T1029

Scheduled Transfer

Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This is commonly observed in malware configured to beacon or exfiltrate at fixed intervals (e.g., every 10 minutes, every 8 hours) or only during business hours to blend with normal traffic. Scheduled transfer almost always combines with another exfiltration technique such as Exfiltration Over C2 Channel (T1041) or Exfiltration Over Alternative Protocol (T1048). Real-world examples include ComRAT sleeping outside 9-to-5 Monday–Friday, LightNeuron configuring nighttime-only exfiltration windows, ADVSTORESHELL compressing and exfiltrating every 10 minutes, and Cobalt Strike Beacon using randomized sleep intervals to resist frequency-based detection.

Microsoft Sentinel / Defender

kusto

// T1029 Scheduled Transfer — Beaconing pattern detection and scheduled-task-triggered exfiltration
// Part 1: Regular-interval connections from non-browser, non-system processes to public IPs
let ExcludedProcesses = dynamic([
    "chrome.exe", "firefox.exe", "msedge.exe", "MicrosoftEdge.exe", "iexplore.exe",
    "teams.exe", "outlook.exe", "slack.exe", "zoom.exe", "OneDrive.exe",
    "svchost.exe", "MsMpEng.exe", "SecurityHealthService.exe", "SenseIR.exe",
    "SearchIndexer.exe", "WerFault.exe", "wuauclt.exe", "msiexec.exe",
    "spoolsv.exe", "lsass.exe", "services.exe", "smss.exe"
]);
let ExfiltrationTools = dynamic([
    "curl.exe", "certutil.exe", "bitsadmin.exe", "ftp.exe", "tftp.exe",
    "rclone.exe", "wget.exe", "nc.exe", "ncat.exe", "robocopy.exe"
]);
// Beaconing pattern: >= 5 connections to same external IP with regular interval
let BeaconingAlerts = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteIPType == "Public"
| where InitiatingProcessFileName !in~ (ExcludedProcesses)
| summarize
    ConnectionCount = count(),
    EarliestConnection = min(Timestamp),
    LatestConnection = max(Timestamp),
    BytesSent = sum(SentBytes),
    BytesReceived = sum(ReceivedBytes),
    Ports = make_set(RemotePort, 10)
  by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
     InitiatingProcessAccountName, RemoteIP
| where ConnectionCount >= 5
| extend TimeSpanMinutes = datetime_diff('minute', LatestConnection, EarliestConnection)
| where TimeSpanMinutes >= 20
| extend AvgIntervalMinutes = toreal(TimeSpanMinutes) / toreal(ConnectionCount - 1)
| where AvgIntervalMinutes between (1.0 .. 120.0)
| extend DetectionType = "Beaconing"
| extend IsHighConfidenceBeacon = (ConnectionCount >= 8 and AvgIntervalMinutes between (5.0 .. 30.0))
| project Timestamp = LatestConnection, DeviceName,
          AccountName = InitiatingProcessAccountName,
          ProcessName = InitiatingProcessFileName,
          CommandLine = InitiatingProcessCommandLine,
          RemoteIP, Ports, ConnectionCount,
          AvgIntervalMinutes, BytesSent, BytesReceived,
          DetectionType, IsHighConfidenceBeacon;
// Scheduled task spawning data transfer tools
let ScheduledTaskExfil = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("taskeng.exe", "taskhostw.exe", "schtasks.exe")
      or (InitiatingProcessFileName =~ "svchost.exe"
          and InitiatingProcessCommandLine has_any ("-k netsvcs", "Schedule"))
| where FileName in~ (ExfiltrationTools)
      or (FileName in~ ("powershell.exe", "pwsh.exe")
          and ProcessCommandLine has_any (
            "Invoke-WebRequest", "WebClient", "UploadFile", "UploadData",
            "FtpWebRequest", "curl", "wget", "SendAsync", "HttpClient"
          ))
      or (FileName =~ "cmd.exe"
          and ProcessCommandLine has_any ("curl", "ftp", "certutil", "bitsadmin"))
| extend DetectionType = "ScheduledTaskExfil"
| extend IsHighConfidenceBeacon = false
| project Timestamp, DeviceName, AccountName,
          ProcessName = FileName, CommandLine = ProcessCommandLine,
          RemoteIP = "", Ports = dynamic([]), ConnectionCount = 1,
          AvgIntervalMinutes = toreal(0), BytesSent = long(0), BytesReceived = long(0),
          DetectionType, IsHighConfidenceBeacon;
union BeaconingAlerts, ScheduledTaskExfil
| sort by Timestamp desc

