify which user, device, or service account initiated transfer activity

Detection direction

  • Validate whether detections can distinguish normal backup, synchronization, software update, and business file-transfer activity from unusual automated outbound transfer patterns.
  • Tune analytics around baselines for data volume, transfer cadence, destination novelty, and source system sensitivity rather than relying only on known-bad indicators.
  • Correlate outbound transfer activity with prior collection or file-staging signals when available to improve confidence and reduce false positives.
  • Check for blind spots in encrypted traffic, unmanaged endpoints, network devices, direct-to-internet paths, and protocols not inspected by standard proxy controls.
  • Use the related T1020 context to ensure coverage is considered across Linux, macOS, Windows, and network device telemetry where those platforms exist in the environment.

Mitigation priorities

  • Prioritize visibility first: confirm logging for endpoint activity, sensitive data access, and outbound network movement is collected and retained for investigation.
  • Reduce unnecessary egress paths and enforce controlled outbound routes where practical so automated exfiltration has fewer unmonitored channels.
  • Apply least privilege and access governance around sensitive data repositories to limit what can be gathered before exfiltration.
  • Define incident-response playbooks for suspected automated exfiltration, including containment, legal/compliance notification decision points, and evidence preservation.
  • Use detection validation exercises to prove that expected telemetry and escalation workflows work in the local environment.
Analyst notes and limits

This take is based on DET0397 and its stated relationship detecting T1020 Automated Exfiltration. The detection strategy object does not provide official descriptive or detection guidance, so the recommended direction is intentionally framed as validation questions and telemetry priorities rather than a specific analytic rule.

ATT&CK fields supplied for DET0397 do not specify platforms, tactics, labels, aliases, official description, or official detection content. Platform and tactic context comes only from the related T1020 technique. Local architecture, data classification, egress design, and logging coverage are required to determine actual detection feasibility.

Official MITRE ATT&CK definition

Automated Exfiltration Detection Strategy

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1020 Automated Exfiltration This object detects Automated Exfiltration.
Relationship explorer

All related ATT&CK context

detects · Technique T1020: Automated Exfiltration Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
dd8ab23d487c44bc...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle dd8ab23d487c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0397
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use