DET0399 Detection Strategy for Scheduled Transfer and Recurrent Exfiltration Patterns
| Item | Value |
|---|---|
| ID | DET0399 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1029 (Scheduled Transfer)
Analytics
Windows
AN1118
Recurring network exfiltration initiated by scheduled or script-based processes exhibiting time-based regularity and consistent external destinations.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| TimeWindow | Duration threshold to consider a connection repetitive (e.g., same hour daily) |
| DestIPAllowlist | Known external destinations to exclude (e.g., approved SFTP/backup servers) |
| ParentProcessBaseline | Allowlisted job runners or scripts known to schedule legitimate transfers |
Linux
AN1119
Detection of cron-based or script-based recurring transfers where the same script, user, or destination reappears at predictable intervals.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| ScriptPathRegex | Path patterns for shell scripts responsible for scheduled transfers |
| CronIntervalThreshold | Minimum repetition frequency (e.g., 24h for daily jobs) |
| ExfilUserContext | Suspicious or unexpected users launching scheduled transfers |
macOS
AN1120
LaunchAgent or launchd recurring jobs initiating data transfer to consistent external IPs or domains with repeat timing signatures.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| AgentPathPatterns | Regex for job locations like ~/Library/LaunchAgents/ |
| RepeatIntervalDelta | Time-based logic to determine schedule (e.g., ~24h ± 5m) |
| UserHomeJobs | Transfers originating from non-admin user context |
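As an added example (not part of the DET0399 strategy or of any ATT&CK analytic), the recurrence logic shared by AN1118, AN1119 and AN1120, run over constructed connection events: events are grouped by user, image and destination, the DestIPAllowlist and ParentProcessBaseline mutable elements suppress known transfers, and a series is reported once enough consecutive gaps fall within RepeatIntervalDelta of the expected interval. The event fields, sample values and starting thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample outbound-connection events (not from the page); the fields are
# the minimum a Sysmon, auditd or macOS unified-log network record would supply.
SAMPLE_EVENTS = [
    {"ts": "2025-10-01T02:00:05", "user": "svc_backup", "image": "C:\\Scripts\\sync.bat", "dest": "203.0.113.10"},
    {"ts": "2025-10-02T02:00:11", "user": "svc_backup", "image": "C:\\Scripts\\sync.bat", "dest": "203.0.113.10"},
    {"ts": "2025-10-03T01:58:40", "user": "svc_backup", "image": "C:\\Scripts\\sync.bat", "dest": "203.0.113.10"},
    {"ts": "2025-10-04T02:03:02", "user": "svc_backup", "image": "C:\\Scripts\\sync.bat", "dest": "203.0.113.10"},
    # Approved nightly rsync to an allowlisted destination: must be suppressed.
    {"ts": "2025-10-01T23:00:00", "user": "backup", "image": "/usr/bin/rsync", "dest": "198.51.100.20"},
    {"ts": "2025-10-02T23:00:03", "user": "backup", "image": "/usr/bin/rsync", "dest": "198.51.100.20"},
    {"ts": "2025-10-03T23:00:01", "user": "backup", "image": "/usr/bin/rsync", "dest": "198.51.100.20"},
    # Interactive browsing: same destination three times, but no regular interval.
    {"ts": "2025-10-01T09:15:00", "user": "bob", "image": "chrome.exe", "dest": "192.0.2.7"},
    {"ts": "2025-10-01T10:15:00", "user": "bob", "image": "chrome.exe", "dest": "192.0.2.7"},
    {"ts": "2025-10-02T15:15:00", "user": "bob", "image": "chrome.exe", "dest": "192.0.2.7"},
]

# Mutable elements from the strategy, given assumed starting values.
DEST_IP_ALLOWLIST = {"198.51.100.20"}        # DestIPAllowlist: approved backup server
PARENT_PROCESS_BASELINE = {"/usr/bin/rsync"}  # ParentProcessBaseline: known job runners
REPEAT_INTERVAL = timedelta(hours=24)         # CronIntervalThreshold / TimeWindow: daily
INTERVAL_DELTA = timedelta(minutes=5)         # RepeatIntervalDelta: ~24h +/- 5m
MIN_REPEATS = 3                               # occurrences needed before reporting a series


def find_recurring_transfers(events, allowlist=DEST_IP_ALLOWLIST,
                             baseline=PARENT_PROCESS_BASELINE, interval=REPEAT_INTERVAL,
                             delta=INTERVAL_DELTA, min_repeats=MIN_REPEATS):
    """Report (user, image, dest) series whose consecutive gaps sit within delta of interval."""
    series = defaultdict(list)
    for ev in events:
        if ev["dest"] in allowlist or ev["image"] in baseline:
            continue  # tuned out by the mutable elements
        series[(ev["user"], ev["image"], ev["dest"])].append(datetime.fromisoformat(ev["ts"]))
    findings = []
    for (user, image, dest), times in series.items():
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        regular = sum(1 for g in gaps if abs(g - interval) <= delta)
        # N evenly spaced occurrences produce N-1 regular gaps; irregular gaps
        # (the browsing case above) do not count toward the threshold.
        if regular >= min_repeats - 1:
            findings.append({"user": user, "image": image, "dest": dest,
                             "count": len(times), "regular_gaps": regular})
    return findings
```

Widening INTERVAL_DELTA or lowering MIN_REPEATS trades false negatives for false positives; the allowlist and baseline sets are where approved backup jobs are tuned out rather than by loosening the timing test.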