Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-Exfil-ScheduledBulkTransfer.

Upgrade to Pro
THREAT-Exfil-ScheduledBulkTransfer Splunk · SPL

Detect Scheduled Off-Hours Bulk Data Transfer in Splunk

Adversaries may schedule data exfiltration to occur only at specific times of day — typically off-hours, overnight, or during weekends — to blend the transfer with lower baseline traffic and reduce the likelihood of live monitoring or analyst review. This is frequently implemented via a scheduled task, cron job, or malware-internal timer that triggers a bulk upload once collected data has been staged. Detection focuses on identifying large outbound data transfers that occur outside of a host or user's established working-hours baseline, especially when correlated with a scheduled task or cron job creation shortly beforehand.

MITRE ATT&CK

Tactic
Exfiltration

SPL Detection Query

Splunk (SPL)
spl
index=network sourcetype="netflow" OR sourcetype="pan:traffic"
| eval BytesSentMB=round(bytes_out/1048576, 2)
| where bytes_out > 104857600
| eval hour_of_day=strftime(_time, "%H")
| where hour_of_day < 7 OR hour_of_day >= 19
| eval TransferTime=_time
| join type=left host
  [ search index=wineventlog sourcetype="XmlWinEventLog:Security" EventCode=4698
    | eval TaskTime=_time
    | table host, TaskTime, TaskName ]
| eval HasRecentScheduledTask=if(isnotnull(TaskTime) AND (TransferTime - TaskTime) >= 0 AND (TransferTime - TaskTime) <= 21600, 1, 0)
| table TransferTime, host, dest_ip, BytesSentMB, HasRecentScheduledTask, TaskName
| sort - BytesSentMB
medium severity medium confidence

Flags outbound network transfers exceeding 100MB occurring outside 07:00-19:00 local time from netflow/firewall traffic logs, joined against Windows Security Event ID 4698 (Scheduled Task Created) on the same host within the prior 6 hours to identify off-hours transfers likely triggered by a newly created scheduled task rather than routine backup jobs.

Data Sources

NetFlow / Firewall Traffic LogsWindows Security Event ID 4698 (Scheduled Task Created)

Required Sourcetypes

netflowpan:trafficXmlWinEventLog:Security

False Positives & Tuning

  • Scheduled backup or replication jobs that legitimately run overnight and transfer large data volumes
  • Distributed/global teams where the 'off-hours' window overlaps with a legitimate working shift in another timezone
  • Patch management systems pushing large update payloads during maintenance windows

Other platforms for THREAT-Exfil-ScheduledBulkTransfer


Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create Scheduled Task and Simulate Off-Hours Bulk Upload

    Expected signal: Windows Security Event ID 4698 (Scheduled Task Created) for 'df00tech-test-sync' with the encoded PowerShell command in the task action. Sysmon Event ID 1 for the powershell.exe process launched by the Task Scheduler engine (parent: svchost.exe / taskeng.exe). DeviceNetworkEvents/Sysmon Event ID 3 showing an outbound POST of ~120MB to the test endpoint.

  2. Test 2Cron-Based Scheduled Exfiltration on Linux

    Expected signal: Auditd or Sysmon-for-Linux process execution events for `crontab`, followed at the scheduled time by `dd` and `curl` process creation events with the destination URL in the command line. Cron execution log entry in `/var/log/cron` or `journalctl -u cron` at 23:59.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-Exfil-ScheduledBulkTransfer — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections