Description
Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.
When scheduled exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over C2 Channel or Exfiltration Over Alternative Protocol.
Platforms
Mitigations (1)
M1031 Network Intrusion Prevention
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be di
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G0126 | Higaisa | [Higaisa](https://attack.mitre.org/groups/G0126) sent the victim computer identifier in a User-Agent string back to the C2 server every 10 minutes.(Ci... |
Associated Software (17)
| ID | Name | Type | Context |
|---|---|---|---|
| S0283 | jRAT | Malware | [jRAT](https://attack.mitre.org/software/S0283) can be configured to reconnect at certain intervals.(Citation: Kaspersky Adwind Feb 2016) |
| S0696 | Flagpro | Malware | [Flagpro](https://attack.mitre.org/software/S0696) has the ability to wait for a specified time interval between communicating with and executing comm... |
| S1019 | Shark | Malware | [Shark](https://attack.mitre.org/software/S1019) can pause C2 communications for a specified time.(Citation: ClearSky Siamesekitten August 2021) |
| S0395 | LightNeuron | Malware | [LightNeuron](https://attack.mitre.org/software/S0395) can be configured to exfiltrate data during nighttime or working hours.(Citation: ESET LightNeu... |
| S0223 | POWERSTATS | Malware | [POWERSTATS](https://attack.mitre.org/software/S0223) can sleep for a given number of seconds.(Citation: FireEye MuddyWater Mar 2018) |
| S0200 | Dipsind | Malware | [Dipsind](https://attack.mitre.org/software/S0200) can be configured to only run during normal working hours, which would make its communications hard... |
| S0126 | ComRAT | Malware | [ComRAT](https://attack.mitre.org/software/S0126) has been programmed to sleep outside local business hours (9 to 5, Monday to Friday).(Citation: ESET... |
| S0045 | ADVSTORESHELL | Malware | [ADVSTORESHELL](https://attack.mitre.org/software/S0045) collects, compresses, encrypts, and exfiltrates data to the C2 server every 10 minutes.(Citat... |
| S0211 | Linfo | Malware | [Linfo](https://attack.mitre.org/software/S0211) creates a backdoor through which remote attackers can change the frequency at which compromised hosts... |
| S1100 | Ninja | Malware | [Ninja](https://attack.mitre.org/software/S1100) can configure its agent to work only in specific time frames.(Citation: Kaspersky ToddyCat June 2022) |
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154) can set its Beacon payload to reach out to the C2 server on an arbitrary and random interval.... |
| S0444 | ShimRat | Malware | [ShimRat](https://attack.mitre.org/software/S0444) can sleep when instructed to do so by the C2.(Citation: FOX-IT May 2016 Mofang) |
| S0409 | Machete | Malware | [Machete](https://attack.mitre.org/software/S0409) sends stolen data to the C2 server every 10 minutes.(Citation: ESET Machete July 2019) |
| S0596 | ShadowPad | Malware | [ShadowPad](https://attack.mitre.org/software/S0596) has sent data back to C2 every 8 hours.(Citation: Securelist ShadowPad Aug 2017) |
| S0668 | TinyTurla | Malware | [TinyTurla](https://attack.mitre.org/software/S0668) contacts its C2 based on a scheduled timing set in its configuration.(Citation: Talos TinyTurla S... |
| S0667 | Chrommme | Malware | [Chrommme](https://attack.mitre.org/software/S0667) can set itself to sleep before requesting a new command from C2.(Citation: ESET Gelsemium June 202... |
| S0265 | Kazuar | Malware | [Kazuar](https://attack.mitre.org/software/S0265) can sleep for a specific time and be set to communicate at specific intervals.(Citation: Unit 42 Kaz... |
Frequently Asked Questions
What is T1029 (Scheduled Transfer)?
T1029 is a MITRE ATT&CK technique named 'Scheduled Transfer'. It belongs to the Exfiltration tactic(s). Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability. Whe...
How can T1029 be detected?
Detection of T1029 (Scheduled Transfer) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
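One concrete form of the behavioral analytics mentioned above is periodicity detection: scheduled transfers such as the 10-minute and 8-hour cadences in the software table leave connection intervals with very low jitter. The script below is an added example (not code from MITRE or from this page) that groups connection-log entries by source/destination pair and flags pairs whose inter-arrival times are regular enough to look scheduled. The log format, the addresses, the timings, and the thresholds `min_events` and `max_cv` are all constructed assumptions for the example; real flow logs (NetFlow, Zeek conn.log, proxy logs) would need their own parser in `parse_log`.

```python
"""Periodicity detector for scheduled transfers (added example, not MITRE's code)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample connection log: "<timestamp> <src> <dst> <bytes_out>".
# Addresses and timings are made up for this example: 10.0.0.5 talks to
# 203.0.113.10 every ~10 minutes; 10.0.0.7 browses 198.51.100.20 irregularly.
SAMPLE_LOG = """\
2024-03-04T09:00:00 10.0.0.5 203.0.113.10 51200
2024-03-04T09:01:00 10.0.0.7 198.51.100.20 1400
2024-03-04T09:01:07 10.0.0.7 198.51.100.20 3100
2024-03-04T09:04:30 10.0.0.7 198.51.100.20 900
2024-03-04T09:10:02 10.0.0.5 203.0.113.10 49800
2024-03-04T09:19:59 10.0.0.5 203.0.113.10 50100
2024-03-04T09:22:11 10.0.0.7 198.51.100.20 27000
2024-03-04T09:23:00 10.0.0.7 198.51.100.20 1200
2024-03-04T09:30:01 10.0.0.5 203.0.113.10 52300
2024-03-04T09:40:00 10.0.0.5 203.0.113.10 48900
2024-03-04T09:50:03 10.0.0.5 203.0.113.10 50600
2024-03-04T09:59:40 10.0.0.7 198.51.100.20 600
"""


def parse_log(text):
    """Group (timestamp, bytes_out) by (src, dst); malformed lines are skipped."""
    flows = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, nbytes = parts
        try:
            flows[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
        except ValueError:
            continue
    for events in flows.values():
        events.sort()  # chronological order is required for interval math
    return flows


def interval_stats(events):
    """Return (mean interval in seconds, coefficient of variation, total bytes out)."""
    times = [t for t, _ in events]
    deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(deltas)
    # Coefficient of variation: stdev relative to the mean. Near 0 means the
    # connections fire on a fixed schedule; human-driven traffic is much noisier.
    cv = pstdev(deltas) / avg if avg > 0 else float("inf")
    return avg, cv, sum(n for _, n in events)


def find_periodic_flows(text, min_events=5, max_cv=0.1):
    """Flag (src, dst) pairs whose connection intervals are regular enough to
    look scheduled. min_events and max_cv are tunable assumptions, not
    values taken from the technique page."""
    hits = {}
    for pair, events in parse_log(text).items():
        if len(events) < min_events:
            continue
        avg, cv, total = interval_stats(events)
        if cv <= max_cv:
            hits[pair] = {
                "count": len(events),
                "mean_interval_s": round(avg, 1),
                "interval_cv": round(cv, 4),
                "bytes_out": total,
            }
    return hits


if __name__ == "__main__":
    for (src, dst), info in find_periodic_flows(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {info}")
```

Run as a script it reports only the 10.0.0.5 pair, with a mean interval of about 600 seconds and roughly 300 KB sent outbound. In practice the thresholds need tuning per environment, since legitimate software (update checks, monitoring agents) also beacons on fixed schedules; the value of the check is in surfacing regular outbound transfers to destinations that are not already known, so an allowlist of expected periodic destinations belongs in front of the alert.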
What mitigations exist for T1029?
There is 1 documented mitigation for T1029: Network Intrusion Prevention.
Which threat groups use T1029?
Known threat groups using T1029 include: Higaisa.