Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-CloudCLI-ScheduledExfil.

Upgrade to Pro
THREAT-CloudCLI-ScheduledExfil IBM QRadar · QRadar

Detect Scheduled Transfer via Cloud Sync/Backup CLI Tools in IBM QRadar

Adversaries increasingly implement Scheduled Transfer (T1029) not with custom malware beacon loops but by abusing legitimate, already-installed cloud sync and backup command-line tools — rclone, restic, aws-cli (s3 sync/cp), azcopy, and gsutil — invoked on a fixed interval via cron, systemd timers, or Windows Task Scheduler. This approach blends with routine backup/sync traffic, uses signed and expected binaries, and often targets attacker-controlled cloud storage (a non-corporate S3 bucket, a personal rclone remote, a throwaway Backblaze/Azure account) rather than a custom C2 server, evading network-signature and IP-reputation detections. This pattern has been widely observed in ransomware pre-encryption exfiltration (rclone is the single most frequently recovered exfiltration tool across ransomware IR engagements) and in insider-driven bulk data theft where a scheduled job is created to stage and ship data outside normal working hours. This detection complements the existing T1029 coverage (which focuses on raw network beaconing and generic scheduled-task-spawns-transfer-tool patterns) by specifically fingerprinting cloud-storage CLI syntax, non-corporate destination indicators, and the scheduler-persistence mechanism used to make the transfer recurring.

MITRE ATT&CK

Tactic
Exfiltration

QRadar Detection Query

IBM QRadar (QRadar)
sql
-- Alert 1: Cloud CLI tool launched by a scheduler parent process
SELECT
  sourceip AS HostIP,
  username AS AccountName,
  "Process Name" AS ProcessName,
  "Command Line" AS CommandLine,
  "Parent Process Name" AS ParentProcess,
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
  AND eventid = 1
  AND "Process Name" ILIKE ANY ('%\\rclone.exe', '%\\restic.exe', '%\\aws.exe', '%\\azcopy.exe', '%\\gsutil.exe', '%\\mc.exe')
  AND "Parent Process Name" ILIKE ANY ('%\\taskeng.exe', '%\\taskhostw.exe', '%\\svchost.exe', '%\\schtasks.exe')
  AND "Command Line" ILIKE ANY ('%sync%', '%copy%', '% cp %', '%put%', '%push%', '%backup%')
LAST 14 DAYS

UNION ALL

-- Alert 2: Same binary invoked 3+ times with upload verbs, aggregated per host/user over the window
SELECT
  sourceip AS HostIP,
  username AS AccountName,
  "Process Name" AS ProcessName,
  COUNT(*) AS RunCount,
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS FirstRun,
  DATEFORMAT(MAX(starttime), 'YYYY-MM-dd HH:mm:ss') AS LastRun
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
  AND eventid = 1
  AND "Process Name" ILIKE ANY ('%\\rclone.exe', '%\\restic.exe', '%\\aws.exe', '%\\azcopy.exe', '%\\gsutil.exe')
  AND "Command Line" ILIKE ANY ('%sync%', '%copy%', '% cp %', '%put%', '%push%')
GROUP BY sourceip, username, "Process Name"
HAVING COUNT(*) >= 3
LAST 14 DAYS
ORDER BY EventTime DESC
high severity medium confidence

Two AQL queries unioned for T1029 detection via cloud CLI tooling. The first matches Sysmon Event ID 1 where a cloud sync/backup CLI binary is launched by a Task Scheduler or service-host parent with an upload-style command-line verb. The second aggregates the same binaries per host/user across a 14-day window, surfacing accounts that have invoked an upload verb 3 or more times — the recurring-schedule signal. Requires Sysmon DSM field extractions for 'Process Name', 'Command Line', and 'Parent Process Name' to be configured in QRadar.

Data Sources

IBM QRadar with Microsoft Sysmon DSM configuredQRadar with custom properties: Process Name, Command Line, Parent Process Name

Required Tables

events

False Positives & Tuning

  • Enterprise backup agents wrapping rclone/restic and scheduled via Task Scheduler to approved storage destinations
  • Configuration management or CI/CD tooling using aws-cli/azcopy on a recurring schedule to push to an approved bucket/container
  • Data platform teams running scheduled gsutil/aws-cli transfers between internal systems and an approved analytics data lake

Other platforms for THREAT-CloudCLI-ScheduledExfil


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Windows — Scheduled Task Running rclone Sync to External Remote

    Expected signal: Windows Security Event ID 4698 (scheduled task created) for task name 'CloudBackupSync'. Sysmon Event ID 1 for schtasks.exe process creation with '/create /sc MINUTE /mo 30' in the command line. When the task fires: Sysmon Event ID 1 for taskhostw.exe spawning cmd.exe spawning rclone.exe with 'sync' in the command line.

  2. Test 2Windows — Recurring aws s3 sync Invocations Simulating a Scheduled Exfiltration Job

    Expected signal: Sysmon Event ID 1: three Process Create events for aws.exe with 's3', 'sync', and '--endpoint-url' in the command line, spaced a few seconds apart (compressed for testing; production pattern spans days). Sysmon Event ID 3: connection attempts to 127.0.0.1:9999.

  3. Test 3Linux — Systemd Timer Triggering Scheduled restic Backup to External Repository

    Expected signal: Auditd or Sysmon-for-Linux: file write events for /etc/systemd/system/restic-sync-test.service and .timer. Process execution events for systemctl with 'daemon-reload' and 'enable --now'. When the timer fires: execve event for restic with 'backup' argument, PPID belonging to systemd.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-CloudCLI-ScheduledExfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections