Detection Strategy for Scheduled Transfer and Recurrent Exfiltration Patterns

Technique Detected: Scheduled Transfer | T1029

ID: DET0399
Domains: Enterprise
Analytics: AN1118, AN1119, AN1120
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1118

Recurring network exfiltration initiated by scheduled or script-based processes exhibiting time-based regularity and consistent external destinations.

Log Sources
Data Component                       | Name               | Channel
Process Creation (DC0032)            | WinEventLog:Sysmon | EventCode=1
Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3
Scheduled Job Metadata (DC0005)      | WinEventLog:System | EventCode=106, 200

Mutable Elements
Field                 | Description
TimeWindow            | Duration threshold to consider a connection repetitive (e.g., same hour daily)
DestIPAllowlist       | Known external destinations to exclude (e.g., approved SFTP/backup servers)
ParentProcessBaseline | Allowlisted job runners or scripts known to schedule legitimate transfers

AN1119

Detection of cron-based or script-based recurring transfers where the same script, user, or destination reappears at predictable intervals.

Log Sources
Data Component                       | Name           | Channel
Process Creation (DC0032)            | auditd:SYSCALL | execve
Scheduled Job Metadata (DC0005)      | linux:cron     | cron activity
Network Connection Creation (DC0082) | NSM:Flow       | Outbound Connections

Mutable Elements
Field                 | Description
ScriptPathRegex       | Path patterns for shell scripts responsible for scheduled transfers
CronIntervalThreshold | Minimum repetition frequency (e.g., 24h for daily jobs)
ExfilUserContext      | Suspicious or unexpected users launching scheduled transfers

AN1120

LaunchAgent or launchd recurring jobs initiating data transfer to consistent external IPs or domains with repeat timing signatures.

Log Sources
Data Component                  | Name                   | Channel
Process Creation (DC0032)       | macos:endpointsecurity | ES_EVENT_TYPE_NOTIFY_EXEC
Scheduled Job Metadata (DC0005) | macos:launchd          | launchd.plist and logs
Network Traffic Flow (DC0078)   | macos:unifiedlog       | networkd or com.apple.network

Mutable Elements
Field               | Description
AgentPathPatterns   | Regex for job locations like ~/Library/LaunchAgents/
RepeatIntervalDelta | Time-based logic to determine schedule (e.g., ~24h ± 5m)
UserHomeJobs        | Transfers originating from non-admin user context
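All three analytics (AN1118, AN1119, AN1120) share one core: pair process-creation events with the outbound connections they make, keep only the runs whose parent is a scheduler, drop allowlisted destinations and baselined jobs, and alert when the same script, user and destination recur at a regular period. The Python below is an added example that is not part of this detection strategy and is not MITRE's code; it works on a normalised event stream that stands in for Sysmon EventCode 1/3, auditd execve plus NSM flow, or Endpoint Security exec plus unified-log network records. The scheduler parent names, allowlist values, the 24h ± 5m period and all sample events are constructed assumptions.

```python
"""Added example (not from the detection strategy): recurring scheduled-transfer detector."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# Mutable elements named in the analytics; the values here are assumptions for this example.
DEST_IP_ALLOWLIST = {"203.0.113.10"}                    # DestIPAllowlist: approved backup host (constructed)
JOB_BASELINE = {"/opt/backup/nightly.sh"}                # ParentProcessBaseline / ScriptPathRegex stand-in
SCHEDULER_PARENTS = {"svchost.exe", "cron", "launchd"}  # parents that mark a run as scheduled (assumed)
REPEAT_INTERVAL = timedelta(hours=24)                    # CronIntervalThreshold: expected period
REPEAT_INTERVAL_DELTA = timedelta(minutes=5)             # RepeatIntervalDelta: tolerance (~24h ± 5m)
MIN_REPEATS = 3                                          # repetitions required before alerting


@dataclass(frozen=True)
class ProcessEvent:            # Sysmon 1 / auditd execve / ES_EVENT_TYPE_NOTIFY_EXEC, normalised
    ts: datetime
    pid: int
    image: str
    parent_image: str
    user: str


@dataclass(frozen=True)
class NetworkEvent:            # Sysmon 3 / NSM flow / unifiedlog network record, normalised
    ts: datetime
    pid: int
    dest_ip: str
    dest_port: int


def is_periodic(timestamps, period=REPEAT_INTERVAL, tolerance=REPEAT_INTERVAL_DELTA):
    """True when every gap between consecutive timestamps lies within period ± tolerance."""
    ts = sorted(timestamps)
    if len(ts) < 2:
        return False
    return all(abs((later - earlier) - period) <= tolerance for earlier, later in zip(ts, ts[1:]))


def correlate(proc_events, net_events):
    """Pair each connection with the latest process creation sharing its pid (pids recur day to day)."""
    by_pid = defaultdict(list)
    for proc in proc_events:
        by_pid[proc.pid].append(proc)
    pairs = []
    for net in net_events:
        earlier = [p for p in by_pid.get(net.pid, []) if p.ts <= net.ts]
        if earlier:
            pairs.append((max(earlier, key=lambda p: p.ts), net))
    return pairs


def find_recurring_transfers(proc_events, net_events):
    """One alert per (script, user, destination) that a scheduler launched on a regular period."""
    groups = defaultdict(list)
    for proc, net in correlate(proc_events, net_events):
        if proc.parent_image not in SCHEDULER_PARENTS:
            continue  # not a scheduled job: outside this analytic's scope
        if net.dest_ip in DEST_IP_ALLOWLIST or proc.image in JOB_BASELINE:
            continue  # approved destination or baselined job
        groups[(proc.image, proc.user, f"{net.dest_ip}:{net.dest_port}")].append(net.ts)
    alerts = []
    for (image, user, dest), times in groups.items():
        if len(times) >= MIN_REPEATS and is_periodic(times):
            ts = sorted(times)
            gaps = [b - a for a, b in zip(ts, ts[1:])]
            alerts.append({"image": image, "user": user, "dest": dest,
                           "count": len(ts), "median_gap": median(gaps)})
    return alerts


def parse_ts(s):
    return datetime.fromisoformat(s)


# Constructed sample: a user-owned sync script fired by cron three nights running, an approved
# backup job (allowlisted host and baselined script), and a script with irregular gaps.
SAMPLE_PROCS = [
    ProcessEvent(parse_ts("2025-10-21T02:00:03"), 4101, "/home/svc/.cache/sync.sh", "cron", "svc"),
    ProcessEvent(parse_ts("2025-10-22T02:01:31"), 4101, "/home/svc/.cache/sync.sh", "cron", "svc"),
    ProcessEvent(parse_ts("2025-10-23T01:58:47"), 4101, "/home/svc/.cache/sync.sh", "cron", "svc"),
    ProcessEvent(parse_ts("2025-10-21T03:00:00"), 5200, "/opt/backup/nightly.sh", "cron", "root"),
    ProcessEvent(parse_ts("2025-10-22T03:00:00"), 5200, "/opt/backup/nightly.sh", "cron", "root"),
    ProcessEvent(parse_ts("2025-10-21T04:00:00"), 6300, "/tmp/update.sh", "cron", "svc"),
    ProcessEvent(parse_ts("2025-10-21T10:00:00"), 6300, "/tmp/update.sh", "cron", "svc"),
    ProcessEvent(parse_ts("2025-10-22T04:00:00"), 6300, "/tmp/update.sh", "cron", "svc"),
]
SAMPLE_NET = [
    NetworkEvent(parse_ts("2025-10-21T02:00:05"), 4101, "198.51.100.7", 443),
    NetworkEvent(parse_ts("2025-10-22T02:01:33"), 4101, "198.51.100.7", 443),
    NetworkEvent(parse_ts("2025-10-23T01:58:49"), 4101, "198.51.100.7", 443),
    NetworkEvent(parse_ts("2025-10-21T03:00:02"), 5200, "203.0.113.10", 22),
    NetworkEvent(parse_ts("2025-10-22T03:00:02"), 5200, "203.0.113.10", 22),
    NetworkEvent(parse_ts("2025-10-21T04:00:01"), 6300, "198.51.100.9", 443),
    NetworkEvent(parse_ts("2025-10-21T10:00:01"), 6300, "198.51.100.9", 443),
    NetworkEvent(parse_ts("2025-10-22T04:00:01"), 6300, "198.51.100.9", 443),
]

if __name__ == "__main__":
    for alert in find_recurring_transfers(SAMPLE_PROCS, SAMPLE_NET):
        print(alert)
```

On the sample only the sync.sh group alerts: its gaps are 24h + 88s and 24h - 164s, both inside the 5-minute tolerance, while update.sh is skipped because its 6h and 18h gaps are not periodic and the backup job is filtered by both the allowlist and the baseline. Correlating on pid alone is weak over multi-day windows because pids are reused; where the source offers a stable process identifier (Sysmon's ProcessGuid, for example) key the correlation on that instead, and tune REPEAT_INTERVAL per job population rather than assuming daily.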