Scheduled Transfer

Scheduled transfer is a technique in which an attacker exfiltrates data according to a preset timing policy. Its defining characteristic is that the transfer is coupled to the target system's legitimate business cycle, which lowers the probability that the anomalous traffic is detected. Conventional detection relies mainly on recognising temporal regularity in the transfer (such as a fixed-period heartbeat), analysing packet content and size (such as the signature of a large file transfer), and verifying protocol compliance (such as anomalous field contents). Defensive measures include monitoring processes for periodic network activity, analysing anomalies in transfer timing patterns, and detecting the use of unusual protocols.

To defeat these conventional detection mechanisms, attackers have developed newer stealth transfer techniques such as timing obfuscation, protocol parasitism and data deconstruction. By blending into the behavioural profile of the target network, they build exfiltration channels that are highly covert and resistant to analysis, forming a covert transfer paradigm of "data as business".

What current scheduled-transfer stealth techniques have in common is that they reshape the spatio-temporal characteristics of the transfer and adapt it closely to the business context. Multi-node, discretised, low-frequency transfer builds a dynamic mesh transfer topology; through cooperative multi-hop forwarding and traffic shaping it breaks the spatial continuity of the data flow. Transfer embedded in legitimate protocols exploits the extensibility of protocol specifications, encoding the exfiltrated data as necessary parameters of business interactions so that malicious and legitimate traffic merge at the protocol layer. The core strategy of both techniques is "de-featurisation": breaking periodic regularity in the time dimension, achieving deep parasitism in the protocol dimension, and deconstructing signatures in the data dimension, until the exfiltration cannot be distinguished from normal business in traffic shape, interaction logic or temporal distribution. Detection systems built on single-dimension threshold alerts or pattern matching therefore face a fundamental challenge.

The evolution of these stealth techniques forces defences to shift toward multi-dimensional behavioural modelling. Countering the new covert transfer threats requires a composite detection framework that covers protocol semantic analysis, temporal anomaly detection and cross-path correlation, strengthened deep parsing of encrypted-traffic metadata, and dynamic forensics based on data-lineage tracking.

ID: T1029
Sub-techniques: T1029.001, T1029.002
Tactic: Exfiltration
Platforms: Linux, Windows, macOS
Version: 1.1
Created: 31 May 2017
Last Modified: 28 March 2020

Stealth Effects

Effect type    Present?
Signature camouflage
Behavioural transparency
Data masking
Spatio-temporal trace dispersal

Signature Camouflage

Through protocol-field parasitism and data-shape adaptation, the attacker embeds the exfiltrated data into legitimate protocol interactions: for example, carrying encrypted information in compliant fields of HTTP extension headers, or encoding data in timestamp jitter patterns that mimic a video stream. At the level of protocol compliance the transfer traffic is then fully consistent with normal business, evading defences based on protocol-anomaly detection.
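Because traffic of this kind passes protocol-compliance checks, one defensive counter is to baseline the header values a site normally emits and flag values that depart from that baseline in length or randomness. The following Python is an added example written for this page, not code from the original text; the HTTP requests, header names and thresholds are constructed for illustration, and the random padding in the suspicious request is not encoded data of any kind. It covers only the HTTP-header case, not the timestamp-jitter case the paragraph also mentions.

```python
from __future__ import annotations

import math
import random
import string
from collections import Counter

# Constructed baseline of known-good HTTP requests (not captured traffic).
# Session and request IDs are deliberately random-looking so the detector
# learns that those particular headers are normally high-entropy.
_rng = random.Random(11)


def _hex(n: int) -> str:
    return "".join(_rng.choice("0123456789abcdef") for _ in range(n))


def _good_request(path: str) -> str:
    return (
        f"GET {path} HTTP/1.1\r\n"
        "Host: www.example.com\r\n"
        "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
        "Accept: text/html,application/xhtml+xml\r\n"
        "Accept-Language: en-US,en;q=0.9\r\n"
        f"Cookie: sessionid={_hex(32)}\r\n"
        f"X-Request-Id: {_hex(8)}-{_hex(4)}-{_hex(4)}-{_hex(4)}-{_hex(12)}\r\n"
        "\r\n"
    )


GOOD_REQUESTS = [_good_request(p) for p in ("/", "/index.html", "/news", "/about")]

# Constructed suspicious request: a header name never seen in the baseline,
# plus a Cookie far longer and more random than any baseline cookie.
# The filler is random characters only (constructed, not real data).
_b64chars = string.ascii_letters + string.digits + "+/"


def _blob(n: int) -> str:
    return "".join(_rng.choice(_b64chars) for _ in range(n))


BAD_REQUEST = (
    "GET /news HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "Accept: text/html,application/xhtml+xml\r\n"
    f"Cookie: sessionid={_blob(600)}\r\n"
    f"X-Trace-Context: {_blob(300)}\r\n"
    "\r\n"
)


def shannon_entropy(value: str) -> float:
    """Bits per character of the value (0 for an empty string)."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def parse_headers(raw: str) -> dict[str, str]:
    """Map lower-cased header names to values for one HTTP/1.x request."""
    headers: dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:  # skip the request line
        if not line:  # blank line terminates the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def build_baseline(requests: list[str]) -> dict[str, tuple[int, float]]:
    """Per header name, the largest value length and entropy seen in good traffic."""
    baseline: dict[str, tuple[int, float]] = {}
    for raw in requests:
        for name, value in parse_headers(raw).items():
            max_len, max_ent = baseline.get(name, (0, 0.0))
            baseline[name] = (max(max_len, len(value)),
                              max(max_ent, shannon_entropy(value)))
    return baseline


def score_request(raw: str, baseline: dict[str, tuple[int, float]],
                  len_factor: float = 2.0, ent_margin: float = 0.5) -> list[tuple[str, str]]:
    """Return (header, reason) pairs for values that stand out from the baseline.
    len_factor and ent_margin are assumed tuning knobs, not standard values."""
    findings: list[tuple[str, str]] = []
    for name, value in parse_headers(raw).items():
        if name not in baseline:
            findings.append((name, "header name absent from baseline"))
            continue
        max_len, max_ent = baseline[name]
        if len(value) > len_factor * max_len:
            findings.append((name, f"length {len(value)} exceeds {len_factor}x baseline max {max_len}"))
        ent = shannon_entropy(value)
        if ent > max_ent + ent_margin:
            findings.append((name, f"entropy {ent:.2f} bits/char exceeds baseline max {max_ent:.2f}"))
    return findings


if __name__ == "__main__":
    base = build_baseline(GOOD_REQUESTS)
    for header, reason in score_request(BAD_REQUEST, base):
        print(f"{header}: {reason}")
```

The per-header baseline matters: a global entropy threshold would flag every session cookie and request ID, whereas comparing each header against its own history keeps legitimately random fields quiet and still surfaces a cookie that has grown to many times its usual size or a header name the site has never sent.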

Spatio-temporal Trace Dispersal

Through cooperating distributed nodes and dynamic scheduling algorithms, the complete data flow is broken into micro-transfer events that are discrete in time and dispersed in space. Each transfer is aperiodic in the time dimension and spans several autonomous systems in the space dimension; long-period, wide-area network background noise dilutes the concentration of transfer features, so that conventional flow-aggregation analysis based on short time windows struggles to correlate the discrete events.

Procedure Examples

ID Name Description
S0045 ADVSTORESHELL

ADVSTORESHELL collects, compresses, encrypts, and exfiltrates data to the C2 server every 10 minutes.[1]

S0667 Chrommme

Chrommme can set itself to sleep before requesting a new command from C2.[2]

S0154 Cobalt Strike

Cobalt Strike can set its Beacon payload to reach out to the C2 server on an arbitrary and random interval.[3]

S0126 ComRAT

ComRAT has been programmed to sleep outside local business hours (9 to 5, Monday to Friday).[4]

S0200 Dipsind

Dipsind can be configured to only run during normal working hours, which would make its communications harder to distinguish from normal traffic.[5]

S0696 Flagpro

Flagpro has the ability to wait for a specified time interval between communicating with and executing commands from C2.[6]

G0126 Higaisa

Higaisa sent the victim computer identifier in a User-Agent string back to the C2 server every 10 minutes.[7]

S0283 jRAT

jRAT can be configured to reconnect at certain intervals.[8]

S0265 Kazuar

Kazuar can sleep for a specific time and be set to communicate at specific intervals.[9]

S0395 LightNeuron

LightNeuron can be configured to exfiltrate data during nighttime or working hours.[10]

S0211 Linfo

Linfo creates a backdoor through which remote attackers can change the frequency at which compromised hosts contact remote C2 infrastructure.[11]

S0409 Machete

Machete sends stolen data to the C2 server every 10 minutes.[12]

S1100 Ninja

Ninja can configure its agent to work only in specific time frames.[13]

S0223 POWERSTATS

POWERSTATS can sleep for a given number of seconds.[14]

S0596 ShadowPad

ShadowPad has sent data back to C2 every 8 hours.[15]

S1019 Shark

Shark can pause C2 communications for a specified time.[16]

S0444 ShimRat

ShimRat can sleep when instructed to do so by the C2.[17]

S0668 TinyTurla

TinyTurla contacts its C2 based on a scheduled timing set in its configuration.[18]

Mitigations

ID Mitigation Description
M1031 Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection by common defensive tools.[19]

Detection

ID Data Source Data Component Detects
DS0029 Network Traffic Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

DS0029 Network Traffic Network Traffic Flow

Monitor for network traffic originating from unknown/unexpected hardware devices. Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware.
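The procedure examples above show the two timing patterns a flow-level detector has to look for: a fixed interval (data sent every 10 minutes or every 8 hours) and traffic confined to business hours (ComRAT, Dipsind, LightNeuron). The Python below is an added example written for this page, not a MITRE or vendor tool; it runs over a constructed connection log, groups connections by source and destination, and flags pairs whose inter-arrival times have a near-zero coefficient of variation or whose connections fall almost entirely inside working hours. The log layout, host names and thresholds are all assumptions.

```python
from __future__ import annotations

import random
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed connection log in a simplified Zeek-style layout (not real data):
#   "<ISO-8601 timestamp> <source host> <destination> <bytes sent>"
# Three behaviours are simulated over five working days:
#   host-a -> drop-1  every 10 minutes, day and night, with up to 3 s of jitter
#   host-b -> cdn-1   irregular intervals at all hours (ordinary browsing)
#   host-c -> api-1   irregular intervals confined to 09:00-17:00 Mon-Fri
START = datetime(2024, 3, 4, tzinfo=timezone.utc)  # a Monday
DAYS = 5


def build_sample_log(seed: int = 7) -> list[str]:
    rng = random.Random(seed)
    end = START + timedelta(days=DAYS)
    lines: list[str] = []
    t = START
    while t < end:  # fixed 10-minute beacon
        lines.append(f"{t.isoformat()} host-a drop-1 {rng.randint(4000, 6000)}")
        t += timedelta(seconds=600 + rng.uniform(0, 3))
    t = START
    while t < end:  # irregular browsing
        lines.append(f"{t.isoformat()} host-b cdn-1 {rng.randint(500, 90000)}")
        t += timedelta(seconds=rng.uniform(30, 1800))
    for day in range(DAYS):  # business-hours-only traffic
        for _ in range(40):
            offset = timedelta(hours=9, seconds=rng.uniform(0, 8 * 3600 - 1))
            t = START + timedelta(days=day) + offset
            lines.append(f"{t.isoformat()} host-c api-1 {rng.randint(800, 3000)}")
    return lines


def parse_line(line: str) -> tuple[datetime, str, str, int]:
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(nbytes)


def interarrival_stats(times: list[datetime]) -> tuple[float, float]:
    """Median gap between consecutive events (seconds) and the coefficient of
    variation of the gaps; a CV near 0 means a fixed period."""
    ts = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return 0.0, 0.0
    return statistics.median(gaps), statistics.pstdev(gaps) / mean


def business_hours_fraction(times: list[datetime]) -> float:
    """Share of events falling 09:00-17:00 on a weekday (UTC, assumed)."""
    inside = sum(1 for t in times if t.weekday() < 5 and 9 <= t.hour < 17)
    return inside / len(times)


def analyse(lines: list[str], min_events: int = 20, cv_max: float = 0.1,
            bh_min: float = 0.95) -> dict[tuple[str, str], dict]:
    """Flag (src, dst) pairs whose timing is strictly periodic or confined to
    business hours. The thresholds are assumptions to be tuned per network."""
    by_pair: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for line in lines:
        ts, src, dst, _ = parse_line(line)
        by_pair[(src, dst)].append(ts)
    findings: dict[tuple[str, str], dict] = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        median, cv = interarrival_stats(times)
        bh = business_hours_fraction(times)
        reasons = []
        if cv <= cv_max:
            reasons.append(f"fixed period of about {median:.0f} s (cv={cv:.3f})")
        if bh >= bh_min:
            reasons.append(f"{bh:.0%} of connections fall inside business hours")
        if reasons:
            findings[pair] = {"events": len(times), "median_interval_s": median,
                              "cv": cv, "business_hours_fraction": bh,
                              "reasons": reasons}
    return findings


if __name__ == "__main__":
    for pair, info in analyse(build_sample_log()).items():
        print(pair, info["reasons"])
```

The two checks are complementary. A tool that randomises its interval, as the Cobalt Strike entry describes, pushes the coefficient of variation up and escapes the periodicity rule, but it still has to choose when to talk; the business-hours profile and a long observation window catch the restriction to working hours that several of the listed implants use. Tune min_events and the thresholds against a baseline of your own hosts, and expect legitimate schedulers (backup agents, update checks) to appear in the periodic bucket, which is why the output carries the median interval and event count for triage rather than a verdict.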

References