Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.
When scheduled exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over C2 Channel or Exfiltration Over Alternative Protocol.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1029 | Scheduled Transfer |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
References
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1029 | Scheduled Transfer |
Comments
This diagnostic statement protects against Scheduled Transfer through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CA-07 | Continuous Monitoring | mitigates | T1029 | Scheduled Transfer | |
| CM-06 | Configuration Settings | mitigates | T1029 | Scheduled Transfer | |
| SI-03 | Malicious Code Protection | mitigates | T1029 | Scheduled Transfer | |
| CM-02 | Baseline Configuration | mitigates | T1029 | Scheduled Transfer | |
| SI-04 | System Monitoring | mitigates | T1029 | Scheduled Transfer | |
| AC-04 | Information Flow Enforcement | mitigates | T1029 | Scheduled Transfer | |
| SC-07 | Boundary Protection | mitigates | T1029 | Scheduled Transfer |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1029 | Scheduled Transfer | |
| action.hacking.vector.Command shell | Remote shell | related-to | T1029 | Scheduled Transfer | |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1029 | Scheduled Transfer | |
| attribute.confidentiality.data_disclosure | None | related-to | T1029 | Scheduled Transfer |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_guardduty | Amazon GuardDuty | technique_scores | T1029 | Scheduled Transfer |
Comments
The following GuardDuty finding type flags events that may indicate adversaries attempting to exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.
Behavior:EC2/TrafficVolumeUnusual
Accuracy and Coverage is unknown, as this finding flags traffic volume that differs from a baseline.
References
|