Scheduled Transfer

Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.

When scheduled exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over C2 Channel or Exfiltration Over Alternative Protocol.

ID: T1029
Sub-techniques:  No sub-techniques
Tactic: Exfiltration
Platforms: Linux, Windows, macOS
Version: 1.1
Created: 31 May 2017
Last Modified: 28 March 2020

Procedure Examples

ID Name Description
S0045 ADVSTORESHELL

ADVSTORESHELL collects, compresses, encrypts, and exfiltrates data to the C2 server every 10 minutes.[1]

S0667 Chrommme

Chrommme can set itself to sleep before requesting a new command from C2.[2]

S0154 Cobalt Strike

Cobalt Strike can set its Beacon payload to reach out to the C2 server on an arbitrary and random interval.[3]

S0126 ComRAT

ComRAT has been programmed to sleep outside local business hours (9 to 5, Monday to Friday).[4]

S0200 Dipsind

Dipsind can be configured to only run during normal working hours, which would make its communications harder to distinguish from normal traffic.[5]

S0696 Flagpro

Flagpro has the ability to wait for a specified time interval between communicating with and executing commands from C2.[6]

G0126 Higaisa

Higaisa sent the victim computer identifier in a User-Agent string back to the C2 server every 10 minutes.[7]

S0283 jRAT

jRAT can be configured to reconnect at certain intervals.[8]

S0265 Kazuar

Kazuar can sleep for a specific time and be set to communicate at specific intervals.[9]

S0395 LightNeuron

LightNeuron can be configured to exfiltrate data during nighttime or working hours.[10]

S0211 Linfo

Linfo creates a backdoor through which remote attackers can change the frequency at which compromised hosts contact remote C2 infrastructure.[11]

S0409 Machete

Machete sends stolen data to the C2 server every 10 minutes.[12]

S0223 POWERSTATS

POWERSTATS can sleep for a given number of seconds.[13]

S0596 ShadowPad

ShadowPad has sent data back to C2 every 8 hours.[14]

S1019 Shark

Shark can pause C2 communications for a specified time.[15]

S0444 ShimRat

ShimRat can sleep when instructed to do so by the C2.[16]

S0668 TinyTurla

TinyTurla contacts its C2 based on a scheduled timing set in its configuration.[17]

Mitigations

ID Mitigation Description
M1031 Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection by common defensive tools. [18]

Detection

ID Data Source Data Component Detects
DS0029 Network Traffic Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

Network Traffic Flow

Monitor for network traffic originating from unknown/unexpected hardware devices. Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware.

References