Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-Exfil-ScheduledBulkTransfer.

Upgrade to Pro
THREAT-Exfil-ScheduledBulkTransfer

Scheduled Transfer — Scheduled Off-Hours Bulk Data Transfer

Exfiltration Last updated:

Adversaries may schedule data exfiltration to occur only at specific times of day — typically off-hours, overnight, or during weekends — to blend the transfer with lower baseline traffic and reduce the likelihood of live monitoring or analyst review. This is frequently implemented via a scheduled task, cron job, or malware-internal timer that triggers a bulk upload once collected data has been staged. Detection focuses on identifying large outbound data transfers that occur outside of a host or user's established working-hours baseline, especially when correlated with a scheduled task or cron job creation shortly beforehand.

What is THREAT-Exfil-ScheduledBulkTransfer Scheduled Off-Hours Bulk Data Transfer?

Scheduled Off-Hours Bulk Data Transfer (THREAT-Exfil-ScheduledBulkTransfer) is a sub-technique of Scheduled Transfer (T1029) in the MITRE ATT&CK framework. It maps to the Exfiltration tactic — the adversary is trying to steal data.

This page provides production-ready detection logic for Scheduled Off-Hours Bulk Data Transfer, covering the data sources and telemetry it touches: Network Traffic: Network Traffic Content, Scheduled Job: Scheduled Job Creation, Process: Process Creation, Microsoft Defender for Endpoint. The queries below are rated medium severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Exfiltration
Microsoft Sentinel / Defender
kusto
let WorkHoursStart = 7;
let WorkHoursEnd = 19;
// Signal 1: scheduled task or cron-like persistence created shortly before an off-hours transfer
let ScheduledTaskSignal = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("schtasks.exe", "at.exe", "crontab")
| where ProcessCommandLine has_any ("/create", "/sc", "-e")
| project TaskTime=Timestamp, DeviceName, AccountName, TaskCommandLine=ProcessCommandLine;
// Signal 2: large outbound network transfer occurring outside of working hours
let OffHoursTransfer = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where BytesSent > 104857600 // >100MB
| extend HourOfDay = datetime_part("hour", Timestamp)
| where HourOfDay < WorkHoursStart or HourOfDay >= WorkHoursEnd
| extend BytesSentMB = round(toreal(BytesSent) / 1048576, 2)
| project TransferTime=Timestamp, DeviceName, RemoteUrl, RemoteIP, BytesSentMB, InitiatingProcessFileName, InitiatingProcessCommandLine;
OffHoursTransfer
| join kind=leftouter (ScheduledTaskSignal) on DeviceName
| extend HasRecentScheduledTask = isnotempty(TaskCommandLine) and (TransferTime - TaskTime) between (0min .. 6h)
| project TransferTime, DeviceName, RemoteUrl, RemoteIP, BytesSentMB, InitiatingProcessFileName, InitiatingProcessCommandLine, HasRecentScheduledTask, TaskCommandLine
| sort by BytesSentMB desc

Detects large outbound data transfers (>100MB) occurring outside of standard working hours (before 07:00 or after 19:00 local time), then enriches each transfer with whether a scheduled task or at-job was created on the same host within the preceding 6 hours — a strong indicator that the transfer was triggered by a deliberately scheduled exfiltration mechanism rather than incidental off-hours activity (e.g., a batch job or backup).

medium severity medium confidence

Data Sources

Network Traffic: Network Traffic Content Scheduled Job: Scheduled Job Creation Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents DeviceProcessEvents

False Positives

  • Legitimate overnight backup jobs (database backups, file server replication, disaster-recovery sync) that are scheduled via Task Scheduler or cron and transfer large volumes of data by design
  • Global organizations where 'off-hours' in one timezone is a normal working period for a distributed team or offshore operations center
  • Scheduled ETL/data-warehouse pipelines that intentionally run overnight to avoid impacting daytime production workloads
  • Software update or patch distribution systems (WSUS, SCCM, Intune) configured to push large payloads overnight

Sigma rule & cross-platform mapping

The detection logic for Scheduled Off-Hours Bulk Data Transfer (THREAT-Exfil-ScheduledBulkTransfer) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:


Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create Scheduled Task and Simulate Off-Hours Bulk Upload

    Expected signal: Windows Security Event ID 4698 (Scheduled Task Created) for 'df00tech-test-sync' with the encoded PowerShell command in the task action. Sysmon Event ID 1 for the powershell.exe process launched by the Task Scheduler engine (parent: svchost.exe / taskeng.exe). DeviceNetworkEvents/Sysmon Event ID 3 showing an outbound POST of ~120MB to the test endpoint.

  2. Test 2Cron-Based Scheduled Exfiltration on Linux

    Expected signal: Auditd or Sysmon-for-Linux process execution events for `crontab`, followed at the scheduled time by `dd` and `curl` process creation events with the destination URL in the command line. Cron execution log entry in `/var/log/cron` or `journalctl -u cron` at 23:59.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-Exfil-ScheduledBulkTransfer — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections