Detect Scheduled Transfer in Sumo Logic CSE
Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This is commonly observed in malware configured to beacon or exfiltrate at fixed intervals (e.g., every 10 minutes, every 8 hours) or only during business hours to blend with normal traffic. Scheduled transfer almost always combines with another exfiltration technique such as Exfiltration Over C2 Channel (T1041) or Exfiltration Over Alternative Protocol (T1048). Real-world examples include ComRAT sleeping outside 9-to-5 Monday–Friday, LightNeuron configuring nighttime-only exfiltration windows, ADVSTORESHELL compressing and exfiltrating every 10 minutes, and Cobalt Strike Beacon using randomized sleep intervals to resist frequency-based detection.
MITRE ATT&CK
- Tactic
- Exfiltration
- Technique
- T1029 Scheduled Transfer
- Canonical reference
- https://attack.mitre.org/techniques/T1029/
Sumo Detection Query
// Part 1: Beaconing pattern detection (Sysmon Event ID 3)
(_sourceCategory=windows/sysmon OR _sourceCategory=*sysmon* OR _sourceCategory=endpoint*)
| where EventCode = "3"
| where !matches(Image, /(?i)(chrome|firefox|msedge|MicrosoftEdge|iexplore|teams|outlook|slack|zoom|OneDrive|svchost|MsMpEng|SecurityHealthService|SearchIndexer|WerFault|spoolsv|lsass|services|smss)\.exe$/)
| where !matches(DestinationIp, /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|169\.254\.)/)
| count as ConnectionCount, min(_messageTime) as EarliestMs, max(_messageTime) as LatestMs by _sourceHost, Image, CommandLine, User, DestinationIp, DestinationPort
| where ConnectionCount >= 5
| (LatestMs - EarliestMs) / 60000 as TimeSpanMinutes
| where TimeSpanMinutes >= 20
| TimeSpanMinutes / (ConnectionCount - 1) as AvgIntervalMinutes
| where AvgIntervalMinutes >= 1 and AvgIntervalMinutes <= 120
| if(ConnectionCount >= 8 and AvgIntervalMinutes >= 5 and AvgIntervalMinutes <= 30, "true", "false") as IsHighConfidenceBeacon
| "Beaconing" as DetectionType
| fields _sourceHost, User, Image, CommandLine, DestinationIp, DestinationPort, ConnectionCount, AvgIntervalMinutes, TimeSpanMinutes, IsHighConfidenceBeacon, DetectionType
| sort by ConnectionCount desc
// Part 2: Scheduled task spawning data transfer tools (Sysmon Event ID 1) — run as separate search
(_sourceCategory=windows/sysmon OR _sourceCategory=*sysmon* OR _sourceCategory=endpoint*)
| where EventCode = "1"
| where matches(ParentImage, /(?i)(taskeng|taskhostw|schtasks)\.exe$/) or
(matches(ParentImage, /(?i)svchost\.exe$/) and matches(ParentCommandLine, /Schedule/))
| where matches(Image, /(?i)(curl|certutil|bitsadmin|ftp|tftp|rclone|nc|ncat|robocopy)\.exe$/) or
(matches(Image, /(?i)(powershell|pwsh)\.exe$/) and
matches(CommandLine, /(?i)(Invoke-WebRequest|WebClient|UploadFile|UploadData|FtpWebRequest|HttpClient|SendAsync)/)) or
(matches(Image, /(?i)cmd\.exe$/) and
matches(CommandLine, /(?i)(curl|certutil|bitsadmin| ftp )/))
| "ScheduledTaskExfil" as DetectionType
| "false" as IsHighConfidenceBeacon
| 0 as AvgIntervalMinutes
| 1 as ConnectionCount
| fields _sourceHost, User, Image, CommandLine, ParentImage, ParentCommandLine, ConnectionCount, AvgIntervalMinutes, IsHighConfidenceBeacon, DetectionTypeTwo Sumo Logic searches for T1029 Scheduled Transfer. Part 1 aggregates Sysmon Event ID 3 network connections grouped by host/process/destination IP to compute connection frequency and average interval — fires when 5+ connections exist to the same external IP with intervals between 1 and 120 minutes across a 20+ minute window. IsHighConfidenceBeacon=true when 8+ connections with 5–30 minute intervals. Part 2 matches Sysmon Event ID 1 where task scheduler parents spawn known exfil tools or PowerShell/cmd with data transfer keywords. Run both as scheduled searches or combine via a Sumo Logic Scheduled View.
Data Sources
Required Tables
False Positives & Tuning
- Endpoint security platforms (CrowdStrike Falcon sensor, Carbon Black, Cylance) making periodic telemetry connections to cloud management infrastructure — their process names usually differ from standard browser/OS exclusions and will appear in beaconing results
- Power BI or Tableau Desktop scheduled data refresh tasks fetching data from external APIs via PowerShell WebClient or custom scripts at configured refresh intervals
- Automated testing harnesses or CI agents (Jenkins agent, GitLab Runner) executed by Task Scheduler using curl.exe to poll build servers — high ConnectionCount with consistent AvgIntervalMinutes
Other platforms for T1029
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Windows — Scheduled Task Periodic HTTP Transfer (PowerShell)
Expected signal: Sysmon Event ID 1: Process Create for schtasks.exe with CommandLine containing '/create /sc MINUTE /mo 5'. Windows Security Event ID 4698 (A scheduled task was created) in the Security event log. When the task fires: Sysmon Event ID 1 for taskhostw.exe spawning powershell.exe with '-WindowStyle Hidden'. Sysmon Event ID 3 for the network connection attempt to 127.0.0.1:8080.
- Test 2Windows — Simulated Beacon Loop with Fixed Sleep Interval
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with the loop command. Sysmon Event ID 3: Three network connection events to 127.0.0.1:9999 spaced approximately 120 seconds apart, all with the same InitiatingProcessId. The beaconing detection aggregates these into ConnectionCount=3 with AvgIntervalMinutes ≈ 2.0.
- Test 3Linux — Cron-Based Periodic Exfiltration Simulation
Expected signal: Auditd event (if configured with -w /var/spool/cron/crontabs -p wa): SYSCALL write to the crontab file. Cron daemon syslog entry (/var/log/syslog or /var/log/cron): 'CRON[<pid>]: (<user>) CMD (curl -s -X POST...)' every 5 minutes. Syslog or auditd execve events for curl spawned by cron daemon (PPID = crond). Network connection from curl to 127.0.0.1:8080.
- Test 4Windows — BITS Job Scheduled Data Exfiltration Simulation
Expected signal: Sysmon Event ID 1: Process Create for bitsadmin.exe with /create, /addfile, /resume subcommands. Sysmon Event ID 3: Network connection from svchost.exe (BITS service) to 127.0.0.1:8080 when the job attempts execution. Windows Application Event Log: Microsoft-Windows-Bits-Client/Operational — Event ID 3 (job created), 59 (job started), 61 (job error on failed connection). Security Event ID 4688 for bitsadmin.exe if command line auditing is enabled.
References (10)
- https://attack.mitre.org/techniques/T1029/
- https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf
- https://www.welivesecurity.com/2020/05/26/operation-lagtime-it-backdoors-government-networks-eastern-asia/
- https://securelist.com/shadowpad-in-corporate-networks/81432/
- https://cobaltstrike.com/help-beacon
- https://learn.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1029/T1029.md
- https://www.mandiant.com/resources/blog/identifying-cobalt-strike-team-servers-in-the-wild
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Unlock Pro Content
Get the full detection package for T1029 including response playbook, investigation guide, and atomic red team tests.