Esc
Scheduled Transfer - T1029

(ATT&CK® Technique)
Definition

Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.
D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.
        graph LR;

     T1029["Scheduled Transfer"] --> |produces| InternetNetworkTraffic["Internet Network Traffic"]; class T1029 OffensiveTechniqueNode;
        class InternetNetworkTraffic ArtifactNode; click InternetNetworkTraffic href "/dao/artifact/d3f:InternetNetworkTraffic";
        click T1029 href "/offensive-technique/attack/T1029/"; click InternetNetworkTraffic href "/dao/artifact/d3f:InternetNetworkTraffic";             PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
          | analyzes | InternetNetworkTraffic["Internet Network Traffic"];

          PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
            | may-detect | T1029["Scheduled Transfer"] ;
          class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
          class InternetNetworkTraffic ArtifactNode;
          click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis"; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
          | analyzes | InternetNetworkTraffic["Internet Network Traffic"];

          ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
            | may-detect | T1029["Scheduled Transfer"] ;
          class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
          class InternetNetworkTraffic ArtifactNode;
          click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
          | analyzes | InternetNetworkTraffic["Internet Network Traffic"];

          RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
            | may-detect | T1029["Scheduled Transfer"] ;
          class RemoteTerminalSessionDetection DefensiveTechniqueNode;
          class InternetNetworkTraffic ArtifactNode;
          click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
          | analyzes | InternetNetworkTraffic["Internet Network Traffic"];

          NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.->
            | may-detect | T1029["Scheduled Transfer"] ;
          class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
          class InternetNetworkTraffic ArtifactNode;
          click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis";                                     NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
          | analyzes | InternetNetworkTraffic["Internet Network Traffic"];

          NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
            | may-detect | T1029["Scheduled Transfer"] ;
          class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
          class InternetNetworkTraffic ArtifactNode;
          click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation";                  UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
          | analyzes | InternetNetworkTraffic["Internet Network Traffic"];

          UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
            | may-detect | T1029["Scheduled Transfer"] ;
          class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
          class InternetNetworkTraffic ArtifactNode;
          click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis";              Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
          | analyzes | InternetNetworkTraffic["Internet Network Traffic"];

          Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
            | may-detect | T1029["Scheduled Transfer"] ;
          class Client-serverPayloadProfiling DefensiveTechniqueNode;
          class InternetNetworkTraffic ArtifactNode;
          click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling";  NetworkTrafficFiltering["Network Traffic Filtering"] -->
          | filters | InternetNetworkTraffic["Internet Network Traffic"];

          NetworkTrafficFiltering["Network Traffic Filtering"] -.->
            | may-isolate | T1029["Scheduled Transfer"] ;
          class NetworkTrafficFiltering DefensiveTechniqueNode;
          class InternetNetworkTraffic ArtifactNode;
          click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering";
json