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Process: Process Creation Scheduled Job: Scheduled Job Creation Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents DeviceProcessEvents

False Positives

Monitoring agents (Datadog, SolarWinds, New Relic, PRTG) that make periodic health checks or metric uploads to cloud endpoints at fixed intervals
Backup software (Veeam, Acronis, Backup Exec) with scheduled upload tasks that invoke transfer utilities from svchost or task context
Software update services (WSUS clients, antivirus definition updates, patching tools) that poll external servers at regular intervals
Legitimate IT automation scripts (Ansible, Chef, Puppet) invoked by the Task Scheduler for periodic configuration synchronisation
Cloud sync clients (Dropbox, Box, Google Drive daemon processes) making regular upload connections that are not yet excluded by the process allowlist

Splunk

spl

| union
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
  NOT (Image="*\\chrome.exe" OR Image="*\\firefox.exe" OR Image="*\\msedge.exe"
       OR Image="*\\MicrosoftEdge.exe" OR Image="*\\iexplore.exe" OR Image="*\\teams.exe"
       OR Image="*\\outlook.exe" OR Image="*\\slack.exe" OR Image="*\\zoom.exe"
       OR Image="*\\OneDrive.exe" OR Image="*\\svchost.exe" OR Image="*\\MsMpEng.exe"
       OR Image="*\\SearchIndexer.exe" OR Image="*\\WerFault.exe" OR Image="*\\spoolsv.exe")
  NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*"
       OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*"
       OR DestinationIp="172.21.*" OR DestinationIp="172.22.*" OR DestinationIp="172.23.*"
       OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*"
       OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*"
       OR DestinationIp="172.30.*" OR DestinationIp="172.31.*"
       OR DestinationIp="192.168.*" OR DestinationIp="127.*" OR DestinationIp="169.254.*")
  | stats count as ConnectionCount, min(_time) as EarliestConn, max(_time) as LatestConn,
          values(DestinationIp) as RemoteIPs, values(DestinationPort) as RemotePorts
    by host, Image, CommandLine, User, DestinationIp
  | where ConnectionCount >= 5
  | eval TimeSpanMinutes=round((LatestConn - EarliestConn) / 60, 2)
  | where TimeSpanMinutes >= 20
  | eval AvgIntervalMinutes=round(TimeSpanMinutes / (ConnectionCount - 1), 2)
  | where AvgIntervalMinutes >= 1 AND AvgIntervalMinutes <= 120
  | eval IsHighConfidenceBeacon=if(ConnectionCount >= 8 AND AvgIntervalMinutes >= 5 AND AvgIntervalMinutes <= 30, "true", "false")
  | eval DetectionType="Beaconing"
  | eval EarliestConn=strftime(EarliestConn, "%Y-%m-%d %H:%M:%S")
  | eval LatestConn=strftime(LatestConn, "%Y-%m-%d %H:%M:%S")
  | table host, User, Image, CommandLine, DestinationIp, RemotePorts,
           ConnectionCount, AvgIntervalMinutes, TimeSpanMinutes,
           EarliestConn, LatestConn, IsHighConfidenceBeacon, DetectionType
]
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (ParentImage="*\\taskeng.exe" OR ParentImage="*\\taskhostw.exe" OR ParentImage="*\\schtasks.exe"
   OR (ParentImage="*\\svchost.exe" AND ParentCommandLine="*Schedule*"))
  (Image="*\\curl.exe" OR Image="*\\certutil.exe" OR Image="*\\bitsadmin.exe"
   OR Image="*\\ftp.exe" OR Image="*\\tftp.exe" OR Image="*\\rclone.exe"
   OR Image="*\\nc.exe" OR Image="*\\ncat.exe" OR Image="*\\robocopy.exe"
   OR ((Image="*\\powershell.exe" OR Image="*\\pwsh.exe")
       AND (CommandLine="*Invoke-WebRequest*" OR CommandLine="*WebClient*"
            OR CommandLine="*UploadFile*" OR CommandLine="*UploadData*"
            OR CommandLine="*FtpWebRequest*" OR CommandLine="*HttpClient*"))
   OR (Image="*\\cmd.exe"
       AND (CommandLine="*curl*" OR CommandLine="*certutil*"
            OR CommandLine="*bitsadmin*" OR CommandLine=" *ftp *")))
  | eval DetectionType="ScheduledTaskExfil"
  | eval IsHighConfidenceBeacon="false"
  | eval AvgIntervalMinutes=0, ConnectionCount=1
  | table host, User, Image, CommandLine, ParentImage, ParentCommandLine,
           ConnectionCount, AvgIntervalMinutes, IsHighConfidenceBeacon, DetectionType
]
| sort - ConnectionCount

