Detect Scheduled Transfer in Splunk
Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This is commonly observed in malware configured to beacon or exfiltrate at fixed intervals (e.g., every 10 minutes, every 8 hours) or only during business hours to blend with normal traffic. Scheduled transfer almost always combines with another exfiltration technique such as Exfiltration Over C2 Channel (T1041) or Exfiltration Over Alternative Protocol (T1048). Real-world examples include ComRAT sleeping outside 9-to-5 Monday–Friday, LightNeuron configuring nighttime-only exfiltration windows, ADVSTORESHELL compressing and exfiltrating every 10 minutes, and Cobalt Strike Beacon using randomized sleep intervals to resist frequency-based detection.
MITRE ATT&CK
- Tactic: Exfiltration
- Technique: T1029 Scheduled Transfer
- Canonical reference: https://attack.mitre.org/techniques/T1029/
SPL Detection Query
| union
[
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
NOT (Image="*\\chrome.exe" OR Image="*\\firefox.exe" OR Image="*\\msedge.exe"
OR Image="*\\MicrosoftEdge.exe" OR Image="*\\iexplore.exe" OR Image="*\\teams.exe"
OR Image="*\\outlook.exe" OR Image="*\\slack.exe" OR Image="*\\zoom.exe"
OR Image="*\\OneDrive.exe" OR Image="*\\svchost.exe" OR Image="*\\MsMpEng.exe"
OR Image="*\\SearchIndexer.exe" OR Image="*\\WerFault.exe" OR Image="*\\spoolsv.exe")
NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*"
OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*"
OR DestinationIp="172.21.*" OR DestinationIp="172.22.*" OR DestinationIp="172.23.*"
OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*"
OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*"
OR DestinationIp="172.30.*" OR DestinationIp="172.31.*"
OR DestinationIp="192.168.*" OR DestinationIp="127.*" OR DestinationIp="169.254.*")
| stats count as ConnectionCount, min(_time) as EarliestConn, max(_time) as LatestConn,
values(DestinationIp) as RemoteIPs, values(DestinationPort) as RemotePorts
by host, Image, CommandLine, User, DestinationIp
| where ConnectionCount >= 5
| eval TimeSpanMinutes=round((LatestConn - EarliestConn) / 60, 2)
| where TimeSpanMinutes >= 20
| eval AvgIntervalMinutes=round(TimeSpanMinutes / (ConnectionCount - 1), 2)
| where AvgIntervalMinutes >= 1 AND AvgIntervalMinutes <= 120
| eval IsHighConfidenceBeacon=if(ConnectionCount >= 8 AND AvgIntervalMinutes >= 5 AND AvgIntervalMinutes <= 30, "true", "false")
| eval DetectionType="Beaconing"
| eval EarliestConn=strftime(EarliestConn, "%Y-%m-%d %H:%M:%S")
| eval LatestConn=strftime(LatestConn, "%Y-%m-%d %H:%M:%S")
| table host, User, Image, CommandLine, DestinationIp, RemotePorts,
ConnectionCount, AvgIntervalMinutes, TimeSpanMinutes,
EarliestConn, LatestConn, IsHighConfidenceBeacon, DetectionType
]
[
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(ParentImage="*\\taskeng.exe" OR ParentImage="*\\taskhostw.exe" OR ParentImage="*\\schtasks.exe"
OR (ParentImage="*\\svchost.exe" AND ParentCommandLine="*Schedule*"))
(Image="*\\curl.exe" OR Image="*\\certutil.exe" OR Image="*\\bitsadmin.exe"
OR Image="*\\ftp.exe" OR Image="*\\tftp.exe" OR Image="*\\rclone.exe"
OR Image="*\\nc.exe" OR Image="*\\ncat.exe" OR Image="*\\robocopy.exe"
OR ((Image="*\\powershell.exe" OR Image="*\\pwsh.exe")
AND (CommandLine="*Invoke-WebRequest*" OR CommandLine="*WebClient*"
OR CommandLine="*UploadFile*" OR CommandLine="*UploadData*"
OR CommandLine="*FtpWebRequest*" OR CommandLine="*HttpClient*"))
OR (Image="*\\cmd.exe"
AND (CommandLine="*curl*" OR CommandLine="*certutil*"
OR CommandLine="*bitsadmin*" OR CommandLine="*ftp *")))
| eval DetectionType="ScheduledTaskExfil"
| eval IsHighConfidenceBeacon="false"
| eval AvgIntervalMinutes=0, ConnectionCount=1
| table host, User, Image, CommandLine, ParentImage, ParentCommandLine,
ConnectionCount, AvgIntervalMinutes, IsHighConfidenceBeacon, DetectionType
]
| sort - ConnectionCount

Detects T1029 Scheduled Transfer via two complementary SPL searches combined with union. The first branch uses Sysmon Event ID 3 (Network Connection) to identify non-browser processes making 5 or more connections to the same external IP at regular intervals (1–120 minute average interval). The AvgIntervalMinutes field is the observed time span divided by the number of intervals between connections (ConnectionCount - 1). The IsHighConfidenceBeacon flag is set when 8 or more connections occur at a 5–30 minute average interval. The second branch uses Sysmon Event ID 1 (Process Create) to find known data transfer utilities (curl, certutil, bitsadmin, ftp, rclone, PowerShell upload methods) spawned by Task Scheduler host processes.
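As an added example (not part of this detection page or the SPL above), the following Python replays the first branch's stats/eval/where arithmetic over constructed Sysmon Event ID 3 records, so the ConnectionCount, TimeSpanMinutes, AvgIntervalMinutes and IsHighConfidenceBeacon values can be checked before the search is deployed. It assumes the search-time exclusions (browser images, RFC1918 and loopback destinations) have already been applied, and it goes one step beyond the SPL by reporting the relative spread of the gaps, which separates a fixed sleep from the randomized sleep the page attributes to Cobalt Strike Beacon.

```python
from collections import defaultdict
from statistics import pstdev

def beacon_events(host, image, ip, port, start, count, interval, jitter=0):
    """Constructed Sysmon Event ID 3 records: `count` connections `interval`
    seconds apart; odd/even rows are shifted +/- `jitter` to mimic a jittered sleep."""
    return [{"host": host, "Image": image, "User": "CORP\\svc", "CommandLine": image,
             "DestinationIp": ip, "DestinationPort": port,
             "_time": start + i * interval + (jitter if i % 2 else -jitter)}
            for i in range(count)]

# Constructed sample: a jittered 10-minute beacon (8 hits) and the 3-hit, 2-minute
# loop from Test 2 (sent to a non-loopback IP so the exclusion filters stay out of scope).
SAMPLE = (beacon_events("WS01", r"C:\Users\Public\upd.exe", "203.0.113.7", 443,
                        1700000000, 8, 600, jitter=90)
          + beacon_events("WS02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                          "198.51.100.5", 9999, 1700000000, 3, 120))

def aggregate(events):
    """Mirror of the SPL stats/eval chain: one row per host, Image, DestinationIp."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["host"], e["Image"], e["DestinationIp"])].append(e["_time"])
    rows = []
    for (host, image, ip), times in groups.items():
        times.sort()
        n = len(times)
        span_min = round((times[-1] - times[0]) / 60, 2)
        avg_min = round(span_min / (n - 1), 2) if n > 1 else 0.0  # n - 1 intervals
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Not in the SPL: spread of the gaps relative to their mean. A fixed sleep gives
        # ~0; a randomized sleep raises it while the average interval barely moves.
        jitter_ratio = round(pstdev(gaps) / (sum(gaps) / len(gaps)), 3) if len(gaps) > 1 else 0.0
        rows.append({"host": host, "Image": image, "DestinationIp": ip,
                     "ConnectionCount": n, "TimeSpanMinutes": span_min,
                     "AvgIntervalMinutes": avg_min, "IntervalJitterRatio": jitter_ratio,
                     "IsHighConfidenceBeacon": "true" if n >= 8 and 5 <= avg_min <= 30 else "false",
                     "DetectionType": "Beaconing"})
    return rows

def passes_filter(row):
    """The three `where` stages of the SPL, applied in the same order."""
    return (row["ConnectionCount"] >= 5 and row["TimeSpanMinutes"] >= 20
            and 1 <= row["AvgIntervalMinutes"] <= 120)

if __name__ == "__main__":
    for row in sorted(aggregate(SAMPLE), key=lambda r: -r["ConnectionCount"]):
        print(passes_filter(row), row)
```

The 3-connection case is aggregated exactly as Test 2 describes (ConnectionCount=3, AvgIntervalMinutes=2.0) but is dropped by the ConnectionCount >= 5 and TimeSpanMinutes >= 20 stages, which is worth knowing when a short validation run produces no alert.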
Data Sources
Required Sourcetypes
False Positives & Tuning
- Monitoring agents (Datadog, SolarWinds, New Relic, PRTG) making periodic health check calls to external SaaS endpoints at fixed intervals
- Backup and sync software with scheduled upload tasks that spawn curl or robocopy from Task Scheduler context
- Software update mechanisms (antivirus DAT updates, WSUS client polls) making periodic external connections
- Legitimate automation scripts scheduled via Task Scheduler that use PowerShell WebClient or curl for approved data uploads
- Cloud sync clients running as scheduled tasks that make regular connections to provider endpoints
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Windows — Scheduled Task Periodic HTTP Transfer (PowerShell)
Expected signal: Sysmon Event ID 1: Process Create for schtasks.exe with CommandLine containing '/create /sc MINUTE /mo 5'. Windows Security Event ID 4698 (A scheduled task was created) in the Security event log. When the task fires: Sysmon Event ID 1 for taskhostw.exe spawning powershell.exe with '-WindowStyle Hidden'. Sysmon Event ID 3 for the network connection attempt to 127.0.0.1:8080.
- Test 2: Windows — Simulated Beacon Loop with Fixed Sleep Interval
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with the loop command. Sysmon Event ID 3: Three network connection events to 127.0.0.1:9999 spaced approximately 120 seconds apart, all with the same InitiatingProcessId. The beaconing detection aggregates these into ConnectionCount=3 with AvgIntervalMinutes ≈ 2.0.
- Test 3: Linux — Cron-Based Periodic Exfiltration Simulation
Expected signal: Auditd event (if configured with -w /var/spool/cron/crontabs -p wa): SYSCALL write to the crontab file. Cron daemon syslog entry (/var/log/syslog or /var/log/cron): 'CRON[<pid>]: (<user>) CMD (curl -s -X POST...)' every 5 minutes. Syslog or auditd execve events for curl spawned by cron daemon (PPID = crond). Network connection from curl to 127.0.0.1:8080.
- Test 4: Windows — BITS Job Scheduled Data Exfiltration Simulation
Expected signal: Sysmon Event ID 1: Process Create for bitsadmin.exe with /create, /addfile, /resume subcommands. Sysmon Event ID 3: Network connection from svchost.exe (BITS service) to 127.0.0.1:8080 when the job attempts execution. Windows Application Event Log: Microsoft-Windows-Bits-Client/Operational — Event ID 3 (job created), 59 (job started), 61 (job error on failed connection). Security Event ID 4688 for bitsadmin.exe if command line auditing is enabled.
References (10)
- https://attack.mitre.org/techniques/T1029/
- https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf
- https://www.welivesecurity.com/2020/05/26/operation-lagtime-it-backdoors-government-networks-eastern-asia/
- https://securelist.com/shadowpad-in-corporate-networks/81432/
- https://cobaltstrike.com/help-beacon
- https://learn.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1029/T1029.md
- https://www.mandiant.com/resources/blog/identifying-cobalt-strike-team-servers-in-the-wild
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon