MITRE ATT&CK® Detection Strategy

DET0399: Detection Strategy for Scheduled Transfer and Recurrent Exfiltration Patterns

Enterprise | DET0399 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0399 is a detection strategy tied to Scheduled Transfer (T1029): adversaries timing or repeating exfiltration so outbound movement looks like normal business traffic. The business value is not in spotting a single transfer, but in proving whether the organization can recognize recurring, timed, or interval-based data movement patterns before they become an incident-response and disclosure problem.

Executive priority

Prioritize this as an exfiltration-readiness question: do security teams have enough egress visibility, baseline knowledge, and investigation process to distinguish scheduled business transfers from suspicious recurrent outbound data movement? This matters for operational resilience, data-loss response, audit evidence around monitoring, and prioritizing controls on systems that routinely move sensitive data.

Technical view

Because the DET0399 object carries no official description or detection text, teams should validate coverage against the related technique, T1029 Scheduled Transfer (Enterprise domain, Exfiltration tactic). Focus on the Linux, macOS, and Windows environments where that technique applies. SOC and detection engineering should test whether analytics can identify repeated outbound transfers by time of day, interval, destination, protocol, volume, account, host, and process context. Scheduling only sets the timing; the data itself usually leaves over another exfiltration technique such as Exfiltration Over C2 Channel (T1041) or Exfiltration Over Alternative Protocol (T1048), so those channels need the same periodicity analysis.

Likely telemetry

  • Network flow, firewall, proxy, VPN, and secure web gateway logs showing outbound destinations, timing, protocol, and byte counts
  • DNS logs for repeated resolution patterns associated with recurring outbound transfers
  • Endpoint process and command execution telemetry that can link transfer activity to a host, user, or scheduled mechanism
  • Operating system scheduled job/task telemetry where available: cron and systemd timer units on Linux, launchd agents and daemons on macOS, and Task Scheduler activity on Windows (for example, Security event 4698 for task creation when the relevant object-access auditing is enabled, or the Microsoft-Windows-TaskScheduler/Operational log)
  • Data movement logs from file transfer services, cloud storage gateways, or other sanctioned egress paths if present in the local environment

Detection direction

  • Baseline normal scheduled business transfers first; otherwise recurring backups, replication, software updates, and partner integrations can create high false-positive volume.
  • Look for periodicity and consistency: repeated outbound sessions at similar times of day or at a near-constant interval (inter-arrival times with very little variance), especially with unusual destinations, protocols, byte counts, accounts, or hosts.
  • Correlate network observations with endpoint and identity context so analysts can determine whether the transfer was expected, authorized, and tied to a known business process.
  • Tune detections by asset criticality and data sensitivity; recurrent transfers from repositories or high-value systems should receive different triage priority than routine low-risk traffic.
  • Validate blind spots in encrypted traffic, direct-to-cloud transfers, unmanaged endpoints, and networks where only summary logs are retained.
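The detection direction above reduces to a concrete analytic: group outbound sessions by host, account, destination and port, measure how regular the inter-arrival times are, and then score the regular groups against an approved baseline and asset criticality. The following is an added worked example of that logic, not code from MITRE or Glexia. The flow records, the approved-transfer allowlist and the criticality map are all constructed for illustration; a real deployment would read them from the flow collector, the scheduled-transfer inventory and the asset register.

```python
"""Periodicity analysis over outbound flow records (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of a simplified flow/proxy export, one record per line:
# timestamp src_host user dst dst_port bytes_out
SAMPLE_FLOWS = """\
2024-03-01T02:00:03Z fileserver01 svc_backup backup.corp.example 443 5200000000
2024-03-02T02:00:05Z fileserver01 svc_backup backup.corp.example 443 5100000000
2024-03-03T02:00:02Z fileserver01 svc_backup backup.corp.example 443 5300000000
2024-03-04T02:00:04Z fileserver01 svc_backup backup.corp.example 443 5250000000
2024-03-01T03:15:00Z ws-eng-17 jdoe 203.0.113.45 443 48000000
2024-03-02T03:15:01Z ws-eng-17 jdoe 203.0.113.45 443 51000000
2024-03-03T03:14:59Z ws-eng-17 jdoe 203.0.113.45 443 47500000
2024-03-04T03:15:02Z ws-eng-17 jdoe 203.0.113.45 443 49000000
2024-03-01T09:12:10Z ws-eng-17 jdoe cdn.example.net 443 1200000
2024-03-01T14:40:22Z ws-eng-17 jdoe cdn.example.net 443 900000
2024-03-03T11:05:41Z ws-eng-17 jdoe cdn.example.net 443 1500000
"""

# Constructed approved baseline: sanctioned recurring transfers keyed by (src_host, dst).
APPROVED_TRANSFERS = {
    ("fileserver01", "backup.corp.example"): {"owner": "infra-backup", "max_bytes": 6_000_000_000},
}

# Constructed asset criticality used for triage ordering.
ASSET_CRITICALITY = {"fileserver01": "high", "ws-eng-17": "medium"}
CRITICALITY_RANK = {"high": 0, "medium": 1, "low": 2, "unknown": 3}


def parse_flows(text):
    """Parse the whitespace-separated sample format into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, dst, port, nbytes = line.split()
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "user": user, "dst": dst,
            "port": int(port), "bytes": int(nbytes),
        })
    return rows


def periodicity(timestamps, min_sessions=3, max_cv=0.05):
    """Return (is_periodic, mean_interval_seconds, cv) for sorted timestamps.

    cv is stddev/mean of the inter-arrival gaps; a value near zero means the
    sessions fire on a fixed cadence. Fewer than min_sessions is inconclusive.
    """
    if len(timestamps) < min_sessions:
        return False, None, None
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    m = mean(gaps)
    if m <= 0:
        return False, None, None
    cv = pstdev(gaps) / m
    return cv <= max_cv, m, cv


def find_recurrent_transfers(rows):
    """Flag periodic outbound groups, mark approved ones as baseline, order by triage priority."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["src"], r["user"], r["dst"], r["port"])].append(r)
    findings = []
    for (src, user, dst, port), recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        is_periodic, interval, cv = periodicity([r["ts"] for r in recs])
        if not is_periodic:
            continue
        approved = APPROVED_TRANSFERS.get((src, dst))
        # Approved destination AND within its documented volume ceiling -> baseline.
        within_baseline = approved is not None and max(r["bytes"] for r in recs) <= approved["max_bytes"]
        findings.append({
            "src": src, "user": user, "dst": dst, "port": port,
            "sessions": len(recs),
            "interval_hours": round(interval / 3600, 2),
            "cv": round(cv, 4),
            "total_bytes": sum(r["bytes"] for r in recs),
            "criticality": ASSET_CRITICALITY.get(src, "unknown"),
            "verdict": "baseline" if within_baseline else "review",
        })
    # Unexplained recurrences first, then by asset criticality.
    findings.sort(key=lambda f: (f["verdict"] != "review", CRITICALITY_RANK[f["criticality"]]))
    return findings


if __name__ == "__main__":
    for f in find_recurrent_transfers(parse_flows(SAMPLE_FLOWS)):
        print(f"{f['verdict']:8} {f['src']:13} {f['user']:11} -> {f['dst']:20} "
              f"every {f['interval_hours']}h x{f['sessions']} cv={f['cv']} crit={f['criticality']}")
```

On the constructed data the nightly backup from fileserver01 is periodic but lands inside its approved volume ceiling and is reported as baseline, the 03:15 daily session from ws-eng-17 to an unlisted address is periodic and unexplained and sorts to the top for review, and the CDN fetches are dropped because their gaps are irregular. The cv threshold and the minimum session count are the two knobs to tune against your own baseline; jitter added by an adversary raises cv, so a wider window with more sessions is the usual trade.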

Mitigation priorities

  • Inventory and document legitimate scheduled transfers, owners, destinations, and expected volumes so monitoring has an approved baseline.
  • Strengthen egress governance for sensitive systems: restrict unnecessary outbound paths and require approved destinations where feasible.
  • Ensure logging retention and time synchronization support pattern analysis across network, endpoint, and identity sources.
  • Apply least privilege to users, service accounts, and workloads that can initiate recurring data movement.
  • Create incident-response playbooks for recurrent outbound transfer alerts, including business-owner validation, containment decision points, and evidence preservation.

Analyst notes and limits

The supplied ATT&CK object is a detection strategy, DET0399, and only states that it detects T1029 Scheduled Transfer. The related technique describes adversaries scheduling exfiltration at certain times or intervals to blend with normal activity or availability, with other exfiltration techniques likely involved for the actual transfer.

Official description, official detection text, platforms, and tactics are not specified on the DET0399 object itself. Recommendations therefore rely on the supplied relationship to T1029 and must be validated against local architecture, sanctioned data-transfer workflows, available telemetry, and retention limits.

Official MITRE ATT&CK definition

Detection Strategy for Scheduled Transfer and Recurrent Exfiltration Patterns

No official description is available in the imported ATT&CK source object.

The same entry is published on attack.mitre.org (MITRE-hosted reference); links within this page use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row
Domain | ID | Name | Relationship / procedure
Enterprise | T1029 | Scheduled Transfer | This object detects Scheduled Transfer.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
13af3752384d30fa...
Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 13af3752384d…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0399

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.