Payload Channel Activity Outside Scheduled Time Windows
Monitors for payload communication link activity at times that do not align with predefined operational schedules, signaling potential exploitation or unauthorized usage.
STIX Pattern
[network-traffic:src_ref.value = 'payload_channel' AND network-traffic:timestamp != 'scheduled_window']