T1029 CrowdStrike LogScale · LogScale

Detect Scheduled Transfer in CrowdStrike LogScale

Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This is commonly observed in malware configured to beacon or exfiltrate at fixed intervals (e.g., every 10 minutes, every 8 hours) or only during business hours to blend with normal traffic. Scheduled transfer almost always combines with another exfiltration technique such as Exfiltration Over C2 Channel (T1041) or Exfiltration Over Alternative Protocol (T1048). Real-world examples include ComRAT sleeping outside 9-to-5 Monday–Friday, LightNeuron configuring nighttime-only exfiltration windows, ADVSTORESHELL compressing and exfiltrating every 10 minutes, and Cobalt Strike Beacon using randomized sleep intervals to resist frequency-based detection.

MITRE ATT&CK

Tactic
Exfiltration
Technique
T1029 Scheduled Transfer
Canonical reference
https://attack.mitre.org/techniques/T1029/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
// Part 1: Beaconing — NetworkConnectIP4 events grouped by process/destination to find regular-interval outbound connections
#event_simpleName=NetworkConnectIP4
| not cidr(RemoteAddressIP4, subnet="10.0.0.0/8")
| not cidr(RemoteAddressIP4, subnet="172.16.0.0/12")
| not cidr(RemoteAddressIP4, subnet="192.168.0.0/16")
| not cidr(RemoteAddressIP4, subnet="127.0.0.0/8")
| not cidr(RemoteAddressIP4, subnet="169.254.0.0/16")
| ImageFileName != /(?i)(chrome|firefox|msedge|MicrosoftEdge|iexplore|teams|outlook|slack|zoom|OneDrive|svchost|MsMpEng|SecurityHealthService|SearchIndexer|WerFault|spoolsv|lsass|services|smss)\.exe$/
| groupBy(
    [ComputerName, ImageFileName, CommandLine, UserName, RemoteAddressIP4],
    function=[
      count(as=ConnectionCount),
      min(@timestamp, as=EarliestConnMs),
      max(@timestamp, as=LatestConnMs),
      values(RemotePort, as=RemotePorts)
    ]
  )
| ConnectionCount >= 5
| TimeSpanMinutes := (LatestConnMs - EarliestConnMs) / 60000
| TimeSpanMinutes >= 20
| AvgIntervalMinutes := TimeSpanMinutes / (ConnectionCount - 1)
| AvgIntervalMinutes >= 1
| AvgIntervalMinutes <= 120
| IsHighConfidenceBeacon := if(ConnectionCount >= 8 AND AvgIntervalMinutes >= 5 AND AvgIntervalMinutes <= 30, "true", "false")
| "Beaconing" as DetectionType
| sort(ConnectionCount, order=desc)

// Part 2: Scheduled task process spawning exfiltration tools — run as separate LogScale query
#event_simpleName=ProcessRollup2
| ParentBaseFileName = /(?i)(taskeng|taskhostw|schtasks)\.exe$/
  OR (ParentBaseFileName = /(?i)svchost\.exe$/ AND ParentCommandLine = /(?i)Schedule/)
| FileName = /(?i)(curl|certutil|bitsadmin|ftp|tftp|rclone|nc|ncat|robocopy)\.exe$/
  OR (
    FileName = /(?i)(powershell|pwsh)\.exe$/
    AND CommandLine = /(?i)(Invoke-WebRequest|New-Object.*WebClient|UploadFile|UploadData|FtpWebRequest|HttpClient|SendAsync)/
  )
  OR (
    FileName = /(?i)cmd\.exe$/
    AND CommandLine = /(?i)(curl[\s]|certutil[\s]|bitsadmin[\s])/
  )
| "ScheduledTaskExfil" as DetectionType
| table(
    [ComputerName, UserName, FileName, CommandLine,
     ParentBaseFileName, ParentCommandLine, DetectionType]
  )
high severity medium confidence

Two CrowdStrike LogScale queries for T1029 Scheduled Transfer. Part 1 aggregates NetworkConnectIP4 Falcon events by host/process/destination IP to detect beaconing: 5+ outbound connections with TimeSpanMinutes >= 20 and AvgIntervalMinutes between 1 and 120, excluding browser and OS processes and private IP ranges. IsHighConfidenceBeacon is set when ConnectionCount >= 8 with 5–30 minute average intervals. Part 2 matches ProcessRollup2 events where task scheduler parent processes (taskeng.exe, taskhostw.exe, schtasks.exe) directly spawn known data exfiltration tools or PowerShell/cmd with transfer commands. Run each query independently; correlate on ComputerName + UserName for enriched context.

