
Scheduled Transfer

Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability. When scheduled exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over C2 Channel or Exfiltration Over Alternative Protocol.

ID: T1029
Tactic(s): Exfiltration
Platforms: Linux, macOS, Windows
Data Sources: Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow
Version: 1.1
Created: 31 May 2017
Last Modified: 28 Mar 2020

Procedure Examples

Name Description
Cobalt Strike

Cobalt Strike can set its Beacon payload to reach out to the C2 server on an arbitrary and random interval. In addition, it breaks large data sets into smaller chunks for exfiltration.(Citation: cobaltstrike manual)

jRAT

jRAT can be configured to reconnect at certain intervals.(Citation: Kaspersky Adwind Feb 2016)

Flagpro

Flagpro has the ability to wait for a specified time interval between communicating with and executing commands from C2.(Citation: NTT Security Flagpro new December 2021)

Shark

Shark can pause C2 communications for a specified time.(Citation: ClearSky Siamesekitten August 2021)

LightNeuron

LightNeuron can be configured to exfiltrate data during nighttime or working hours.(Citation: ESET LightNeuron May 2019)

POWERSTATS

POWERSTATS can sleep for a given number of seconds.(Citation: FireEye MuddyWater Mar 2018)

Dipsind

Dipsind can be configured to only run during normal working hours, which would make its communications harder to distinguish from normal traffic.(Citation: Microsoft PLATINUM April 2016)

ComRAT

ComRAT has been programmed to sleep outside local business hours (9 to 5, Monday to Friday).(Citation: ESET ComRAT May 2020)

ADVSTORESHELL

ADVSTORESHELL collects, compresses, encrypts, and exfiltrates data to the C2 server every 10 minutes.(Citation: ESET Sednit Part 2)

Linfo

Linfo creates a backdoor through which remote attackers can change the frequency at which compromised hosts contact remote C2 infrastructure.(Citation: Symantec Linfo May 2012)

Ninja

Ninja can configure its agent to work only in specific time frames.(Citation: Kaspersky ToddyCat June 2022)

ShimRat

ShimRat can sleep when instructed to do so by the C2.(Citation: FOX-IT May 2016 Mofang)

Machete

Machete sends stolen data to the C2 server every 10 minutes.(Citation: ESET Machete July 2019)

Higaisa

Higaisa sent the victim computer identifier in a User-Agent string back to the C2 server every 10 minutes.(Citation: PTSecurity Higaisa 2020)

ShadowPad

ShadowPad has sent data back to C2 every 8 hours.(Citation: Securelist ShadowPad Aug 2017)

TinyTurla

TinyTurla contacts its C2 based on a scheduled timing set in its configuration.(Citation: Talos TinyTurla September 2021)

Chrommme

Chrommme can set itself to sleep before requesting a new command from C2.(Citation: ESET Gelsemium June 2021)

Kazuar

Kazuar can sleep for a specific time and be set to communicate at specific intervals.(Citation: Unit 42 Kazuar May 2017)

Mitigations

Mitigation Description
Scheduled Transfer Mitigation

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

Network Intrusion Prevention

Use intrusion detection signatures to block traffic at network boundaries.

Detection

Monitor process file access patterns and network behavior. Unrecognized processes or scripts that traverse the file system and then send network traffic may be suspicious. Repeated connections to the same destination at the same time of day over several days, or at a near-constant interval (the 10-minute and 8-hour cadences in the procedure examples above), are suspicious.
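The following is an added worked example; it is not part of the ATT&CK entry, the SECURITM page, or any of the tools listed above. It simulates two of the scheduling behaviours from the procedure table (a 10-minute beacon with Cobalt Strike-style jitter, and a nightly upload at about 02:00 in the spirit of LightNeuron's off-hours mode) next to a hand-placed benign workstation, writes them as a simplified Zeek conn.log-style TSV, and then applies the two heuristics from the detection note: near-constant inter-connection gaps, and the same time-of-day slot recurring on several days. The host addresses (RFC 5737 documentation ranges), byte counts, the 20% jitter, the constructed timestamps, and the thresholds (gap coefficient of variation 0.2, 15-minute slots, three days, five connections minimum) are all assumptions chosen for illustration.

```python
# Added example, not from ATT&CK, SECURITM or any cited tool. All log data is constructed.
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, median, pstdev
import random

DAY0 = datetime(2024, 3, 4)  # constructed start date (a Monday); all times are local


def beacon_times(start, count, interval_s, jitter_pct, rng):
    """Check-in times for an implant that sleeps interval_s, shortened each cycle by a
    random 0..jitter_pct percent (the way Cobalt Strike's sleep/jitter is documented)."""
    t, out = start, []
    for _ in range(count):
        out.append(t)
        t += timedelta(seconds=interval_s * (1 - rng.random() * jitter_pct / 100))
    return out


def nightly_times(start, days, hour, minute, rng):
    """One transfer per night at hour:minute plus up to five minutes of delay."""
    base = start.replace(hour=hour, minute=minute)
    return [base + timedelta(days=d, seconds=rng.randrange(300)) for d in range(days)]


# Benign workstation: a dozen irregular connections over five working days, hand-placed
# so that no 15-minute slot repeats (constructed control data).
BENIGN_TIMES = [DAY0 + timedelta(days=d, hours=h, minutes=m) for d, h, m in
                [(0, 8, 3), (0, 11, 47), (0, 16, 20), (1, 9, 31), (1, 14, 5), (2, 8, 40),
                 (2, 12, 12), (2, 17, 55), (3, 10, 22), (4, 9, 5), (4, 13, 38), (4, 15, 50)]]


def build_log(rng):
    """Constructed Zeek conn.log-style rows: ts<TAB>id.orig_h<TAB>id.resp_h<TAB>orig_bytes."""
    rows = [(t, "10.0.0.5", "203.0.113.7", 512)             # 10-minute beacon, 20% jitter
            for t in beacon_times(DAY0 + timedelta(hours=8), 36, 600, 20, rng)]
    rows += [(t, "10.0.0.9", "198.51.100.2", 48_000_000)   # nightly bulk upload, ~02:07
             for t in nightly_times(DAY0, 6, 2, 7, rng)]
    rows += [(t, "10.0.0.12", "192.0.2.80", 2048) for t in BENIGN_TIMES]
    return ["%.3f\t%s\t%s\t%d" % (t.timestamp(), s, d, b) for t, s, d, b in rows]


def detect(lines, min_conns=5, max_cv=0.2, min_days=3, slot_minutes=15):
    """Flag (src, dst) pairs whose gaps are nearly constant (periodic beacon) or that
    recur in the same time-of-day slot on at least min_days distinct days."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst, _bytes = line.rstrip("\n").split("\t")
        by_pair[(src, dst)].append(datetime.fromtimestamp(float(ts)))
    findings = {}
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps)            # coefficient of variation of the gaps
        slots = defaultdict(set)                  # (hour, slot index) -> dates seen in it
        for t in times:
            slots[(t.hour, t.minute // slot_minutes)].add(t.date())
        slot, days = max(slots.items(), key=lambda kv: len(kv[1]))
        periodic = cv <= max_cv
        recurring = len(days) >= min_days
        if periodic or recurring:
            findings[pair] = {
                "connections": len(times),
                "median_gap_s": median(gaps),
                "gap_cv": round(cv, 3),
                "periodic": periodic,
                "recurring_slot": ("%02d:%02d" % (slot[0], slot[1] * slot_minutes)
                                   if recurring else None),
                "slot_days": len(days),
            }
    return findings


def run(seed=7):
    """Build the constructed log with a fixed seed and return the detector's findings."""
    return detect(build_log(random.Random(seed)))


if __name__ == "__main__":
    for (src, dst), finding in run().items():
        print(src, "->", dst, finding)
```

Run it directly to print the two flagged pairs; the benign host is not reported. Two points worth noticing: 20% jitter only moves the gap coefficient of variation to roughly 0.06, so modest jitter alone does not hide a beacon from this check, and the nightly job is flagged by both rules because a daily schedule is also a fixed 86400-second period. On real Zeek data the same three columns are ts, id.orig_h and id.resp_h, and the thresholds would need tuning per environment.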

References

  1. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  2. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  3. Hada, H. (2021, December 28). Flagpro: The new malware used by BlackTech. Retrieved March 25, 2022.
  4. ClearSky Cyber Security. (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
  5. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  6. Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  7. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  8. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  9. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  10. Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.
  11. Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
  12. Klijnsma, Y. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  13. ESET. (2019, July). MACHETE JUST GOT SHARPER: Venezuelan government institutions under attack. Retrieved September 13, 2019.
  14. PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021.
  15. GReAT. (2017, August 15). ShadowPad in corporate networks. Retrieved March 22, 2021.
  16. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control: Understanding, Denying and Detecting. Retrieved April 20, 2016.
  17. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.
  18. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  19. Levene, B. et al. (2017, May 3). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
