T1029 IBM QRadar · QRadar

Detect Scheduled Transfer in IBM QRadar

Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This is commonly observed in malware configured to beacon or exfiltrate at fixed intervals (e.g., every 10 minutes, every 8 hours) or only during business hours to blend with normal traffic. Scheduled transfer almost always combines with another exfiltration technique such as Exfiltration Over C2 Channel (T1041) or Exfiltration Over Alternative Protocol (T1048). Real-world examples include ComRAT sleeping outside 9-to-5 Monday–Friday, LightNeuron configuring nighttime-only exfiltration windows, ADVSTORESHELL compressing and exfiltrating every 10 minutes, and Cobalt Strike Beacon using randomized sleep intervals to resist frequency-based detection.

MITRE ATT&CK

Tactic
Exfiltration
Technique
T1029 Scheduled Transfer
Canonical reference
https://attack.mitre.org/techniques/T1029/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
-- Part 1: Beaconing — regular-interval Sysmon network connections to external IPs
SELECT
  sourceip AS HostIP,
  username AS AccountName,
  "Process Name" AS ProcessName,
  "Command Line" AS CommandLine,
  destinationip AS RemoteIP,
  destinationport AS RemotePort,
  COUNT(*) AS ConnectionCount,
  DATEFORMAT(MIN(starttime)*1000, 'YYYY-MM-dd HH:mm:ss') AS EarliestConn,
  DATEFORMAT(MAX(starttime)*1000, 'YYYY-MM-dd HH:mm:ss') AS LatestConn,
  ROUND((MAX(LONG(starttime)) - MIN(LONG(starttime))) / 60.0, 2) AS TimeSpanMinutes,
  ROUND(((MAX(LONG(starttime)) - MIN(LONG(starttime))) / 60.0) / (COUNT(*) - 1), 2) AS AvgIntervalMinutes
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
  AND eventid = 3
  AND NOT "Process Name" ILIKE ANY ('%\\chrome.exe', '%\\firefox.exe', '%\\msedge.exe',
    '%\\MicrosoftEdge.exe', '%\\iexplore.exe', '%\\teams.exe', '%\\outlook.exe',
    '%\\slack.exe', '%\\zoom.exe', '%\\OneDrive.exe', '%\\svchost.exe',
    '%\\MsMpEng.exe', '%\\SearchIndexer.exe', '%\\WerFault.exe', '%\\spoolsv.exe')
  AND NOT destinationip INCIDR '10.0.0.0/8'
  AND NOT destinationip INCIDR '172.16.0.0/12'
  AND NOT destinationip INCIDR '192.168.0.0/16'
  AND NOT destinationip INCIDR '127.0.0.0/8'
  AND NOT destinationip INCIDR '169.254.0.0/16'
GROUP BY sourceip, username, "Process Name", "Command Line", destinationip, destinationport
HAVING COUNT(*) >= 5
  AND (MAX(LONG(starttime)) - MIN(LONG(starttime))) / 60.0 >= 20
  AND ((MAX(LONG(starttime)) - MIN(LONG(starttime))) / 60.0) / (COUNT(*) - 1) BETWEEN 1.0 AND 120.0
LAST 1 DAYS

UNION ALL

-- Part 2: Scheduled task process spawning exfiltration tools (Sysmon Event ID 1)
SELECT
  sourceip AS HostIP,
  username AS AccountName,
  "Process Name" AS ProcessName,
  "Command Line" AS CommandLine,
  "Parent Process Name" AS ParentProcess,
  "Parent Command Line" AS ParentCommandLine,
  1 AS ConnectionCount,
  DATEFORMAT(starttime*1000, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  0.0 AS AvgIntervalMinutes
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
  AND eventid = 1
  AND (
    "Parent Process Name" ILIKE '%\\taskeng.exe'
    OR "Parent Process Name" ILIKE '%\\taskhostw.exe'
    OR "Parent Process Name" ILIKE '%\\schtasks.exe'
    OR ("Parent Process Name" ILIKE '%\\svchost.exe'
        AND "Parent Command Line" ILIKE '%Schedule%')
  )
  AND (
    "Process Name" ILIKE ANY ('%\\curl.exe', '%\\certutil.exe', '%\\bitsadmin.exe',
      '%\\ftp.exe', '%\\tftp.exe', '%\\rclone.exe', '%\\nc.exe',
      '%\\ncat.exe', '%\\robocopy.exe')
    OR (
      ("Process Name" ILIKE '%\\powershell.exe' OR "Process Name" ILIKE '%\\pwsh.exe')
      AND ("Command Line" ILIKE '%Invoke-WebRequest%' OR "Command Line" ILIKE '%WebClient%'
           OR "Command Line" ILIKE '%UploadFile%' OR "Command Line" ILIKE '%UploadData%'
           OR "Command Line" ILIKE '%FtpWebRequest%' OR "Command Line" ILIKE '%HttpClient%')
    )
    OR (
      "Process Name" ILIKE '%\\cmd.exe'
      AND ("Command Line" ILIKE '%curl%' OR "Command Line" ILIKE '%certutil%'
           OR "Command Line" ILIKE '%bitsadmin%' OR "Command Line" ILIKE '% ftp %')
    )
  )
LAST 1 DAYS
ORDER BY ConnectionCount DESC
high severity medium confidence