Data Sources

CrowdStrike Falcon Endpoint Protection (Prevent or Insight tier)CrowdStrike Falcon LogScale / Humio with Falcon telemetry pipelineFalcon Data Replicator (FDR) feeding LogScale

Required Tables

NetworkConnectIP4 Falcon event streamProcessRollup2 Falcon event stream

False Positives & Tuning

  • CrowdStrike Falcon sensor or other EDR agents (SentinelOne, Defender ATP) performing regular telemetry uploads — their process names may not match common browser/OS exclusions and will appear as beaconing; add sensor binaries to the exclusion regex
  • IT automation tools executed via Task Scheduler (Ansible WinRM runner, SCCM Software Center launcher) that use PowerShell with WebClient or curl to communicate with automation controllers on regular check-in intervals
  • PowerShell DSC (Desired State Configuration) Local Configuration Manager running in pull mode, invoking WebClient to retrieve MOF files from a pull server at the configured RefreshFrequencyMins interval (default 30 minutes)
Download portable Sigma rule (.yml)

Other platforms for T1029

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Windows — Scheduled Task Periodic HTTP Transfer (PowerShell)

    Expected signal: Sysmon Event ID 1: Process Create for schtasks.exe with CommandLine containing '/create /sc MINUTE /mo 5'. Windows Security Event ID 4698 (A scheduled task was created) in the Security event log. When the task fires: Sysmon Event ID 1 for taskhostw.exe spawning powershell.exe with '-WindowStyle Hidden'. Sysmon Event ID 3 for the network connection attempt to 127.0.0.1:8080.

  2. Test 2Windows — Simulated Beacon Loop with Fixed Sleep Interval

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with the loop command. Sysmon Event ID 3: Three network connection events to 127.0.0.1:9999 spaced approximately 120 seconds apart, all with the same InitiatingProcessId. The beaconing detection aggregates these into ConnectionCount=3 with AvgIntervalMinutes ≈ 2.0.

  3. Test 3Linux — Cron-Based Periodic Exfiltration Simulation

    Expected signal: Auditd event (if configured with -w /var/spool/cron/crontabs -p wa): SYSCALL write to the crontab file. Cron daemon syslog entry (/var/log/syslog or /var/log/cron): 'CRON[<pid>]: (<user>) CMD (curl -s -X POST...)' every 5 minutes. Syslog or auditd execve events for curl spawned by cron daemon (PPID = crond). Network connection from curl to 127.0.0.1:8080.

  4. Test 4Windows — BITS Job Scheduled Data Exfiltration Simulation

    Expected signal: Sysmon Event ID 1: Process Create for bitsadmin.exe with /create, /addfile, /resume subcommands. Sysmon Event ID 3: Network connection from svchost.exe (BITS service) to 127.0.0.1:8080 when the job attempts execution. Windows Application Event Log: Microsoft-Windows-Bits-Client/Operational — Event ID 3 (job created), 59 (job started), 61 (job error on failed connection). Security Event ID 4688 for bitsadmin.exe if command line auditing is enabled.

Last updated: 2026-04-16 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1029 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1041Exfiltration Over C2 ChannelT1048Exfiltration Over Alternative ProtocolT1048.001Exfiltration Over Symmetric Encrypted Non-C2 ProtocolT1020Automated ExfiltrationT1020.001Traffic DuplicationT1053.005Scheduled TaskT1053.003CronT1560Archive Collected DataT1132Data EncodingT1071Application Layer Protocol

Same Tactic: Exfiltration

Popular Detections