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Process: Process Creation Sysmon Event ID 3 Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Monitoring agents (Datadog, SolarWinds, New Relic, PRTG) making periodic health check calls to external SaaS endpoints at fixed intervals
Backup and sync software with scheduled upload tasks that spawn curl or robocopy from Task Scheduler context
Software update mechanisms (antivirus DAT updates, WSUS client polls) making periodic external connections
Legitimate automation scripts scheduled via Task Scheduler that use PowerShell WebClient or curl for approved data uploads
Cloud sync clients running as scheduled tasks that make regular connections to provider endpoints

Elastic Security (EQL)

eql

// Part 1: Scheduled task spawning exfiltration tools
process where event.type == "start" and
  process.parent.name in~ ("taskeng.exe", "taskhostw.exe", "schtasks.exe") and
  (
    process.name in~ ("curl.exe", "certutil.exe", "bitsadmin.exe", "ftp.exe",
                       "tftp.exe", "rclone.exe", "nc.exe", "ncat.exe", "robocopy.exe") or
    (
      process.name in~ ("powershell.exe", "pwsh.exe") and
      process.args : ("*Invoke-WebRequest*", "*WebClient*", "*UploadFile*",
                      "*UploadData*", "*FtpWebRequest*", "*HttpClient*", "*SendAsync*")
    ) or
    (
      process.name == "cmd.exe" and
      process.args : ("*curl*", "*certutil*", "*bitsadmin*", "* ftp *")
    )
  )

// Part 2: Beaconing pattern — 5+ repeated connections to same external IP (Elastic 7.14+)
// Run as a separate EQL query
sequence by process.entity_id, destination.ip with maxspan=4h
  [
    network where
      not process.name in~ ("chrome.exe", "firefox.exe", "msedge.exe",
                            "MicrosoftEdge.exe", "iexplore.exe", "teams.exe",
                            "outlook.exe", "slack.exe", "zoom.exe", "OneDrive.exe",
                            "svchost.exe", "MsMpEng.exe", "SecurityHealthService.exe",
                            "SearchIndexer.exe", "WerFault.exe", "spoolsv.exe",
                            "lsass.exe", "services.exe", "smss.exe") and
      not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12",
                    "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")
  ] with runs=5

high severity medium confidence

Data Sources

Elastic Endpoint Security agent (process and network events) Winlogbeat with Sysmon module (Event IDs 1 and 3) Elastic Agent with Windows integration

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-* winlogbeat-*

False Positives

Legitimate backup agents (Veeam, Acronis, Cohesity) scheduled via Task Scheduler making regular connections to cloud backup endpoints — their process names are typically not in the browser/OS exclusion list
Monitoring and observability collectors (Datadog Agent, New Relic Infrastructure, Dynatrace OneAgent) beaconing to SaaS management endpoints at fixed 1–5 minute intervals from non-standard process names
Software update utilities or license managers invoked by Task Scheduler using curl.exe or PowerShell WebClient to poll update servers at regular intervals

