T1029 Elastic Security · Elastic

Detect Scheduled Transfer in Elastic Security

Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This is commonly observed in malware configured to beacon or exfiltrate at fixed intervals (e.g., every 10 minutes, every 8 hours) or only during business hours to blend with normal traffic. Scheduled transfer almost always combines with another exfiltration technique such as Exfiltration Over C2 Channel (T1041) or Exfiltration Over Alternative Protocol (T1048). Real-world examples include ComRAT sleeping outside 9-to-5 Monday–Friday, LightNeuron configuring nighttime-only exfiltration windows, ADVSTORESHELL compressing and exfiltrating every 10 minutes, and Cobalt Strike Beacon using randomized sleep intervals to resist frequency-based detection.

MITRE ATT&CK

Tactic
Exfiltration
Technique
T1029 Scheduled Transfer
Canonical reference
https://attack.mitre.org/techniques/T1029/

Elastic Detection Query

Elastic Security (Elastic)
eql 
// Part 1: Scheduled task spawning exfiltration tools
process where event.type == "start" and
  process.parent.name in~ ("taskeng.exe", "taskhostw.exe", "schtasks.exe") and
  (
    process.name in~ ("curl.exe", "certutil.exe", "bitsadmin.exe", "ftp.exe",
                       "tftp.exe", "rclone.exe", "nc.exe", "ncat.exe", "robocopy.exe") or
    (
      process.name in~ ("powershell.exe", "pwsh.exe") and
      process.args : ("*Invoke-WebRequest*", "*WebClient*", "*UploadFile*",
                      "*UploadData*", "*FtpWebRequest*", "*HttpClient*", "*SendAsync*")
    ) or
    (
      process.name == "cmd.exe" and
      process.args : ("*curl*", "*certutil*", "*bitsadmin*", "* ftp *")
    )
  )

// Part 2: Beaconing pattern — 5+ repeated connections to same external IP (Elastic 7.14+)
// Run as a separate EQL query
sequence by process.entity_id, destination.ip with maxspan=4h
  [
    network where
      not process.name in~ ("chrome.exe", "firefox.exe", "msedge.exe",
                            "MicrosoftEdge.exe", "iexplore.exe", "teams.exe",
                            "outlook.exe", "slack.exe", "zoom.exe", "OneDrive.exe",
                            "svchost.exe", "MsMpEng.exe", "SecurityHealthService.exe",
                            "SearchIndexer.exe", "WerFault.exe", "spoolsv.exe",
                            "lsass.exe", "services.exe", "smss.exe") and
      not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12",
                    "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")
  ] with runs=5
high severity medium confidence

Two EQL queries for T1029 Scheduled Transfer. Part 1 detects task scheduler processes (taskeng.exe, taskhostw.exe, schtasks.exe) spawning known exfiltration tools or PowerShell/cmd with data transfer commands. Part 2 uses the EQL 'with runs=5' syntax to identify beaconing — the same process making 5+ connections to the same external IP within a 4-hour window, excluding known-good browser and OS processes. Run each query independently in Kibana or Elastic Security.

Data Sources

Elastic Endpoint Security agent (process and network events)Winlogbeat with Sysmon module (Event IDs 1 and 3)Elastic Agent with Windows integration

Required Tables

logs-endpoint.events.process-*logs-endpoint.events.network-*winlogbeat-*

False Positives & Tuning

  • Legitimate backup agents (Veeam, Acronis, Cohesity) scheduled via Task Scheduler making regular connections to cloud backup endpoints — their process names are typically not in the browser/OS exclusion list
  • Monitoring and observability collectors (Datadog Agent, New Relic Infrastructure, Dynatrace OneAgent) beaconing to SaaS management endpoints at fixed 1–5 minute intervals from non-standard process names
  • Software update utilities or license managers invoked by Task Scheduler using curl.exe or PowerShell WebClient to poll update servers at regular intervals
Download portable Sigma rule (.yml)

Other platforms for T1029

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Windows — Scheduled Task Periodic HTTP Transfer (PowerShell)

    Expected signal: Sysmon Event ID 1: Process Create for schtasks.exe with CommandLine containing '/create /sc MINUTE /mo 5'. Windows Security Event ID 4698 (A scheduled task was created) in the Security event log. When the task fires: Sysmon Event ID 1 for taskhostw.exe spawning powershell.exe with '-WindowStyle Hidden'. Sysmon Event ID 3 for the network connection attempt to 127.0.0.1:8080.

  2. Test 2Windows — Simulated Beacon Loop with Fixed Sleep Interval

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with the loop command. Sysmon Event ID 3: Three network connection events to 127.0.0.1:9999 spaced approximately 120 seconds apart, all with the same InitiatingProcessId. The beaconing detection aggregates these into ConnectionCount=3 with AvgIntervalMinutes ≈ 2.0.

  3. Test 3Linux — Cron-Based Periodic Exfiltration Simulation

    Expected signal: Auditd event (if configured with -w /var/spool/cron/crontabs -p wa): SYSCALL write to the crontab file. Cron daemon syslog entry (/var/log/syslog or /var/log/cron): 'CRON[<pid>]: (<user>) CMD (curl -s -X POST...)' every 5 minutes. Syslog or auditd execve events for curl spawned by cron daemon (PPID = crond). Network connection from curl to 127.0.0.1:8080.

  4. Test 4Windows — BITS Job Scheduled Data Exfiltration Simulation

    Expected signal: Sysmon Event ID 1: Process Create for bitsadmin.exe with /create, /addfile, /resume subcommands. Sysmon Event ID 3: Network connection from svchost.exe (BITS service) to 127.0.0.1:8080 when the job attempts execution. Windows Application Event Log: Microsoft-Windows-Bits-Client/Operational — Event ID 3 (job created), 59 (job started), 61 (job error on failed connection). Security Event ID 4688 for bitsadmin.exe if command line auditing is enabled.

Last updated: 2026-04-16 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1029 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1041Exfiltration Over C2 ChannelT1048Exfiltration Over Alternative ProtocolT1048.001Exfiltration Over Symmetric Encrypted Non-C2 ProtocolT1020Automated ExfiltrationT1020.001Traffic DuplicationT1053.005Scheduled TaskT1053.003CronT1560Archive Collected DataT1132Data EncodingT1071Application Layer Protocol

Same Tactic: Exfiltration

Popular Detections