Two AQL queries unioned for T1029 Scheduled Transfer detection. Part 1 aggregates Sysmon Event ID 3 (network connections) grouped by host/process/destination IP, filtering to 5+ connections with TimeSpanMinutes >= 20 and AvgIntervalMinutes between 1 and 120 — classic beaconing math applied at query time. Part 2 joins Sysmon Event ID 1 (process creation) to catch task scheduler parents spawning data transfer tools. Note: 'Process Name', 'Command Line', and 'Parent Process Name' are Sysmon custom properties that require corresponding QRadar DSM field extractions to be configured.

Data Sources

IBM QRadar with Microsoft Sysmon DSM configuredQRadar with custom properties: Process Name, Command Line, Parent Process Name, Parent Command LineWindows endpoint Sysmon forwarding to QRadar via WinCollect or syslog

Required Tables

events

False Positives & Tuning

  • Enterprise backup agents (CommVault simpana, NetBackup nbwin.exe) generating high-frequency connections to media servers via Task Scheduler — add their specific process names to the exclusion ILIKE list
  • IT configuration management clients (Puppet Agent, Chef Client, Ansible pull via scheduled task) checking for updates every 30 minutes using PowerShell or curl — high AvgIntervalMinutes values will appear
  • SCOM management agent or Zabbix active agent performing scheduled data collection jobs via schtasks, generating regular beaconing to management servers on fixed polling intervals
Download portable Sigma rule (.yml)

Other platforms for T1029

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Windows — Scheduled Task Periodic HTTP Transfer (PowerShell)

    Expected signal: Sysmon Event ID 1: Process Create for schtasks.exe with CommandLine containing '/create /sc MINUTE /mo 5'. Windows Security Event ID 4698 (A scheduled task was created) in the Security event log. When the task fires: Sysmon Event ID 1 for taskhostw.exe spawning powershell.exe with '-WindowStyle Hidden'. Sysmon Event ID 3 for the network connection attempt to 127.0.0.1:8080.

  2. Test 2Windows — Simulated Beacon Loop with Fixed Sleep Interval

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with the loop command. Sysmon Event ID 3: Three network connection events to 127.0.0.1:9999 spaced approximately 120 seconds apart, all with the same InitiatingProcessId. The beaconing detection aggregates these into ConnectionCount=3 with AvgIntervalMinutes ≈ 2.0.

  3. Test 3Linux — Cron-Based Periodic Exfiltration Simulation

    Expected signal: Auditd event (if configured with -w /var/spool/cron/crontabs -p wa): SYSCALL write to the crontab file. Cron daemon syslog entry (/var/log/syslog or /var/log/cron): 'CRON[<pid>]: (<user>) CMD (curl -s -X POST...)' every 5 minutes. Syslog or auditd execve events for curl spawned by cron daemon (PPID = crond). Network connection from curl to 127.0.0.1:8080.

  4. Test 4Windows — BITS Job Scheduled Data Exfiltration Simulation

    Expected signal: Sysmon Event ID 1: Process Create for bitsadmin.exe with /create, /addfile, /resume subcommands. Sysmon Event ID 3: Network connection from svchost.exe (BITS service) to 127.0.0.1:8080 when the job attempts execution. Windows Application Event Log: Microsoft-Windows-Bits-Client/Operational — Event ID 3 (job created), 59 (job started), 61 (job error on failed connection). Security Event ID 4688 for bitsadmin.exe if command line auditing is enabled.

Last updated: 2026-04-16 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1029 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1041Exfiltration Over C2 ChannelT1048Exfiltration Over Alternative ProtocolT1048.001Exfiltration Over Symmetric Encrypted Non-C2 ProtocolT1020Automated ExfiltrationT1020.001Traffic DuplicationT1053.005Scheduled TaskT1053.003CronT1560Archive Collected DataT1132Data EncodingT1071Application Layer Protocol

Same Tactic: Exfiltration

Popular Detections