Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.
When scheduled exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over C2 Channel or Exfiltration Over Alternative Protocol.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-4 | Information Flow Enforcement | Protects | T1029 | Scheduled Transfer |
| CA-7 | Continuous Monitoring | Protects | T1029 | Scheduled Transfer |
| CM-2 | Baseline Configuration | Protects | T1029 | Scheduled Transfer |
| CM-6 | Configuration Settings | Protects | T1029 | Scheduled Transfer |
| SC-7 | Boundary Protection | Protects | T1029 | Scheduled Transfer |
| SI-3 | Malicious Code Protection | Protects | T1029 | Scheduled Transfer |
| SI-4 | System Monitoring | Protects | T1029 | Scheduled Transfer |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1029 | Scheduled Transfer |
| amazon_guardduty | Amazon GuardDuty | technique_scores | T1029 | Scheduled Transfer |