Keypoints
- Adversaries schedule data transfers to match normal traffic patterns and reduce detection risk.
- Scheduled exfiltration often uses existing tools or scripts to automate periodic transfers.
- It is commonly combined with Exfiltration Over C2 Channel or Exfiltration Over Alternative Protocol; scheduling governs when the data moves, not the channel it moves over.
- Monitoring time-based connection patterns reveals recurring suspicious activity.
- Correlation of file access and outbound connections helps identify scheduled leaks.
Description:
- Think of scheduled transfer like a thief who only breaks in during the town's busy market hours so their actions blend with the crowd and go unnoticed.
- Adversaries configure automated tasks or cron-like schedules to move data only at set times of day or at fixed intervals. Aligning transfers with business hours, backup windows, or regular software update traffic lets repeated exfiltration blend with normal activity and evade detections that only fire on sudden volume spikes or off-hours connections.
Detection:
- Use endpoint telemetry and EDR tools to monitor file access and process timelines for periodic read patterns that are followed shortly afterwards by outbound connections.
- Inspect network connection creation logs and flow data for repeated connections to the same external IP/host at consistent times of day across multiple days; normalize timestamps to a single time zone before comparing time of day, and treat a narrow clock window recurring on several distinct dates as more suspicious than the same count of connections scattered through the day.
- Use scheduled task and cron job inventories to identify unknown or modified recurring jobs; compare to known baselines and change-management records.
- Alert on scripts, unrecognized binaries, or system utilities that traverse many files and then initiate outbound traffic; validate with process lineage analysis.
- Leverage IDS/IPS and proxy logs to spot exfiltration over uncommon protocols or ports used on a schedule; tune signatures to reduce false positives.
- Correlate DNS request patterns and certificate usage for recurring lookups or TLS handshakes tied to scheduled transfer windows.
- Apply time-series anomaly detection and baselining to flag consistent time-of-day deviations from a host's normal outbound profile; investigate the resulting alerts with threat hunting and retrospective log review, since a schedule only becomes visible once several periods of data are compared.
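The following is an added example (not part of the original page or of the MITRE ATT&CK technique entry) of the time-of-day correlation described above, run over a handful of constructed flow records. It groups flows by (source host, destination) pair, measures how tightly the connection times cluster on the 24-hour clock across distinct days, and reports pairs that recur inside a narrow window with a meaningful outbound byte count. The host names, IPs, thresholds and log format are assumptions for illustration; adapt the parser to your own flow or connection-creation source.

```python
"""Hunt for scheduled transfers (T1029) in flow data: flag (src, dst) pairs
that connect at a consistent time of day on several distinct days.
Added example with constructed records; not real telemetry."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: utc_time src_host dst_ip:port bytes_out
SAMPLE_FLOWS = """\
# constructed: utc_time src_host dst_ip:port bytes_out
2024-03-01T02:05:11Z ws-017 203.0.113.45:443 5242880
2024-03-01T09:14:02Z ws-017 198.51.100.7:443 1200
2024-03-01T23:58:40Z ws-022 192.0.2.88:8443 2000000
2024-03-02T00:03:05Z ws-022 192.0.2.88:8443 2000000
2024-03-02T02:04:58Z ws-017 203.0.113.45:443 5100000
2024-03-02T13:41:30Z ws-017 198.51.100.7:443 980
2024-03-03T02:05:20Z ws-017 203.0.113.45:443 5300000
2024-03-03T11:02:10Z ws-017 198.51.100.7:443 1500
2024-03-03T23:59:12Z ws-022 192.0.2.88:8443 2000000
2024-03-04T02:05:03Z ws-017 203.0.113.45:443 5240000
2024-03-05T00:02:47Z ws-022 192.0.2.88:8443 2000000
"""

MINUTES_PER_DAY = 24 * 60


def parse_flows(text):
    """Return a list of (utc_datetime, src, dst, bytes_out) from the text format above."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split()
        # All timestamps are normalized to UTC so time-of-day comparisons are meaningful.
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows.append((when, src, dst, int(nbytes)))
    return flows


def circular_spread(minutes):
    """Smallest arc of the 24h clock (in minutes) that covers every sample.

    Treats 23:58 and 00:03 as 5 minutes apart rather than 1435, so a job that
    fires around midnight is not missed. Computed as the full circle minus the
    largest gap between consecutive sorted samples (including the wrap-around gap).
    """
    pts = sorted(m % MINUTES_PER_DAY for m in minutes)
    if len(pts) < 2:
        return 0
    gaps = [b - a for a, b in zip(pts, pts[1:])]
    gaps.append(MINUTES_PER_DAY - pts[-1] + pts[0])  # gap across midnight
    return MINUTES_PER_DAY - max(gaps)


def find_scheduled_transfers(flows, min_days=3, window_minutes=10, min_bytes=1_000_000):
    """Return findings for pairs seen on >= min_days distinct days, all within a
    window_minutes clock window, with at least min_bytes total outbound.
    Thresholds are illustrative assumptions; tune them to your environment."""
    by_pair = defaultdict(list)
    for when, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((when, nbytes))

    findings = []
    for (src, dst), events in by_pair.items():
        days = {when.date() for when, _ in events}
        if len(days) < min_days:
            continue  # not recurring on enough separate days
        minutes = [when.hour * 60 + when.minute for when, _ in events]
        spread = circular_spread(minutes)
        if spread > window_minutes:
            continue  # connection times are not clustered on the clock
        total = sum(nbytes for _, nbytes in events)
        if total < min_bytes:
            continue  # too little data moved to look like a transfer
        findings.append({
            "src": src,
            "dst": dst,
            "days": len(days),
            "connections": len(events),
            "time_spread_min": spread,
            "bytes_out": total,
        })
    # Largest movers first
    return sorted(findings, key=lambda f: -f["bytes_out"])


if __name__ == "__main__":
    for f in find_scheduled_transfers(parse_flows(SAMPLE_FLOWS)):
        print(f"{f['src']} -> {f['dst']}: {f['days']} days, "
              f"{f['connections']} conns within {f['time_spread_min']} min, "
              f"{f['bytes_out']} bytes out")
```

In the constructed data, ws-017 to 198.51.100.7 connects daily but at scattered hours with tiny payloads, so it drops out; the two pairs that survive hit the same clock window on four different dates. The circular spread matters for the ws-022 case, which straddles midnight and would look random under a naive max-minus-min of minutes since midnight. In practice, feed the findings into process lineage and file access correlation (which process opened the connection, and what it read just before) rather than alerting on the flow pattern alone.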
Tactics:
Exfiltration
Platforms:
Linux, Windows, macOS
Data Sources:
Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow
Relationship Citations:
(Citation: NTT Security Flagpro new December 2021),(Citation: Securelist ShadowPad Aug 2017),(Citation: PTSecurity Higaisa 2020),(Citation: ESET Gelsemium June 2021),(Citation: ESET Machete July 2019),(Citation: FOX-IT May 2016 Mofang),(Citation: cobaltstrike manual),(Citation: Kaspersky ToddyCat June 2022),(Citation: ESET ComRAT May 2020),(Citation: ESET Sednit Part 2),(Citation: Kaspersky Adwind Feb 2016),(Citation: Talos TinyTurla September 2021),(Citation: Unit 42 Kazuar May 2017),(Citation: Microsoft PLATINUM April 2016),(Citation: FireEye MuddyWater Mar 2018),(Citation: ClearSky Siamesekitten August 2021),(Citation: ESET LightNeuron May 2019),(Citation: Symantec Linfo May 2012),(Citation: University of Birmingham C2)
Read More: https://attack.mitre.org/techniques/T1029