IBM QRadar (AQL)

sql

-- Part 1: Beaconing — regular-interval Sysmon network connections to external IPs
SELECT
  sourceip AS HostIP,
  username AS AccountName,
  "Process Name" AS ProcessName,
  "Command Line" AS CommandLine,
  destinationip AS RemoteIP,
  destinationport AS RemotePort,
  COUNT(*) AS ConnectionCount,
  DATEFORMAT(MIN(starttime)*1000, 'YYYY-MM-dd HH:mm:ss') AS EarliestConn,
  DATEFORMAT(MAX(starttime)*1000, 'YYYY-MM-dd HH:mm:ss') AS LatestConn,
  ROUND((MAX(LONG(starttime)) - MIN(LONG(starttime))) / 60.0, 2) AS TimeSpanMinutes,
  ROUND(((MAX(LONG(starttime)) - MIN(LONG(starttime))) / 60.0) / (COUNT(*) - 1), 2) AS AvgIntervalMinutes
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
  AND eventid = 3
  AND NOT "Process Name" ILIKE ANY ('%\\chrome.exe', '%\\firefox.exe', '%\\msedge.exe',
    '%\\MicrosoftEdge.exe', '%\\iexplore.exe', '%\\teams.exe', '%\\outlook.exe',
    '%\\slack.exe', '%\\zoom.exe', '%\\OneDrive.exe', '%\\svchost.exe',
    '%\\MsMpEng.exe', '%\\SearchIndexer.exe', '%\\WerFault.exe', '%\\spoolsv.exe')
  AND NOT destinationip INCIDR '10.0.0.0/8'
  AND NOT destinationip INCIDR '172.16.0.0/12'
  AND NOT destinationip INCIDR '192.168.0.0/16'
  AND NOT destinationip INCIDR '127.0.0.0/8'
  AND NOT destinationip INCIDR '169.254.0.0/16'
GROUP BY sourceip, username, "Process Name", "Command Line", destinationip, destinationport
HAVING COUNT(*) >= 5
  AND (MAX(LONG(starttime)) - MIN(LONG(starttime))) / 60.0 >= 20
  AND ((MAX(LONG(starttime)) - MIN(LONG(starttime))) / 60.0) / (COUNT(*) - 1) BETWEEN 1.0 AND 120.0
LAST 1 DAYS

UNION ALL

-- Part 2: Scheduled task process spawning exfiltration tools (Sysmon Event ID 1)
SELECT
  sourceip AS HostIP,
  username AS AccountName,
  "Process Name" AS ProcessName,
  "Command Line" AS CommandLine,
  "Parent Process Name" AS ParentProcess,
  "Parent Command Line" AS ParentCommandLine,
  1 AS ConnectionCount,
  DATEFORMAT(starttime*1000, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  0.0 AS AvgIntervalMinutes
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
  AND eventid = 1
  AND (
    "Parent Process Name" ILIKE '%\\taskeng.exe'
    OR "Parent Process Name" ILIKE '%\\taskhostw.exe'
    OR "Parent Process Name" ILIKE '%\\schtasks.exe'
    OR ("Parent Process Name" ILIKE '%\\svchost.exe'
        AND "Parent Command Line" ILIKE '%Schedule%')
  )
  AND (
    "Process Name" ILIKE ANY ('%\\curl.exe', '%\\certutil.exe', '%\\bitsadmin.exe',
      '%\\ftp.exe', '%\\tftp.exe', '%\\rclone.exe', '%\\nc.exe',
      '%\\ncat.exe', '%\\robocopy.exe')
    OR (
      ("Process Name" ILIKE '%\\powershell.exe' OR "Process Name" ILIKE '%\\pwsh.exe')
      AND ("Command Line" ILIKE '%Invoke-WebRequest%' OR "Command Line" ILIKE '%WebClient%'
           OR "Command Line" ILIKE '%UploadFile%' OR "Command Line" ILIKE '%UploadData%'
           OR "Command Line" ILIKE '%FtpWebRequest%' OR "Command Line" ILIKE '%HttpClient%')
    )
    OR (
      "Process Name" ILIKE '%\\cmd.exe'
      AND ("Command Line" ILIKE '%curl%' OR "Command Line" ILIKE '%certutil%'
           OR "Command Line" ILIKE '%bitsadmin%' OR "Command Line" ILIKE '% ftp %')
    )
  )
LAST 1 DAYS
ORDER BY ConnectionCount DESC

high severity medium confidence

Data Sources

IBM QRadar with Microsoft Sysmon DSM configured QRadar with custom properties: Process Name, Command Line, Parent Process Name, Parent Command Line Windows endpoint Sysmon forwarding to QRadar via WinCollect or syslog

Required Tables

events

False Positives

Enterprise backup agents (CommVault simpana, NetBackup nbwin.exe) generating high-frequency connections to media servers via Task Scheduler — add their specific process names to the exclusion ILIKE list
IT configuration management clients (Puppet Agent, Chef Client, Ansible pull via scheduled task) checking for updates every 30 minutes using PowerShell or curl — high AvgIntervalMinutes values will appear
SCOM management agent or Zabbix active agent performing scheduled data collection jobs via schtasks, generating regular beaconing to management servers on fixed polling intervals

Sumo Logic CSE

sql

// Part 1: Beaconing pattern detection (Sysmon Event ID 3)
(_sourceCategory=windows/sysmon OR _sourceCategory=*sysmon* OR _sourceCategory=endpoint*)
| where EventCode = "3"
| where !matches(Image, /(?i)(chrome|firefox|msedge|MicrosoftEdge|iexplore|teams|outlook|slack|zoom|OneDrive|svchost|MsMpEng|SecurityHealthService|SearchIndexer|WerFault|spoolsv|lsass|services|smss)\.exe$/)
| where !matches(DestinationIp, /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|169\.254\.)/)
| count as ConnectionCount, min(_messageTime) as EarliestMs, max(_messageTime) as LatestMs by _sourceHost, Image, CommandLine, User, DestinationIp, DestinationPort
| where ConnectionCount >= 5
| (LatestMs - EarliestMs) / 60000 as TimeSpanMinutes
| where TimeSpanMinutes >= 20
| TimeSpanMinutes / (ConnectionCount - 1) as AvgIntervalMinutes
| where AvgIntervalMinutes >= 1 and AvgIntervalMinutes <= 120
| if(ConnectionCount >= 8 and AvgIntervalMinutes >= 5 and AvgIntervalMinutes <= 30, "true", "false") as IsHighConfidenceBeacon
| "Beaconing" as DetectionType
| fields _sourceHost, User, Image, CommandLine, DestinationIp, DestinationPort, ConnectionCount, AvgIntervalMinutes, TimeSpanMinutes, IsHighConfidenceBeacon, DetectionType
| sort by ConnectionCount desc

// Part 2: Scheduled task spawning data transfer tools (Sysmon Event ID 1) — run as separate search
(_sourceCategory=windows/sysmon OR _sourceCategory=*sysmon* OR _sourceCategory=endpoint*)
| where EventCode = "1"
| where matches(ParentImage, /(?i)(taskeng|taskhostw|schtasks)\.exe$/) or
        (matches(ParentImage, /(?i)svchost\.exe$/) and matches(ParentCommandLine, /Schedule/))
| where matches(Image, /(?i)(curl|certutil|bitsadmin|ftp|tftp|rclone|nc|ncat|robocopy)\.exe$/) or
        (matches(Image, /(?i)(powershell|pwsh)\.exe$/) and
         matches(CommandLine, /(?i)(Invoke-WebRequest|WebClient|UploadFile|UploadData|FtpWebRequest|HttpClient|SendAsync)/)) or
        (matches(Image, /(?i)cmd\.exe$/) and
         matches(CommandLine, /(?i)(curl|certutil|bitsadmin| ftp )/))
| "ScheduledTaskExfil" as DetectionType
| "false" as IsHighConfidenceBeacon
| 0 as AvgIntervalMinutes
| 1 as ConnectionCount
| fields _sourceHost, User, Image, CommandLine, ParentImage, ParentCommandLine, ConnectionCount, AvgIntervalMinutes, IsHighConfidenceBeacon, DetectionType

high severity medium confidence

Data Sources

Sumo Logic with Windows Sysmon collector (Sysmon Operational event log) Sumo Logic Cloud SIEM (CSE) with Windows endpoint source Sumo Logic Installed Collector on Windows hosts with Sysmon configured

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=*sysmon*

False Positives

Endpoint security platforms (CrowdStrike Falcon sensor, Carbon Black, Cylance) making periodic telemetry connections to cloud management infrastructure — their process names usually differ from standard browser/OS exclusions and will appear in beaconing results
Power BI or Tableau Desktop scheduled data refresh tasks fetching data from external APIs via PowerShell WebClient or custom scripts at configured refresh intervals
Automated testing harnesses or CI agents (Jenkins agent, GitLab Runner) executed by Task Scheduler using curl.exe to poll build servers — high ConnectionCount with consistent AvgIntervalMinutes

Google Chronicle / SecOps

yaral

rule T1029_scheduled_transfer_beaconing {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects beaconing: 5+ network connections from same process to same external IP over 4h window, excluding browser and OS processes — indicative of scheduled data exfiltration (T1029)"
    mitre_attack_tactic = "Exfiltration"
    mitre_attack_technique = "T1029"
    reference = "https://attack.mitre.org/techniques/T1029/"
    severity = "HIGH"
    confidence = "MEDIUM"
    created = "2026-01-01"

  events:
    $net.metadata.event_type = "NETWORK_CONNECTION"
    $net.principal.hostname = $hostname
    $net.principal.process.file.full_path = $proc_path
    $net.target.ip = $dst_ip
    not re.regex($net.principal.process.file.full_path,
      `(?i)(chrome|firefox|msedge|MicrosoftEdge|iexplore|teams|outlook|slack|zoom|OneDrive|svchost|MsMpEng|SecurityHealthService|SearchIndexer|WerFault|spoolsv|lsass|services|smss)\.exe$`)
    not net.ip_in_range_cidr($net.target.ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($net.target.ip, "172.16.0.0/12")
    not net.ip_in_range_cidr($net.target.ip, "192.168.0.0/16")
    not net.ip_in_range_cidr($net.target.ip, "127.0.0.0/8")
    not net.ip_in_range_cidr($net.target.ip, "169.254.0.0/16")

  match:
    $hostname, $proc_path, $dst_ip over 4h

  condition:
    #net >= 5
}

rule T1029_scheduled_transfer_task_exfil {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Windows Task Scheduler processes (taskeng.exe, taskhostw.exe) spawning known data exfiltration tools or PowerShell/cmd with data transfer commands — indicative of scheduled exfiltration (T1029)"
    mitre_attack_tactic = "Exfiltration"
    mitre_attack_technique = "T1029"
    reference = "https://attack.mitre.org/techniques/T1029/"
    severity = "HIGH"
    confidence = "HIGH"
    created = "2026-01-01"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($proc.principal.process.file.full_path,
      `(?i)(taskeng|taskhostw|schtasks)\.exe$`)
    (
      re.regex($proc.target.process.file.full_path,
        `(?i)(curl|certutil|bitsadmin|ftp|tftp|rclone|nc|ncat|robocopy)\.exe$`)
      or
      (
        re.regex($proc.target.process.file.full_path, `(?i)(powershell|pwsh)\.exe$`)
        and re.regex($proc.target.process.command_line,
          `(?i)(Invoke-WebRequest|New-Object.*WebClient|UploadFile|UploadData|FtpWebRequest|HttpClient|SendAsync)`)
      )
      or
      (
        re.regex($proc.target.process.file.full_path, `(?i)cmd\.exe$`)
        and re.regex($proc.target.process.command_line,
          `(?i)(curl[\s]|certutil[\s]|bitsadmin[\s]|[\s]ftp[\s])`)
      )
    )

  condition:
    $proc
}

high severity medium confidence

Data Sources

Google Chronicle with Windows endpoint telemetry via UDM ingestion Chronicle with Sysmon forwarder (ingested and normalized to UDM) Chronicle with CrowdStrike, Carbon Black, or SentinelOne UDM feed

Required Tables

NETWORK_CONNECTION UDM event type PROCESS_LAUNCH UDM event type

False Positives

SCCM/MECM client or Microsoft Intune Management Extension performing scheduled policy checks that generate regular outbound connections to Microsoft cloud endpoints from non-browser process names
Legitimate IT-created scheduled tasks running robocopy.exe for file server synchronization to cloud storage (Azure Files, SharePoint) or remote backup targets
Security compliance or vulnerability scanners invoking curl.exe or PowerShell WebClient on a schedule to check asset health endpoints or report compliance telemetry

