Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-CloudCLI-ScheduledExfil.
Upgrade to ProDetect Scheduled Transfer via Cloud Sync/Backup CLI Tools in Splunk
Adversaries increasingly implement Scheduled Transfer (T1029) not with custom malware beacon loops but by abusing legitimate, already-installed cloud sync and backup command-line tools — rclone, restic, aws-cli (s3 sync/cp), azcopy, and gsutil — invoked on a fixed interval via cron, systemd timers, or Windows Task Scheduler. This approach blends with routine backup/sync traffic, uses signed and expected binaries, and often targets attacker-controlled cloud storage (a non-corporate S3 bucket, a personal rclone remote, a throwaway Backblaze/Azure account) rather than a custom C2 server, evading network-signature and IP-reputation detections. This pattern has been widely observed in ransomware pre-encryption exfiltration (rclone is the single most frequently recovered exfiltration tool across ransomware IR engagements) and in insider-driven bulk data theft where a scheduled job is created to stage and ship data outside normal working hours. This detection complements the existing T1029 coverage (which focuses on raw network beaconing and generic scheduled-task-spawns-transfer-tool patterns) by specifically fingerprinting cloud-storage CLI syntax, non-corporate destination indicators, and the scheduler-persistence mechanism used to make the transfer recurring.
MITRE ATT&CK
- Tactic
- Exfiltration
SPL Detection Query
// Alert 1: Cloud sync/backup CLI tools launched by a scheduler parent process
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\rclone.exe" OR Image="*\\restic.exe" OR Image="*\\aws.exe" OR Image="*\\azcopy.exe"
OR Image="*\\gsutil.exe" OR Image="*\\gsutil.cmd" OR Image="*\\mc.exe")
(ParentImage="*\\taskeng.exe" OR ParentImage="*\\taskhostw.exe" OR ParentImage="*\\svchost.exe" OR ParentImage="*\\schtasks.exe")
| eval UploadVerb=if(match(CommandLine, "(?i)(sync|copy|\\bcp\\b|\\bput\\b|push|backup|\\bmb\\b)"), "true", "false")
| eval DetectionType="SchedulerLaunchedCloudCLI"
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, UploadVerb, DetectionType
| append [
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\rclone.exe" OR Image="*\\restic.exe" OR Image="*\\aws.exe" OR Image="*\\azcopy.exe"
OR Image="*\\gsutil.exe" OR Image="*\\mc.exe")
(CommandLine="*sync*" OR CommandLine="*copy*" OR CommandLine="* cp *" OR CommandLine="*put*" OR CommandLine="*push*")
| bin _time span=1d as DayBucket
| stats count as RunCount, dc(DayBucket) as ActiveDays, earliest(_time) as FirstRun, latest(_time) as LastRun, values(CommandLine) as SampleCommandLines by host, User, Image
| where RunCount >= 3 AND ActiveDays >= 2
| eval AvgIntervalHours=round((LastRun - FirstRun) / 3600 / (RunCount - 1), 1)
| eval DetectionType="RecurringCloudCLIUpload"
| table LastRun, host, User, Image, SampleCommandLines, RunCount, ActiveDays, AvgIntervalHours, DetectionType
]
| sort - _time Two SPL searches unioned for T1029 via cloud CLI tooling. The first uses Sysmon Event ID 1 to identify rclone/restic/aws-cli/azcopy/gsutil/mc spawned by Task Scheduler host processes, flagging upload-verb command lines. The second aggregates the same binaries across a 1-day bucket to find 3+ upload-verb invocations spanning 2+ distinct days per host/user, which captures the recurring-schedule pattern even when the launching parent process (e.g. a systemd/cron wrapper) is not itself informative.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Sanctioned nightly backup jobs using rclone/restic scheduled via Task Scheduler to an approved corporate cloud destination
- DevOps pipelines invoking aws s3 sync or azcopy on a cron/timer to push artifacts to an approved bucket or container
- MSP or managed-backup tooling that wraps rclone for scheduled multi-tenant backup rotation
Other platforms for THREAT-CloudCLI-ScheduledExfil
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Windows — Scheduled Task Running rclone Sync to External Remote
Expected signal: Windows Security Event ID 4698 (scheduled task created) for task name 'CloudBackupSync'. Sysmon Event ID 1 for schtasks.exe process creation with '/create /sc MINUTE /mo 30' in the command line. When the task fires: Sysmon Event ID 1 for taskhostw.exe spawning cmd.exe spawning rclone.exe with 'sync' in the command line.
- Test 2Windows — Recurring aws s3 sync Invocations Simulating a Scheduled Exfiltration Job
Expected signal: Sysmon Event ID 1: three Process Create events for aws.exe with 's3', 'sync', and '--endpoint-url' in the command line, spaced a few seconds apart (compressed for testing; production pattern spans days). Sysmon Event ID 3: connection attempts to 127.0.0.1:9999.
- Test 3Linux — Systemd Timer Triggering Scheduled restic Backup to External Repository
Expected signal: Auditd or Sysmon-for-Linux: file write events for /etc/systemd/system/restic-sync-test.service and .timer. Process execution events for systemctl with 'daemon-reload' and 'enable --now'. When the timer fires: execve event for restic with 'backup' argument, PPID belonging to systemd.
References (7)
- https://attack.mitre.org/techniques/T1029/
- https://rclone.org/docs/
- https://redcanary.com/blog/threat-intelligence/rclone-mass-file-transfer/
- https://www.cisa.gov/news-events/cybersecurity-advisories
- https://learn.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1029/T1029.md
- https://www.freedesktop.org/software/systemd/man/systemd.timer.html
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-CloudCLI-ScheduledExfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month
Related Detections
Tactic Hub
Detection Variants (3)
Different telemetry and tradecraft for the same technique — pick the one that matches the data you collect.
- THREAT-ArchiveStaging-ScheduledExfilScheduled Batch Exfiltration of Compressed Archive StagingUse for archive staging — rar/7z multi-volume splitting ahead of a timed transfer, typical of ransomware double-extortion.
- THREAT-Exfil-ScheduledBulkTransferScheduled Off-Hours Bulk Data TransferUse for network-side detection — off-hours bulk-volume NetFlow, when you have no endpoint scheduler visibility.
- THREAT-Exfiltration-LinuxCronScheduledExfilScheduled Data Exfiltration via Linux Cron JobsUse for Linux hosts — cron/systemd-timer job creation correlated with auditd execution and outbound transfer.