An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.
| ID | Name | Description |
|---|---|---|
| S0622 | AppleSeed |
AppleSeed has divided files if the size is 0x1000000 bytes or more.[1] |
| G0007 | APT28 |
APT28 has split archived exfiltration files into chunks smaller than 1MB.[2] |
| G0096 | APT41 |
APT41 transfers post-exploitation files dividing the payload into fixed-size chunks to evade detection.[3] |
| C0015 | C0015 |
During C0015, the threat actors limited Rclone's bandwidth setting during exfiltration.[4] |
| C0026 | C0026 |
During C0026, the threat actors split encrypted archives containing stolen files and information into 3MB parts prior to exfiltration.[5] |
| S0030 | Carbanak |
Carbanak exfiltrates data in compressed chunks if a message is larger than 4096 bytes .[6] |
| S0154 | Cobalt Strike |
Cobalt Strike will break large data sets into smaller chunks for exfiltration.[7] |
| S0170 | Helminth |
Helminth splits data into chunks up to 23 bytes and sends the data in DNS queries to its C2 server.[8] |
| S0487 | Kessel |
Kessel can split the data to be exilftrated into chunks that will fit in subdomains of DNS queries.[9] |
| S1020 | Kevin |
Kevin can exfiltrate data to the C2 server in 27-character chunks.[10] |
| G1014 | LuminousMoth |
LuminousMoth has split archived files into multiple parts to bypass a 5MB limit.[11] |
| S1141 | LunarWeb |
LunarWeb can split exfiltrated data that exceeds 1.33 MB in size into multiple random sized parts between 384 and 512 KB.[12] |
| S0699 | Mythic |
Mythic supports custom chunk sizes used to upload/download files.[13] |
| S0644 | ObliqueRAT |
ObliqueRAT can break large files of interest into smaller chunks to prepare them for exfiltration.[14] |
| S0264 | OopsIE |
OopsIE exfiltrates command output and collected files to its C2 server in 1500-byte blocks.[15] |
| G1040 | Play |
Play has split victims' files into chunks for exfiltration.[16][17] |
| S0150 | POSHSPY | |
| S1040 | Rclone |
The Rclone "chunker" overlay supports splitting large files in smaller chunks during upload to circumvent size limits.[19][4] |
| S0495 | RDAT |
RDAT can upload a file via HTTP POST response to the C2 split into 102,400-byte portions. RDAT can also download data from the C2 which is split into 81,920-byte portions.[20] |
| S1200 | StealBit |
StealBit can be configured to exfiltrate files at a specified rate to evade network detection mechanisms.[21] |
| G0027 | Threat Group-3390 |
Threat Group-3390 actors have split RAR files for exfiltration into parts.[22] |
| ID | Mitigation | Description |
|---|---|---|
| M1031 | Network Intrusion Prevention |
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0213 | Detection Strategy for Data Transfer Size Limits and Chunked Exfiltration | AN0596 |
Adversary uses a process to establish outbound connections that transmit uniform packet sizes at a consistent interval, avoiding threshold-based network alerts. |
| AN0597 |
Outbound connections from non-network-facing processes repeatedly send similarly sized payloads within uniform time intervals. |
||
| AN0598 |
Processes on macOS initiate external connections that consistently transmit data in fixed sizes using LaunchAgents or unexpected users. |