title: Scheduled Transfer (T1029) id: df00tech-t1029 status: experimental description: "Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This is commonly observed in malware configured to beacon or exfiltrate at fixed intervals (e.g., every 10 minutes, every 8 hours) or only during business hours to blend with normal traffic. Scheduled transfer almost always combines with another exfiltration technique such as Exfiltration Over C2 Channel (T1041) or Exfiltration Over Alternative Protocol (T1048). Real-world examples include ComRAT sleeping outside 9-to-5 Monday–Friday, LightNeuron configuring nighttime-only exfiltration windows, ADVSTORESHELL compressing and exfiltrating every 10 minutes, and Cobalt Strike Beacon using randomized sleep intervals to resist frequency-based detection." references: - https://attack.mitre.org/techniques/T1029/ - https://df00tech.com/detections/T1029 author: df00tech date: 2026/04/16 tags: - attack.t1029 # NOTE: logsource is auto-derived and may need adjustment for your environment logsource: category: process_creation product: windows detection: # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech. selection: EventID: '*' condition: selection falsepositives: - "Monitoring agents (Datadog, SolarWinds, New Relic, PRTG) that make periodic health checks or metric uploads to cloud endpoints at fixed intervals" - "Backup software (Veeam, Acronis, Backup Exec) with scheduled upload tasks that invoke transfer utilities from svchost or task context" - "Software update services (WSUS clients, antivirus definition updates, patching tools) that poll external servers at regular intervals" - "Legitimate IT automation scripts (Ansible, Chef, Puppet) invoked by the Task Scheduler for periodic configuration synchronisation" - "Cloud sync clients (Dropbox, Box, Google Drive daemon processes) making regular upload connections that are not yet excluded by the process allowlist" level: high