Detect Scheduled Transfer in Google Chronicle
Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This is commonly observed in malware configured to beacon or exfiltrate at fixed intervals (e.g., every 10 minutes, every 8 hours) or only during business hours to blend with normal traffic. Scheduled transfer almost always combines with another exfiltration technique such as Exfiltration Over C2 Channel (T1041) or Exfiltration Over Alternative Protocol (T1048). Real-world examples include ComRAT sleeping outside 9-to-5 Monday–Friday, LightNeuron configuring nighttime-only exfiltration windows, ADVSTORESHELL compressing and exfiltrating every 10 minutes, and Cobalt Strike Beacon using randomized sleep intervals to resist frequency-based detection.
MITRE ATT&CK
- Tactic
- Exfiltration
- Technique
- T1029 Scheduled Transfer
- Canonical reference
- https://attack.mitre.org/techniques/T1029/
YARA-L Detection Query
rule T1029_scheduled_transfer_beaconing {
meta:
author = "Argus Detection Engineering"
description = "Detects beaconing: 5+ network connections from same process to same external IP over 4h window, excluding browser and OS processes — indicative of scheduled data exfiltration (T1029)"
mitre_attack_tactic = "Exfiltration"
mitre_attack_technique = "T1029"
reference = "https://attack.mitre.org/techniques/T1029/"
severity = "HIGH"
confidence = "MEDIUM"
created = "2026-01-01"
events:
$net.metadata.event_type = "NETWORK_CONNECTION"
$net.principal.hostname = $hostname
$net.principal.process.file.full_path = $proc_path
$net.target.ip = $dst_ip
not re.regex($net.principal.process.file.full_path,
`(?i)(chrome|firefox|msedge|MicrosoftEdge|iexplore|teams|outlook|slack|zoom|OneDrive|svchost|MsMpEng|SecurityHealthService|SearchIndexer|WerFault|spoolsv|lsass|services|smss)\.exe$`)
not net.ip_in_range_cidr($net.target.ip, "10.0.0.0/8")
not net.ip_in_range_cidr($net.target.ip, "172.16.0.0/12")
not net.ip_in_range_cidr($net.target.ip, "192.168.0.0/16")
not net.ip_in_range_cidr($net.target.ip, "127.0.0.0/8")
not net.ip_in_range_cidr($net.target.ip, "169.254.0.0/16")
match:
$hostname, $proc_path, $dst_ip over 4h
condition:
#net >= 5
}
rule T1029_scheduled_transfer_task_exfil {
meta:
author = "Argus Detection Engineering"
description = "Detects Windows Task Scheduler processes (taskeng.exe, taskhostw.exe) spawning known data exfiltration tools or PowerShell/cmd with data transfer commands — indicative of scheduled exfiltration (T1029)"
mitre_attack_tactic = "Exfiltration"
mitre_attack_technique = "T1029"
reference = "https://attack.mitre.org/techniques/T1029/"
severity = "HIGH"
confidence = "HIGH"
created = "2026-01-01"
events:
$proc.metadata.event_type = "PROCESS_LAUNCH"
re.regex($proc.principal.process.file.full_path,
`(?i)(taskeng|taskhostw|schtasks)\.exe$`)
(
re.regex($proc.target.process.file.full_path,
`(?i)(curl|certutil|bitsadmin|ftp|tftp|rclone|nc|ncat|robocopy)\.exe$`)
or
(
re.regex($proc.target.process.file.full_path, `(?i)(powershell|pwsh)\.exe$`)
and re.regex($proc.target.process.command_line,
`(?i)(Invoke-WebRequest|New-Object.*WebClient|UploadFile|UploadData|FtpWebRequest|HttpClient|SendAsync)`)
)
or
(
re.regex($proc.target.process.file.full_path, `(?i)cmd\.exe$`)
and re.regex($proc.target.process.command_line,
`(?i)(curl[\s]|certutil[\s]|bitsadmin[\s]|[\s]ftp[\s])`)
)
)
condition:
$proc
}Two Chronicle YARA-L 2.0 rules for T1029 Scheduled Transfer. T1029_scheduled_transfer_beaconing groups NETWORK_CONNECTION UDM events by hostname/process path/destination IP over a 4-hour sliding window and fires when the same process makes 5+ connections to the same external IP, excluding known-good browser and OS process names. T1029_scheduled_transfer_task_exfil fires on any single PROCESS_LAUNCH event where a task scheduler binary is the principal process spawning a known exfiltration tool or PowerShell/cmd with data transfer command patterns. Deploy both rules independently in Chronicle Detection Engine (SIEM).
Data Sources
Required Tables
False Positives & Tuning
- SCCM/MECM client or Microsoft Intune Management Extension performing scheduled policy checks that generate regular outbound connections to Microsoft cloud endpoints from non-browser process names
- Legitimate IT-created scheduled tasks running robocopy.exe for file server synchronization to cloud storage (Azure Files, SharePoint) or remote backup targets
- Security compliance or vulnerability scanners invoking curl.exe or PowerShell WebClient on a schedule to check asset health endpoints or report compliance telemetry
Other platforms for T1029
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Windows — Scheduled Task Periodic HTTP Transfer (PowerShell)
Expected signal: Sysmon Event ID 1: Process Create for schtasks.exe with CommandLine containing '/create /sc MINUTE /mo 5'. Windows Security Event ID 4698 (A scheduled task was created) in the Security event log. When the task fires: Sysmon Event ID 1 for taskhostw.exe spawning powershell.exe with '-WindowStyle Hidden'. Sysmon Event ID 3 for the network connection attempt to 127.0.0.1:8080.
- Test 2Windows — Simulated Beacon Loop with Fixed Sleep Interval
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with the loop command. Sysmon Event ID 3: Three network connection events to 127.0.0.1:9999 spaced approximately 120 seconds apart, all with the same InitiatingProcessId. The beaconing detection aggregates these into ConnectionCount=3 with AvgIntervalMinutes ≈ 2.0.
- Test 3Linux — Cron-Based Periodic Exfiltration Simulation
Expected signal: Auditd event (if configured with -w /var/spool/cron/crontabs -p wa): SYSCALL write to the crontab file. Cron daemon syslog entry (/var/log/syslog or /var/log/cron): 'CRON[<pid>]: (<user>) CMD (curl -s -X POST...)' every 5 minutes. Syslog or auditd execve events for curl spawned by cron daemon (PPID = crond). Network connection from curl to 127.0.0.1:8080.
- Test 4Windows — BITS Job Scheduled Data Exfiltration Simulation
Expected signal: Sysmon Event ID 1: Process Create for bitsadmin.exe with /create, /addfile, /resume subcommands. Sysmon Event ID 3: Network connection from svchost.exe (BITS service) to 127.0.0.1:8080 when the job attempts execution. Windows Application Event Log: Microsoft-Windows-Bits-Client/Operational — Event ID 3 (job created), 59 (job started), 61 (job error on failed connection). Security Event ID 4688 for bitsadmin.exe if command line auditing is enabled.
References (10)
- https://attack.mitre.org/techniques/T1029/
- https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf
- https://www.welivesecurity.com/2020/05/26/operation-lagtime-it-backdoors-government-networks-eastern-asia/
- https://securelist.com/shadowpad-in-corporate-networks/81432/
- https://cobaltstrike.com/help-beacon
- https://learn.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1029/T1029.md
- https://www.mandiant.com/resources/blog/identifying-cobalt-strike-team-servers-in-the-wild
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Unlock Pro Content
Get the full detection package for T1029 including response playbook, investigation guide, and atomic red team tests.