Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-CloudCLI-ScheduledExfil.

Upgrade to Pro
THREAT-CloudCLI-ScheduledExfil

Scheduled Transfer — Scheduled Transfer via Cloud Sync/Backup CLI Tools

Exfiltration Last updated:

Adversaries increasingly implement Scheduled Transfer (T1029) not with custom malware beacon loops but by abusing legitimate, already-installed cloud sync and backup command-line tools — rclone, restic, aws-cli (s3 sync/cp), azcopy, and gsutil — invoked on a fixed interval via cron, systemd timers, or Windows Task Scheduler. This approach blends with routine backup/sync traffic, uses signed and expected binaries, and often targets attacker-controlled cloud storage (a non-corporate S3 bucket, a personal rclone remote, a throwaway Backblaze/Azure account) rather than a custom C2 server, evading network-signature and IP-reputation detections. This pattern has been widely observed in ransomware pre-encryption exfiltration (rclone is the single most frequently recovered exfiltration tool across ransomware IR engagements) and in insider-driven bulk data theft where a scheduled job is created to stage and ship data outside normal working hours. This detection complements the existing T1029 coverage (which focuses on raw network beaconing and generic scheduled-task-spawns-transfer-tool patterns) by specifically fingerprinting cloud-storage CLI syntax, non-corporate destination indicators, and the scheduler-persistence mechanism used to make the transfer recurring.

What is THREAT-CloudCLI-ScheduledExfil Scheduled Transfer via Cloud Sync/Backup CLI Tools?

Scheduled Transfer via Cloud Sync/Backup CLI Tools (THREAT-CloudCLI-ScheduledExfil) is a sub-technique of Scheduled Transfer (T1029) in the MITRE ATT&CK framework. It maps to the Exfiltration tactic — the adversary is trying to steal data.

This page provides production-ready detection logic for Scheduled Transfer via Cloud Sync/Backup CLI Tools, covering the data sources and telemetry it touches: Process: Process Creation, Scheduled Job: Scheduled Job Creation, Command: Command Execution, Microsoft Defender for Endpoint. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Exfiltration
Microsoft Sentinel / Defender
kusto
// THREAT: Scheduled Transfer via Cloud Sync/Backup CLI Tools (T1029)
// Alert 1: Cloud sync/backup CLI tools launched by a scheduler parent process
let CloudCliTools = dynamic(["rclone.exe", "restic.exe", "aws.exe", "azcopy.exe", "gsutil.exe", "gsutil.cmd", "mc.exe"]);
let SchedulerParents = dynamic(["taskeng.exe", "taskhostw.exe", "svchost.exe", "schtasks.exe"]);
let SchedulerLaunches = DeviceProcessEvents
| where Timestamp > ago(14d)
| where FileName in~ (CloudCliTools)
| where InitiatingProcessFileName in~ (SchedulerParents)
| extend UploadVerb = ProcessCommandLine has_any ("sync", "copy", "cp ", "put", "push", "backup", "mb ")
| extend NonCorpDestination = ProcessCommandLine has_any (
    "rclone.conf", "personal", "backup-personal"
  ) or ProcessCommandLine matches regex @"s3://(?!corp-|df00tech-|company-)"
| extend DetectionType = "SchedulerLaunchedCloudCLI"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         UploadVerb, NonCorpDestination, DetectionType;
// Alert 2: Same cloud CLI tool invoked repeatedly (>= 3 times) with upload verbs across a multi-day window — the recurring-schedule signature
let RecurringUploads = DeviceProcessEvents
| where Timestamp > ago(14d)
| where FileName in~ (CloudCliTools)
| where ProcessCommandLine has_any ("sync", "copy", "cp ", "put", "push")
| summarize
    RunCount = count(),
    FirstRun = min(Timestamp),
    LastRun = max(Timestamp),
    ActiveDays = dcount(bin(Timestamp, 1d)),
    SampleCommandLine = any(ProcessCommandLine)
  by DeviceName, AccountName, FileName
| where RunCount >= 3 and ActiveDays >= 2
| extend AvgIntervalHours = round(datetime_diff('hour', LastRun, FirstRun) * 1.0 / (RunCount - 1), 1)
| extend DetectionType = "RecurringCloudCLIUpload"
| project Timestamp = LastRun, DeviceName, AccountName, FileName,
         ProcessCommandLine = SampleCommandLine, RunCount, ActiveDays, AvgIntervalHours, DetectionType;
union SchedulerLaunches, RecurringUploads
| sort by Timestamp desc

Detects T1029 implemented through legitimate cloud CLI tooling on a schedule. Alert 1 flags rclone/restic/aws-cli/azcopy/gsutil/mc launched with a Task Scheduler or service-host parent process, distinguishing an interactively-run backup from one triggered on a timer. Alert 2 flags the same binary invoked 3+ times with upload verbs (sync/copy/cp/put/push) across 2 or more distinct days — the behavioural signature of a recurring scheduled job — independent of whether the launching parent is captured. Both alerts surface the destination command line for manual review since the tools themselves are dual-use.

high severity medium confidence

Data Sources

Process: Process Creation Scheduled Job: Scheduled Job Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

  • Approved backup software using rclone or restic as its underlying transfer engine, scheduled via Task Scheduler as part of a sanctioned nightly backup job to corporate cloud storage
  • IT/DevOps automation that runs aws s3 sync or azcopy on a timer to push build artifacts or logs to an approved corporate bucket/container
  • Data engineering pipelines that schedule gsutil or aws-cli transfers between internal systems and an approved analytics data lake
  • Managed service provider (MSP) tooling that uses rclone under the hood for multi-tenant customer backup rotation

Sigma rule & cross-platform mapping

The detection logic for Scheduled Transfer via Cloud Sync/Backup CLI Tools (THREAT-CloudCLI-ScheduledExfil) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Windows — Scheduled Task Running rclone Sync to External Remote

    Expected signal: Windows Security Event ID 4698 (scheduled task created) for task name 'CloudBackupSync'. Sysmon Event ID 1 for schtasks.exe process creation with '/create /sc MINUTE /mo 30' in the command line. When the task fires: Sysmon Event ID 1 for taskhostw.exe spawning cmd.exe spawning rclone.exe with 'sync' in the command line.

  2. Test 2Windows — Recurring aws s3 sync Invocations Simulating a Scheduled Exfiltration Job

    Expected signal: Sysmon Event ID 1: three Process Create events for aws.exe with 's3', 'sync', and '--endpoint-url' in the command line, spaced a few seconds apart (compressed for testing; production pattern spans days). Sysmon Event ID 3: connection attempts to 127.0.0.1:9999.

  3. Test 3Linux — Systemd Timer Triggering Scheduled restic Backup to External Repository

    Expected signal: Auditd or Sysmon-for-Linux: file write events for /etc/systemd/system/restic-sync-test.service and .timer. Process execution events for systemctl with 'daemon-reload' and 'enable --now'. When the timer fires: execve event for restic with 'backup' argument, PPID belonging to systemd.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-CloudCLI-ScheduledExfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections