Detection of automated tools or scripts periodically transmitting data to external destinations using scheduled tasks or background processes.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:security | EventCode=4688 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Field | Description |
|---|---|
| TimeWindow | Used to detect repeated exfil activity over intervals (e.g., every 5 minutes). |
| DestinationIP | Can be tuned to filter known internal or trusted destinations. |
Background scripts (e.g., via cron) or daemons transmitting data repeatedly to remote IPs or URLs.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Network Connection Creation (DC0082) | NSM:Flow | Outbound Connections |
| Field | Description |
|---|---|
| CronJobInterval | Tunable time range for recurring tasks seen creating outbound connections. |
| UserContext | Tunable for scope — service accounts vs user accounts. |
Observation of LaunchAgents or LaunchDaemons establishing periodic external connections indicative of automated data transfer.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | process: exec |
| Network Connection Creation (DC0082) | macos:unifiedlog | network |
| Scheduled Job Creation (DC0001) | macos:cron | cron/launchd |
| Field | Description |
|---|---|
| LaunchInterval | Frequency of task recurrence linked to external communication. |
| DestinationPort | Port number used for detection filtering. |
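The correlation the three platform entries above describe (repeated outbound connections from one process to one external destination at a regular interval, with DestinationIP and interval tuning) as an added worked example; this is illustrative code, not part of the original detection content, and it assumes events have already been normalised to the fields `ts`, `image`, `dst`, `dport` from Sysmon EventCode=3, NSM flow or unifiedlog `network` records. It generalises the 5-minute case to any regular period inside a tunable range.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed sample events (not real telemetry); field names are an assumption.
EVENTS = [
    # scheduled task beaconing to an external host roughly every 5 minutes
    {"ts": "2024-05-01T10:00:00", "image": "C:\\Tasks\\sync.exe", "dst": "203.0.113.5", "dport": 443},
    {"ts": "2024-05-01T10:05:02", "image": "C:\\Tasks\\sync.exe", "dst": "203.0.113.5", "dport": 443},
    {"ts": "2024-05-01T10:09:58", "image": "C:\\Tasks\\sync.exe", "dst": "203.0.113.5", "dport": 443},
    {"ts": "2024-05-01T10:15:01", "image": "C:\\Tasks\\sync.exe", "dst": "203.0.113.5", "dport": 443},
    # same cadence to an internal file server: dropped by the internal-range check
    {"ts": "2024-05-01T10:00:10", "image": "C:\\Windows\\explorer.exe", "dst": "10.1.2.3", "dport": 445},
    {"ts": "2024-05-01T10:05:10", "image": "C:\\Windows\\explorer.exe", "dst": "10.1.2.3", "dport": 445},
    {"ts": "2024-05-01T10:10:10", "image": "C:\\Windows\\explorer.exe", "dst": "10.1.2.3", "dport": 445},
    # periodic cron job to an allow-listed update server: dropped by DestinationIP tuning
    {"ts": "2024-05-01T10:01:00", "image": "/usr/bin/updater", "dst": "198.51.100.10", "dport": 443},
    {"ts": "2024-05-01T10:06:00", "image": "/usr/bin/updater", "dst": "198.51.100.10", "dport": 443},
    {"ts": "2024-05-01T10:11:00", "image": "/usr/bin/updater", "dst": "198.51.100.10", "dport": 443},
    # one-off external connection: not periodic, never reaches the threshold
    {"ts": "2024-05-01T10:07:00", "image": "/usr/bin/curl", "dst": "192.0.2.7", "dport": 80},
]

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TRUSTED_DESTINATIONS = {"198.51.100.10"}  # tunable DestinationIP allow-list

def is_external(dst):
    addr = ip_address(dst)
    return not any(addr in net for net in INTERNAL_NETS)

def find_periodic_outbound(events, min_repeats=3, min_interval=60, max_interval=3600,
                           tolerance=15, trusted=TRUSTED_DESTINATIONS):
    """Group outbound connections by (image, dst, dport); flag groups whose inter-connection
    gaps are all within `tolerance` seconds of their median and that median lies in the
    tunable [min_interval, max_interval] window (the CronJobInterval / LaunchInterval knob)."""
    groups = defaultdict(list)
    for e in events:
        if e["dst"] in trusted or not is_external(e["dst"]):
            continue
        groups[(e["image"], e["dst"], e["dport"])].append(datetime.fromisoformat(e["ts"]))
    alerts = []
    for (image, dst, dport), times in groups.items():
        if len(times) < min_repeats:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        if all(abs(g - period) <= tolerance for g in gaps) and min_interval <= period <= max_interval:
            alerts.append({"image": image, "dst": dst, "dport": dport,
                           "count": len(times), "period_s": period})
    return alerts
```

Joining each alert back to the matching process-creation event (EventCode=4688, auditd execve, unifiedlog exec) supplies the parent and UserContext needed to separate service-account jobs from interactive users.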