CrowdStrike LogScale (CQL)

cql

// Part 1: Beaconing — NetworkConnectIP4 events grouped by process/destination to find regular-interval outbound connections
#event_simpleName=NetworkConnectIP4
| not cidr(RemoteAddressIP4, subnet="10.0.0.0/8")
| not cidr(RemoteAddressIP4, subnet="172.16.0.0/12")
| not cidr(RemoteAddressIP4, subnet="192.168.0.0/16")
| not cidr(RemoteAddressIP4, subnet="127.0.0.0/8")
| not cidr(RemoteAddressIP4, subnet="169.254.0.0/16")
| ImageFileName != /(?i)(chrome|firefox|msedge|MicrosoftEdge|iexplore|teams|outlook|slack|zoom|OneDrive|svchost|MsMpEng|SecurityHealthService|SearchIndexer|WerFault|spoolsv|lsass|services|smss)\.exe$/
| groupBy(
    [ComputerName, ImageFileName, CommandLine, UserName, RemoteAddressIP4],
    function=[
      count(as=ConnectionCount),
      min(@timestamp, as=EarliestConnMs),
      max(@timestamp, as=LatestConnMs),
      values(RemotePort, as=RemotePorts)
    ]
  )
| ConnectionCount >= 5
| TimeSpanMinutes := (LatestConnMs - EarliestConnMs) / 60000
| TimeSpanMinutes >= 20
| AvgIntervalMinutes := TimeSpanMinutes / (ConnectionCount - 1)
| AvgIntervalMinutes >= 1
| AvgIntervalMinutes <= 120
| IsHighConfidenceBeacon := if(ConnectionCount >= 8 AND AvgIntervalMinutes >= 5 AND AvgIntervalMinutes <= 30, "true", "false")
| "Beaconing" as DetectionType
| sort(ConnectionCount, order=desc)

// Part 2: Scheduled task process spawning exfiltration tools — run as separate LogScale query
#event_simpleName=ProcessRollup2
| ParentBaseFileName = /(?i)(taskeng|taskhostw|schtasks)\.exe$/
  OR (ParentBaseFileName = /(?i)svchost\.exe$/ AND ParentCommandLine = /(?i)Schedule/)
| FileName = /(?i)(curl|certutil|bitsadmin|ftp|tftp|rclone|nc|ncat|robocopy)\.exe$/
  OR (
    FileName = /(?i)(powershell|pwsh)\.exe$/
    AND CommandLine = /(?i)(Invoke-WebRequest|New-Object.*WebClient|UploadFile|UploadData|FtpWebRequest|HttpClient|SendAsync)/
  )
  OR (
    FileName = /(?i)cmd\.exe$/
    AND CommandLine = /(?i)(curl[\s]|certutil[\s]|bitsadmin[\s])/
  )
| "ScheduledTaskExfil" as DetectionType
| table(
    [ComputerName, UserName, FileName, CommandLine,
     ParentBaseFileName, ParentCommandLine, DetectionType]
  )

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection (Prevent or Insight tier) CrowdStrike Falcon LogScale / Humio with Falcon telemetry pipeline Falcon Data Replicator (FDR) feeding LogScale

Required Tables

NetworkConnectIP4 Falcon event stream ProcessRollup2 Falcon event stream

False Positives

CrowdStrike Falcon sensor or other EDR agents (SentinelOne, Defender ATP) performing regular telemetry uploads — their process names may not match common browser/OS exclusions and will appear as beaconing; add sensor binaries to the exclusion regex
IT automation tools executed via Task Scheduler (Ansible WinRM runner, SCCM Software Center launcher) that use PowerShell with WebClient or curl to communicate with automation controllers on regular check-in intervals
PowerShell DSC (Desired State Configuration) Local Configuration Manager running in pull mode, invoking WebClient to retrieve MOF files from a pull server at the configured RefreshFrequencyMins interval (default 30 minutes)

Last updated: 2026-04-16 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1029 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Scheduled Transfer

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Exfiltration

Popular Detections