Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-Exfil-ScheduledBulkTransfer.
Upgrade to ProDetect Scheduled Off-Hours Bulk Data Transfer in Google Chronicle
Adversaries may schedule data exfiltration to occur only at specific times of day — typically off-hours, overnight, or during weekends — to blend the transfer with lower baseline traffic and reduce the likelihood of live monitoring or analyst review. This is frequently implemented via a scheduled task, cron job, or malware-internal timer that triggers a bulk upload once collected data has been staged. Detection focuses on identifying large outbound data transfers that occur outside of a host or user's established working-hours baseline, especially when correlated with a scheduled task or cron job creation shortly beforehand.
MITRE ATT&CK
- Tactic
- Exfiltration
YARA-L Detection Query
rule threat_exfil_scheduled_bulk_transfer {
meta:
author = "Argus Detection Engineering"
description = "Detects a scheduled task or cron job creation followed by a large off-hours outbound transfer, indicating T1029 - Scheduled Transfer"
mitre_attack_tactic = "Exfiltration"
mitre_attack_technique = "T1029"
severity = "MEDIUM"
confidence = "MEDIUM"
reference = "https://attack.mitre.org/techniques/T1029/"
version = "1.0"
created = "2026-07-15"
events:
$e1.metadata.event_type = "PROCESS_LAUNCH"
AND $e1.target.process.file.full_path = /(?i)(schtasks\.exe|at\.exe|crontab)/
AND $e1.target.process.command_line = /(?i)(create|-e)/
$e2.metadata.event_type = "NETWORK_CONNECTION"
AND $e2.network.direction = "OUTBOUND"
AND $e2.network.sent_bytes > 104857600
$e1.principal.hostname = $e2.principal.hostname
match:
$e1.principal.hostname over 6h
condition:
$e1 and $e2
} Chronicle YARA-L 2.0 rule correlating scheduled task/cron creation events with a subsequent large (>100MB) outbound network transfer on the same host within a 6-hour window, indicating T1029 - Scheduled Transfer.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate scheduled backup or replication jobs
- Global teams where off-hours corresponds to a normal working shift
Other platforms for THREAT-Exfil-ScheduledBulkTransfer
Testing Methodology
Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Scheduled Task and Simulate Off-Hours Bulk Upload
Expected signal: Windows Security Event ID 4698 (Scheduled Task Created) for 'df00tech-test-sync' with the encoded PowerShell command in the task action. Sysmon Event ID 1 for the powershell.exe process launched by the Task Scheduler engine (parent: svchost.exe / taskeng.exe). DeviceNetworkEvents/Sysmon Event ID 3 showing an outbound POST of ~120MB to the test endpoint.
- Test 2Cron-Based Scheduled Exfiltration on Linux
Expected signal: Auditd or Sysmon-for-Linux process execution events for `crontab`, followed at the scheduled time by `dd` and `curl` process creation events with the destination URL in the command line. Cron execution log entry in `/var/log/cron` or `journalctl -u cron` at 23:59.
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-Exfil-ScheduledBulkTransfer — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month
Related Detections
Tactic Hub
Detection Variants (3)
Different telemetry and tradecraft for the same technique — pick the one that matches the data you collect.
- THREAT-ArchiveStaging-ScheduledExfilScheduled Batch Exfiltration of Compressed Archive StagingUse for archive staging — rar/7z multi-volume splitting ahead of a timed transfer, typical of ransomware double-extortion.
- THREAT-CloudCLI-ScheduledExfilScheduled Transfer via Cloud Sync/Backup CLI ToolsUse for cloud CLI LOLBins — rclone, restic or azcopy launched by a scheduler rather than a human.
- THREAT-Exfiltration-LinuxCronScheduledExfilScheduled Data Exfiltration via Linux Cron JobsUse for Linux hosts — cron/systemd-timer job creation correlated with auditd execution and outbound transfer.