T1029: Scheduled Transfer
Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.
When scheduled exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over C2 Channel or Exfiltration Over Alternative Protocol.
Analyst context for executives and security teams
Scheduled Transfer matters because exfiltration may be deliberately timed to look routine, occur during business hours, or wait for network availability. For leaders, the issue is not just whether data can leave the network, but whether monitoring can recognize recurring outbound transfer patterns across Linux, macOS, and Windows before they become an incident-response and disclosure problem.
Executive priority
Prioritize this as an exfiltration resilience question: can the organization prove it monitors outbound data movement over time, not only one-time spikes? This affects business continuity, incident decision-making, and compliance evidence because scheduled or interval-based transfers can evade reviews that only look for immediate large-volume anomalies. Network boundary prevention is the only supplied mitigation relationship, so leaders should ask whether intrusion detection/prevention, egress controls, and SOC workflows are aligned to recurring transfer behavior.
Technical view
ATT&CK lists this as an enterprise exfiltration technique for Linux, macOS, and Windows. MITRE does not provide technique-specific detection text, but the supplied relationship to DET0399 indicates a detection strategy focused on scheduled transfer and recurrent exfiltration patterns. SOC and detection teams should validate analytics that correlate outbound traffic volume, timing, destination, protocol, and host/user context across repeated intervals. Because the official description notes that other exfiltration methods may also apply, especially Exfiltration Over C2 Channel and Exfiltration Over Alternative Protocol, coverage should be tested alongside those exfiltration paths rather than treated as a standalone alert.
Likely telemetry
- Firewall, proxy, secure web gateway, IDS/IPS, and network boundary logs showing outbound connections and blocked/allowed transfers
- NetFlow or equivalent network metadata for recurring destination, timing, volume, and protocol patterns
- Endpoint telemetry from Linux, macOS, and Windows hosts that can associate outbound transfers with processes, users, and persistence or scheduling mechanisms where present
- DNS and destination reputation/context logs to support recurring external destination analysis
- Data loss prevention or egress monitoring events where deployed
Detection direction
- Validate DET0399-style analytics for recurrent exfiltration patterns rather than relying only on single-event volume thresholds.
- Tune for periodicity, time-of-day regularity, destination reuse, unusual protocol use, and host/user baseline deviations.
- Correlate scheduled-looking outbound transfers with endpoint process and user context to reduce false positives from legitimate backups, replication, software updates, reporting jobs, and managed file transfers.
- Review blind spots where encrypted traffic, unmanaged endpoints, cloud egress paths, or sparse NetFlow retention prevent interval analysis.
- Test detection logic across Linux, macOS, and Windows because the technique is platform-wide in ATT&CK.
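The detection direction above is easiest to validate with a concrete interval analytic. The following is an added example, not code from the page, from MITRE, or from any vendor product: it runs over constructed NetFlow-style records (timestamp, source host, destination, port, protocol, bytes out), groups them by outbound tuple, measures inter-arrival regularity (coefficient of variation of the gaps) and time-of-day spread, and suppresses tuples that match a documented, sanctioned transfer schedule so legitimate backups do not fire. Host names, addresses, thresholds (MIN_EVENTS, MAX_INTERVAL_CV) and the allowlist entry are all assumptions chosen for illustration.

```python
"""Interval-based detection of scheduled outbound transfers (ATT&CK T1029).

Added illustration, not the page's or MITRE's code. It groups NetFlow-style
records by (src, dst, port, proto), measures how regular the inter-arrival
gaps are, and flags regular recurrence that is not on a sanctioned schedule.
"""
import statistics
from collections import defaultdict
from datetime import datetime

MIN_EVENTS = 4          # at least 3 intervals before calling anything periodic
MAX_INTERVAL_CV = 0.10  # stdev/mean of inter-arrival gaps; lower = more regular

# Constructed sample records (not real telemetry). All timestamps are UTC.
FLOWS = [
    # ws-042 -> 203.0.113.10:443, ~2 MB almost exactly every hour: suspicious.
    ("2024-03-04T01:00:00+00:00", "ws-042", "203.0.113.10", 443, "tcp", 2_100_000),
    ("2024-03-04T01:59:50+00:00", "ws-042", "203.0.113.10", 443, "tcp", 2_050_000),
    ("2024-03-04T03:00:00+00:00", "ws-042", "203.0.113.10", 443, "tcp", 2_120_000),
    ("2024-03-04T04:00:05+00:00", "ws-042", "203.0.113.10", 443, "tcp", 2_080_000),
    ("2024-03-04T05:00:00+00:00", "ws-042", "203.0.113.10", 443, "tcp", 2_100_000),
    ("2024-03-04T06:00:00+00:00", "ws-042", "203.0.113.10", 443, "tcp", 2_090_000),
    # bkp-01 -> 198.51.100.20:443 nightly at 02:00: periodic but sanctioned.
    ("2024-03-01T02:00:00+00:00", "bkp-01", "198.51.100.20", 443, "tcp", 40_000_000),
    ("2024-03-02T02:00:00+00:00", "bkp-01", "198.51.100.20", 443, "tcp", 41_000_000),
    ("2024-03-03T02:00:00+00:00", "bkp-01", "198.51.100.20", 443, "tcp", 39_500_000),
    ("2024-03-04T02:00:00+00:00", "bkp-01", "198.51.100.20", 443, "tcp", 40_200_000),
    # ws-017 -> 192.0.2.30:443, irregular gaps typical of interactive browsing.
    ("2024-03-04T09:00:00+00:00", "ws-017", "192.0.2.30", 443, "tcp", 12_000),
    ("2024-03-04T09:02:00+00:00", "ws-017", "192.0.2.30", 443, "tcp", 8_000),
    ("2024-03-04T10:00:00+00:00", "ws-017", "192.0.2.30", 443, "tcp", 30_000),
    ("2024-03-04T10:00:40+00:00", "ws-017", "192.0.2.30", 443, "tcp", 5_000),
    ("2024-03-04T10:15:40+00:00", "ws-017", "192.0.2.30", 443, "tcp", 9_000),
    ("2024-03-04T12:15:40+00:00", "ws-017", "192.0.2.30", 443, "tcp", 7_000),
    # ws-099: only two events, too few to judge; skipped.
    ("2024-03-04T01:00:00+00:00", "ws-099", "203.0.113.10", 443, "tcp", 500),
    ("2024-03-04T02:00:00+00:00", "ws-099", "203.0.113.10", 443, "tcp", 500),
]

# Documented recurring transfers (constructed entry). Matching tuples whose
# median interval is within `tolerance` of the documented interval are
# reported as sanctioned rather than suspicious.
SANCTIONED_SCHEDULES = [
    {"src": "bkp-01", "dst": "198.51.100.20", "port": 443,
     "interval_s": 86_400, "tolerance": 0.05},
]


def _is_sanctioned(key, median_interval, schedules):
    src, dst, port, _proto = key
    for s in schedules:
        if (s["src"], s["dst"], s["port"]) == (src, dst, port) and \
           abs(median_interval - s["interval_s"]) <= s["tolerance"] * s["interval_s"]:
            return True
    return False


def analyze_flows(flows, schedules=SANCTIONED_SCHEDULES):
    """Return {outbound tuple: metrics and verdict} for tuples with enough events."""
    groups = defaultdict(list)
    for ts, src, dst, port, proto, nbytes in flows:
        groups[(src, dst, port, proto)].append((datetime.fromisoformat(ts), nbytes))

    findings = {}
    for key, events in groups.items():
        if len(events) < MIN_EVENTS:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean_gap if mean_gap else float("inf")
        median_gap = statistics.median(gaps)
        # Seconds since midnight for each event; a small spread means the
        # transfer lands at the same wall-clock time each day.
        tod = [t.hour * 3600 + t.minute * 60 + t.second for t, _ in events]

        if cv > MAX_INTERVAL_CV:
            verdict = "irregular"
        elif _is_sanctioned(key, median_gap, schedules):
            verdict = "sanctioned"
        else:
            verdict = "suspicious_periodic"

        findings[key] = {
            "events": len(events),
            "median_interval_s": median_gap,
            "interval_cv": round(cv, 4),
            "time_of_day_spread_s": max(tod) - min(tod),
            "bytes_out": sum(n for _, n in events),
            "verdict": verdict,
        }
    return findings


def suspicious_tuples(flows=FLOWS, schedules=SANCTIONED_SCHEDULES):
    """Outbound tuples an analyst should triage, sorted for stable output."""
    return sorted(k for k, v in analyze_flows(flows, schedules).items()
                  if v["verdict"] == "suspicious_periodic")


if __name__ == "__main__":
    for key, f in analyze_flows(FLOWS).items():
        print(key, f)
    print("triage:", suspicious_tuples())
```

The coefficient of variation is deliberately preferred over a fixed-gap match so that an hourly beacon with tens of seconds of jitter still scores as regular; in production the thresholds should be tuned against a per-host baseline, and the allowlist should be driven from the documented schedules kept as audit evidence rather than hard-coded.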
Mitigation priorities
- Start with network boundary visibility and enforcement, consistent with ATT&CK mitigation M1031: use intrusion detection/prevention signatures to block traffic at network boundaries where appropriate.
- Define approved egress paths and expected transfer schedules for business processes so the SOC can distinguish sanctioned recurring transfers from suspicious recurrence.
- Prioritize logging retention long enough to detect intervals and repeated timing patterns, not only immediate anomalies.
- Review exceptions for automated transfers, service accounts, and high-volume destinations; document legitimate schedules as audit evidence.
- Use incident-response playbooks that preserve network and endpoint evidence needed to determine what data may have been transferred and over what time window.
Analyst notes and limits
The relationship set shows use by multiple software entries and one group, including Windows-focused malware and cross-platform tools, which reinforces the need to treat scheduled exfiltration as a pattern defenders validate across environments rather than as a single tool behavior. The supplied mitigation relationship is limited to network intrusion prevention, so additional control recommendations are framed as validation and operational priorities rather than ATT&CK-confirmed mitigations.
MITRE provides no official detection text for T1029 in the supplied object. The description does not specify exact commands, protocols, scheduling mechanisms, cloud services, or data types. Local baselines, approved transfer schedules, network architecture, and endpoint logging determine whether this behavior is detectable in a given environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
G0126: Higaisa
Higaisa is a threat group suspected to have South Korean origins. Higaisa has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. Higaisa was first disclosed in early 2019 but is assessed to have operated as early as 2009.[1][2][3]
S0283: jRAT
S0696: Flagpro
S1019: Shark
S0395: LightNeuron
LightNeuron is a sophisticated backdoor that has targeted Microsoft Exchange servers since at least 2014. LightNeuron has been used by Turla to target diplomatic and foreign affairs-related organizations. The presence of certain strings in the malware suggests a Linux variant of LightNeuron exists.[1]
S0223: POWERSTATS
POWERSTATS is a PowerShell-based first stage backdoor used by MuddyWater.[1]
S0200: Dipsind
S0126: ComRAT
S0045: ADVSTORESHELL
ADVSTORESHELL is a spying backdoor that has been used by APT28 from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase.[1][2]
S0211: Linfo
S1100: Ninja
Ninja is a malware developed in C++ that has been used by ToddyCat to penetrate networks and control remote systems since at least 2020. Ninja is possibly part of a post exploitation toolkit exclusively used by ToddyCat and allows multiple operators to work simultaneously on the same machine. Ninja has been used against government and military entities in Europe and Asia and observed in specific infection chains being deployed by Samurai.[1]
S0154: Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]
S0444: ShimRat
ShimRat has been used by the suspected China-based adversary Mofang in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development. The name "ShimRat" comes from the malware's extensive use of Windows Application Shimming to maintain persistence. [1]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | cbb2167c2f12… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: T1029 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.