Detection Strategy for Data Transfer Size Limits and Chunked Exfiltration

ID: DET0213
Domains: Enterprise
Analytics: AN0596, AN0597, AN0598
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0596

An adversary-controlled process establishes outbound connections that transmit uniformly sized packets at a consistent interval, keeping each transfer below threshold-based network alerts.

Log Sources
Data Component                       | Name               | Channel
Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3
Network Traffic Flow (DC0078)        | NSM:Flow           | NetFlow/sFlow/PCAP
Mutable Elements
Field                | Description
PacketSizeThreshold  | Minimum repeated size in bytes to consider anomalous (e.g., 512 B or 1024 B)
IntervalRepeatWindow | Timeframe over which repeated, evenly spaced transfers are flagged
KnownServicePorts    | Common ports expected to exhibit protocol behavior; outliers are flagged if they do not match expected usage

AN0597

Outbound connections from non-network-facing processes repeatedly send similarly sized payloads within uniform time intervals.

Log Sources
Data Component                       | Name           | Channel
Network Connection Creation (DC0082) | auditd:SYSCALL | connect/sendto
Network Traffic Flow (DC0078)        | NSM:Flow       | Outbound Network Flow
Mutable Elements
Field                    | Description
ProcessNetworkBaseline   | Whitelist of binaries expected to generate outbound connections (e.g., wget, curl)
PayloadLengthVariance    | Deviation threshold within which payloads are considered 'fixed size' (e.g., ±5% size delta)
RepeatFrequencyThreshold | Number of observed transfers per minute/hour that signals anomalous repetition

AN0598

Processes on macOS, launched through LaunchAgents or running as unexpected users, initiate external connections that consistently transmit data in fixed-size chunks.

Log Sources
Data Component                       | Name                   | Channel
Network Traffic Flow (DC0078)        | macos:unifiedlog       | com.apple.network
Network Connection Creation (DC0082) | macos:endpointsecurity | ES_EVENT_TYPE_NOTIFY_CONNECT
Mutable Elements
Field                   | Description
LaunchdJobContext       | Agent context in which the transfer occurs (e.g., user or privileged)
TransferSizeMedian      | Median transfer size used to define what constitutes 'fixed size' chunks
TransferProtocolOutlier | Flags protocol usage that deviates from what common applications use for a given destination
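One way to implement the size-and-interval check shared by AN0596, AN0597 and AN0598 over flow records, as an added Python example that is not part of this ATT&CK entry; the flow records, the process baseline and the threshold values are constructed assumptions, with the tunables named after the mutable elements above.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flow records, not from the page: (process, destination, timestamp s, bytes sent)
FLOWS = [
    ("notepad.exe", "203.0.113.7:443", 0.0, 1024),    # fixed-size chunks every 30 s
    ("notepad.exe", "203.0.113.7:443", 30.0, 1030),
    ("notepad.exe", "203.0.113.7:443", 60.0, 1019),
    ("notepad.exe", "203.0.113.7:443", 90.0, 1024),
    ("notepad.exe", "203.0.113.7:443", 120.0, 1027),
    ("notepad.exe", "203.0.113.7:443", 150.0, 1024),
    ("backup.exe", "192.0.2.5:22", 0.0, 4096),        # bursty, variable-size transfer
    ("backup.exe", "192.0.2.5:22", 1.0, 65536),
    ("backup.exe", "192.0.2.5:22", 7.0, 512),
    ("backup.exe", "192.0.2.5:22", 8.0, 8192),
    ("backup.exe", "192.0.2.5:22", 9.0, 2048),
    ("chrome.exe", "198.51.100.20:443", 0.0, 5400),   # baselined browser traffic
]

# Tunables named after the page's mutable elements; the values are assumptions.
PROCESS_NETWORK_BASELINE = {"chrome.exe", "curl", "wget"}
PAYLOAD_LENGTH_VARIANCE = 0.05     # sizes within ±5% of the median count as "fixed size"
REPEAT_FREQUENCY_THRESHOLD = 5     # transfers needed inside the window to alert
INTERVAL_REPEAT_WINDOW = 300.0     # seconds examined per process/destination pair
INTERVAL_JITTER = 0.10             # gaps within ±10% of the median gap count as "evenly spaced"

def find_chunked_transfers(flows):
    """Return alerts for non-baselined processes sending fixed-size, evenly spaced payloads."""
    groups = defaultdict(list)
    for proc, dst, ts, size in flows:
        groups[(proc, dst)].append((ts, size))
    alerts = []
    for (proc, dst), recs in groups.items():
        if proc in PROCESS_NETWORK_BASELINE:
            continue
        recs.sort()
        recs = [r for r in recs if r[0] - recs[0][0] <= INTERVAL_REPEAT_WINDOW]
        if len(recs) < REPEAT_FREQUENCY_THRESHOLD:
            continue
        sizes = [s for _, s in recs]
        size_med = median(sizes)
        fixed_size = all(abs(s - size_med) <= PAYLOAD_LENGTH_VARIANCE * size_med for s in sizes)
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        gap_med = median(gaps)
        evenly_spaced = gap_med > 0 and all(abs(g - gap_med) <= INTERVAL_JITTER * gap_med for g in gaps)
        if fixed_size and evenly_spaced:
            alerts.append({"process": proc, "destination": dst, "transfers": len(recs),
                           "median_bytes": size_med, "median_interval_s": gap_med})
    return alerts
```

Only the notepad.exe pair is reported: backup.exe meets the repeat count but fails both the size and spacing tests, and chrome.exe is skipped by the baseline.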