
Detect Scheduled Transfer in Microsoft Sentinel

Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This is commonly observed in malware configured to beacon or exfiltrate at fixed intervals (e.g., every 10 minutes, every 8 hours) or only during business hours to blend with normal traffic. Scheduled transfer is almost always combined with another exfiltration technique such as Exfiltration Over C2 Channel (T1041) or Exfiltration Over Alternative Protocol (T1048). Real-world examples include ComRAT sleeping outside 9-to-5 Monday–Friday, LightNeuron configuring nighttime-only exfiltration windows, ADVSTORESHELL compressing and exfiltrating every 10 minutes, and Cobalt Strike Beacon using randomized sleep intervals (jitter) to resist frequency-based detection. The last example matters for detection engineering: any rule that keys on a fixed interval must tolerate some spread in inter-arrival times or it will miss jittered beacons.

MITRE ATT&CK

Tactic
Exfiltration
Technique
T1029 Scheduled Transfer
Canonical reference
https://attack.mitre.org/techniques/T1029/

KQL Detection Query

Microsoft Sentinel (KQL)
```kusto
// T1029 Scheduled Transfer — Beaconing pattern detection and scheduled-task-triggered exfiltration
// Part 1: Regular-interval connections from non-browser, non-system processes to public IPs
let ExcludedProcesses = dynamic([
    "chrome.exe", "firefox.exe", "msedge.exe", "MicrosoftEdge.exe", "iexplore.exe",
    "teams.exe", "outlook.exe", "slack.exe", "zoom.exe", "OneDrive.exe",
    "svchost.exe", "MsMpEng.exe", "SecurityHealthService.exe", "SenseIR.exe",
    "SearchIndexer.exe", "WerFault.exe", "wuauclt.exe", "msiexec.exe",
    "spoolsv.exe", "lsass.exe", "services.exe", "smss.exe"
]);
let ExfiltrationTools = dynamic([
    "curl.exe", "certutil.exe", "bitsadmin.exe", "ftp.exe", "tftp.exe",
    "rclone.exe", "wget.exe", "nc.exe", "ncat.exe", "robocopy.exe"
]);
// Beaconing pattern: >= 5 connections to same external IP with regular interval
let BeaconingAlerts = DeviceNetworkEvents
| where Timestamp > ago(24h)
// Only Internet-routable destinations; private, loopback and reserved ranges are excluded here
| where RemoteIPType == "Public"
| where InitiatingProcessFileName !in~ (ExcludedProcesses)
| summarize
    ConnectionCount = count(),
    EarliestConnection = min(Timestamp),
    LatestConnection = max(Timestamp),
    BytesSent = sum(SentBytes),
    BytesReceived = sum(ReceivedBytes),
    Ports = make_set(RemotePort, 10)
  by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
     InitiatingProcessAccountName, RemoteIP
| where ConnectionCount >= 5
| extend TimeSpanMinutes = datetime_diff('minute', LatestConnection, EarliestConnection)
| where TimeSpanMinutes >= 20
// Mean spacing between consecutive connections (span / number of gaps)
| extend AvgIntervalMinutes = toreal(TimeSpanMinutes) / toreal(ConnectionCount - 1)
| where AvgIntervalMinutes between (1.0 .. 120.0)
| extend DetectionType = "Beaconing"
| extend IsHighConfidenceBeacon = (ConnectionCount >= 8 and AvgIntervalMinutes between (5.0 .. 30.0))
| project Timestamp = LatestConnection, DeviceName,
          AccountName = InitiatingProcessAccountName,
          ProcessName = InitiatingProcessFileName,
          CommandLine = InitiatingProcessCommandLine,
          RemoteIP, Ports, ConnectionCount,
          AvgIntervalMinutes, BytesSent, BytesReceived,
          DetectionType, IsHighConfidenceBeacon;
// Part 2: Scheduled task host processes spawning data transfer tools
let ScheduledTaskExfil = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("taskeng.exe", "taskhostw.exe", "schtasks.exe")
      or (InitiatingProcessFileName =~ "svchost.exe"
          and InitiatingProcessCommandLine has_any ("-k netsvcs", "Schedule"))
| where FileName in~ (ExfiltrationTools)
      or (FileName in~ ("powershell.exe", "pwsh.exe")
          and ProcessCommandLine has_any (
            "Invoke-WebRequest", "WebClient", "UploadFile", "UploadData",
            "FtpWebRequest", "curl", "wget", "SendAsync", "HttpClient"
          ))
      or (FileName =~ "cmd.exe"
          and ProcessCommandLine has_any ("curl", "ftp", "certutil", "bitsadmin"))
| extend DetectionType = "ScheduledTaskExfil"
| extend IsHighConfidenceBeacon = false
// Column names and types must match BeaconingAlerts so the union below succeeds
| project Timestamp, DeviceName, AccountName,
          ProcessName = FileName, CommandLine = ProcessCommandLine,
          RemoteIP = "", Ports = dynamic([]), ConnectionCount = 1,
          AvgIntervalMinutes = toreal(0), BytesSent = long(0), BytesReceived = long(0),
          DetectionType, IsHighConfidenceBeacon;
union BeaconingAlerts, ScheduledTaskExfil
| sort by Timestamp desc
```

Severity: High · Confidence: Medium

Detects T1029 Scheduled Transfer via two complementary methods. First, it identifies non-browser, non-system processes making 5 or more connections to the same public IP with an average spacing of 1–120 minutes across a window of at least 20 minutes; this shape is characteristic of C2 beacons and scheduled exfiltration loops. Note that the query derives the interval from the overall span divided by the number of gaps, so it measures average spacing rather than regularity: a burst of five connections spread unevenly over 20 minutes satisfies the same thresholds as five evenly spaced ones, and destinations classified as Private or Loopback by RemoteIPType are never considered. Second, it detects scheduled task host processes (taskeng.exe, taskhostw.exe, or svchost.exe hosting the Schedule service) spawning known data transfer utilities (curl, certutil, bitsadmin, ftp, rclone) or PowerShell with upload/download methods on its command line. The IsHighConfidenceBeacon flag marks groups with 8 or more connections at 5–30 minute average intervals as higher-priority alerts; it is always false for the scheduled-task branch.
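Because the rule above only checks average spacing, a hunting query that measures the spread of the inter-arrival gaps separates a true fixed-sleep beacon from bursty traffic with the same count and span. The following KQL is an added example and not part of the page's rule; it assumes the same Microsoft Defender for Endpoint DeviceNetworkEvents schema, and the interval bounds (60–7200 seconds) and the 0.2 jitter threshold are illustrative values to tune per environment.

```kusto
// Added example (not the page's rule): inter-arrival jitter for beacon candidates.
// Assumes the Microsoft Defender for Endpoint DeviceNetworkEvents schema used by the main query.
// The 60..7200 second interval bounds and the 0.2 jitter threshold are illustrative assumptions.
let ExcludedProcesses = dynamic([
    "chrome.exe", "firefox.exe", "msedge.exe", "teams.exe", "outlook.exe",
    "OneDrive.exe", "svchost.exe", "MsMpEng.exe", "SenseIR.exe"
]);
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteIPType == "Public"
| where InitiatingProcessFileName !in~ (ExcludedProcesses)
// One key per (device, process, destination): the same grouping the main query uses
| extend Key = strcat(DeviceName, "|", InitiatingProcessFileName, "|", RemoteIP)
| project Timestamp, Key, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP
// sort serializes the rows so prev() can read the preceding connection
| sort by Key asc, Timestamp asc
| extend PrevKey = prev(Key), PrevTimestamp = prev(Timestamp)
// Keep only rows whose predecessor belongs to the same key; each surviving row is one gap
| where Key == PrevKey
| extend IntervalSec = datetime_diff('second', Timestamp, PrevTimestamp)
| summarize
    ConnectionCount = count() + 1,          // gaps + 1 = connections in the group
    MeanIntervalSec = avg(IntervalSec),
    StdevIntervalSec = stdev(IntervalSec),
    MinIntervalSec = min(IntervalSec),
    MaxIntervalSec = max(IntervalSec),
    FirstSeen = min(PrevTimestamp),
    LastSeen = max(Timestamp),
    CommandLine = take_any(InitiatingProcessCommandLine)
  by DeviceName, InitiatingProcessFileName, RemoteIP
| where ConnectionCount >= 5
// Coefficient of variation: close to 0 for a fixed sleep, rising as sleep jitter grows
| extend JitterRatio = iff(MeanIntervalSec > 0, StdevIntervalSec / MeanIntervalSec, real(null))
| where MeanIntervalSec between (60.0 .. 7200.0)
| where JitterRatio < 0.2
| project FirstSeen, LastSeen, DeviceName, InitiatingProcessFileName, CommandLine, RemoteIP,
          ConnectionCount, MeanIntervalSec, StdevIntervalSec, MinIntervalSec, MaxIntervalSec, JitterRatio
| sort by JitterRatio asc, ConnectionCount desc
```

A fixed-sleep implant such as ADVSTORESHELL's 10-minute loop yields a JitterRatio near zero, while a Cobalt Strike Beacon configured with a large sleep jitter pushes the ratio up and can fall outside the 0.2 cut-off; when hunting for jittered beacons, relax the threshold and look at MinIntervalSec and MaxIntervalSec together, since a randomized sleep is still bounded above by the configured sleep time.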

Data Sources

  • Network Traffic: Network Connection Creation
  • Process: Process Creation
  • Scheduled Job: Scheduled Job Creation
  • Microsoft Defender for Endpoint

Required Tables

  • DeviceNetworkEvents
  • DeviceProcessEvents

False Positives & Tuning

  • Monitoring agents (Datadog, SolarWinds, New Relic, PRTG) that make periodic health checks or metric uploads to cloud endpoints at fixed intervals
  • Backup software (Veeam, Acronis, Backup Exec) with scheduled upload tasks that invoke transfer utilities from svchost or task context
  • Software update services (WSUS clients, antivirus definition updates, patching tools) that poll external servers at regular intervals
  • Legitimate IT automation scripts (Ansible, Chef, Puppet) invoked by the Task Scheduler for periodic configuration synchronisation
  • Cloud sync clients (Dropbox, Box, Google Drive daemon processes) making regular upload connections that are not yet excluded by the process allowlist

Testing Methodology

Validate this detection against the four Atomic Red Team style test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see. All four tests target 127.0.0.1, which RemoteIPType classifies as Loopback rather than Public, so the beaconing branch (Part 1) will not fire on them as written; to exercise Part 1, point the simulated beacon at a public IP you control, or temporarily relax the RemoteIPType filter in a lab workspace.

  1. Test 1: Windows — Scheduled Task Periodic HTTP Transfer (PowerShell)

    Expected signal: Sysmon Event ID 1: Process Create for schtasks.exe with CommandLine containing '/create /sc MINUTE /mo 5'. Windows Security Event ID 4698 (A scheduled task was created) in the Security event log. When the task fires: Sysmon Event ID 1 for the Task Scheduler host spawning powershell.exe with '-WindowStyle Hidden'; depending on the Windows version the parent is taskhostw.exe or svchost.exe running the Schedule service, both of which Part 2 of the query matches, provided the PowerShell command line contains one of the listed upload/download keywords such as Invoke-WebRequest. Sysmon Event ID 3 for the network connection attempt to 127.0.0.1:8080.

  2. Test 2: Windows — Simulated Beacon Loop with Fixed Sleep Interval

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with the loop command. Sysmon Event ID 3: Three network connection events to 127.0.0.1:9999 spaced approximately 120 seconds apart, all with the same InitiatingProcessId. Note that three connections over four minutes fall below the query's thresholds (ConnectionCount >= 5 and a span of at least 20 minutes), and the loopback destination is excluded by the RemoteIPType filter; to trigger the beaconing branch, run the loop for at least five iterations with a sleep long enough to span 20 minutes (for example five connections 5 minutes apart) against a public IP you control. That run aggregates to ConnectionCount=5 with AvgIntervalMinutes = 5.0.

  3. Test 3: Linux — Cron-Based Periodic Exfiltration Simulation

    Expected signal: Auditd event (if configured with -w /var/spool/cron/crontabs -p wa): SYSCALL write to the crontab file. Cron daemon syslog entry (/var/log/syslog or /var/log/cron): 'CRON[<pid>]: (<user>) CMD (curl -s -X POST...)' every 5 minutes. Syslog or auditd execve events for curl spawned by the cron daemon (PPID = crond). Network connection from curl to 127.0.0.1:8080. Part 2 of the query matches only Windows Task Scheduler parents, so cron-spawned transfers are seen solely by the beaconing branch, which requires Defender for Endpoint on the Linux host and a public destination; to cover cron explicitly, add cron and crond to the InitiatingProcessFileName list in Part 2.

  4. Test 4: Windows — BITS Job Scheduled Data Exfiltration Simulation

    Expected signal: Sysmon Event ID 1: Process Create for bitsadmin.exe with /create, /addfile, /resume subcommands. Sysmon Event ID 3: Network connection from svchost.exe (BITS service) to 127.0.0.1:8080 when the job attempts execution. Microsoft-Windows-Bits-Client/Operational event log: Event ID 3 (job created), 59 (job started), 61 (job error on failed connection). Security Event ID 4688 for bitsadmin.exe if command line auditing is enabled. Because svchost.exe is on the ExcludedProcesses list, the BITS transfer itself is invisible to the beaconing branch; this query flags the simulation only when bitsadmin.exe is launched from Task Scheduler context and so matches Part 2.
