Scheduled Transfer

Information

• Name: Scheduled Transfer

• ID: T1029

• Tactics: TA0010

Introduction

Scheduled Transfer (T1029) is a technique categorized under the MITRE ATT&CK framework within the Command and Control tactic. It involves adversaries automating the transfer of data or commands between compromised systems and attacker-controlled infrastructure at regular intervals. This technique helps adversaries maintain persistence, evade detection, and reliably exfiltrate sensitive data over time.

Deep Dive Into Technique

Scheduled Transfer is typically executed through automated tasks or scripts that regularly transfer data or commands between compromised hosts and attacker-controlled servers. Attackers often leverage built-in system utilities, legitimate software, or custom scripts to accomplish scheduled transfers.

Common execution methods and mechanisms include:

• Scheduled Tasks/Jobs:

  • Windows Task Scheduler (schtasks)

  • Cron jobs on Linux/Unix systems (cron, crontab)

  • macOS Launch Agents or Daemons (launchd)

• Automated Scripts:

  • Batch or PowerShell scripts on Windows

  • Bash or Python scripts on Linux/Unix systems

  • Custom scripts utilizing network protocols such as HTTP, FTP, SMB, or SSH

• Cloud Storage Services:

  • Regularly uploading data to cloud storage providers (Dropbox, Google Drive, AWS S3, Azure Blob Storage)

Real-world procedures often involve:

• Periodic exfiltration of sensitive data (logs, credentials, documents)

• Regular polling for commands or updates from attacker infrastructure

• Scheduled beaconing to maintain persistence and avoid detection by blending into normal network traffic

When this Technique is Usually Used

Scheduled Transfer can appear across various attack scenarios and stages, including:

• Persistence Stage:

  • Maintaining long-term access by regularly communicating with attacker infrastructure

  • Periodically checking for new instructions or payloads

• Exfiltration Stage:

  • Automated, scheduled uploads of sensitive information to external servers

  • Regular transfers to cloud storage or file-sharing services to evade detection

• Command and Control Stage:

  • Scheduled beaconing to attacker-controlled servers for updates or tasking

  • Periodic polling to retrieve commands, tools, or payloads

Attack scenarios include:

• Advanced Persistent Threat (APT) campaigns targeting enterprises and governments

• Ransomware attacks regularly exfiltrating data to pressure victims into paying ransom

• Espionage operations consistently extracting intellectual property or sensitive information

How this Technique is Usually Detected

Detection of Scheduled Transfer involves monitoring for anomalous scheduled tasks, unusual network traffic patterns, and suspicious file transfers. Effective detection methods and tools include:

• Monitoring Scheduled Tasks:

  • Regular auditing of Windows Task Scheduler (schtasks /query)

  • Inspecting cron jobs (crontab -l) and launch agents/daemons on macOS (launchctl list)

• Network Traffic Analysis:

  • Network monitoring tools (Wireshark, Zeek, Suricata) to identify periodic, automated outbound connections

  • Security Information and Event Management (SIEM) solutions to correlate scheduled network events

• Endpoint Detection and Response (EDR):

  • Endpoint monitoring tools identifying unusual scripts or binaries executing at regular intervals

  • Behavioral analytics detecting automated data transfers or beaconing activity

• File Integrity Monitoring (FIM):

  • Detecting changes to scheduled tasks, scripts, or configuration files used for automation

Specific Indicators of Compromise (IoCs) include:

• Unrecognized scheduled tasks or cron jobs executing scripts or binaries

• Regular outbound connections to unusual IP addresses or domains

• Periodic data transfers to cloud storage or file-sharing services not authorized by the organization

• Presence of scripts or binaries designed to automate network transfers or beaconing

Why it is Important to Detect This Technique

Early detection of Scheduled Transfer is critical due to its potential impacts on an organization's security posture:

• Data Exfiltration:

  • Regularly transferring sensitive data to attacker-controlled infrastructure can result in severe data breaches, loss of intellectual property, or exposure of confidential information.

• Persistence and Long-Term Access:

  • Allows attackers to maintain continuous, covert access to compromised systems, increasing the risk of long-term espionage, sabotage, or further exploitation.

• Evasion and Stealth:

  • Automated, scheduled transfers are designed to blend into normal network traffic, making detection challenging without proactive monitoring.

• Operational and Financial Impact:

  • Undetected Scheduled Transfer can lead to significant operational disruptions, regulatory fines, reputational damage, and financial losses.

Early detection enables rapid response, containment, and remediation, minimizing the potential damage and preventing attackers from achieving their objectives.

Examples

Real-world examples demonstrating the use of Scheduled Transfer include:

• APT29 (Cozy Bear) Campaigns:

  • Utilized scheduled tasks and cron jobs to periodically exfiltrate sensitive data from compromised government and enterprise networks.

  • Scripts regularly transferred data via encrypted channels (e.g., HTTPS) to attacker-controlled infrastructure, evading detection and facilitating persistent access.

• FIN7 Cybercrime Group:

  • Leveraged scheduled tasks on compromised Windows systems to periodically upload stolen payment card data and credentials to attacker-controlled FTP servers.

  • Automation facilitated ongoing data theft and minimized manual intervention.

• DarkSide Ransomware:

  • Automated regular data exfiltration to cloud storage services before encrypting victim systems.

  • Scheduled transfers increased pressure on victims by threatening data leaks if ransom demands were not met.

• Operation Cloud Hopper (APT10):

  • Regularly used scheduled scripts to transfer sensitive intellectual property and credentials from managed service providers (MSPs) to attacker-controlled servers.

  • Periodic transfers enabled long-term espionage operations and extensive data theft.

Tools commonly used in these scenarios include:

• Native system utilities (schtasks, cron, launchd)

• Scripting languages (PowerShell, Python, Bash)

• Network protocols (HTTPS, FTP, SMB, SSH)

• Cloud storage services (AWS S3, Dropbox, Google Drive, Azure Blob Storage)

Impacts observed in these examples:

• Massive data breaches involving sensitive information, intellectual property, and financial data

• Long-term persistence and covert espionage activities

• Significant operational disruptions, regulatory penalties, and reputational damage