Data Transfer Size Limits

An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.

ID: T1030
Sub-techniques:  No sub-techniques
Tactic: Exfiltration
Platforms: Linux, Windows, macOS
Version: 1.0
Created: 31 May 2017
Last Modified: 14 July 2020

Procedure Examples

ID Name Description
S0622 AppleSeed

AppleSeed has divided files if the size is 0x1000000 bytes or more.[1]

G0007 APT28

APT28 has split archived exfiltration files into chunks smaller than 1MB.[2]

C0015 C0015

During C0015, the threat actors limited Rclone's bandwidth setting during exfiltration.[3]

C0026 C0026

During C0026, the threat actors split encrypted archives containing stolen files and information into 3MB parts prior to exfiltration.[4]

S0030 Carbanak

Carbanak exfiltrates data in compressed chunks if a message is larger than 4096 bytes .[5]

S0154 Cobalt Strike

Cobalt Strike will break large data sets into smaller chunks for exfiltration.[6]

S0170 Helminth

Helminth splits data into chunks up to 23 bytes and sends the data in DNS queries to its C2 server.[7]

S0487 Kessel

Kessel can split the data to be exilftrated into chunks that will fit in subdomains of DNS queries.[8]

S1020 Kevin

Kevin can exfiltrate data to the C2 server in 27-character chunks.[9]

G1014 LuminousMoth

LuminousMoth has split archived files into multiple parts to bypass a 5MB limit.[10]

S0699 Mythic

Mythic supports custom chunk sizes used to upload/download files.[11]

S0644 ObliqueRAT

ObliqueRAT can break large files of interest into smaller chunks to prepare them for exfiltration.[12]

S0264 OopsIE

OopsIE exfiltrates command output and collected files to its C2 server in 1500-byte blocks.[13]

S0150 POSHSPY

POSHSPY uploads data in 2048-byte chunks.[14]

S1040 Rclone

The Rclone "chunker" overlay supports splitting large files in smaller chunks during upload to circumvent size limits.[15][3]

S0495 RDAT

RDAT can upload a file via HTTP POST response to the C2 split into 102,400-byte portions. RDAT can also download data from the C2 which is split into 81,920-byte portions.[16]

G0027 Threat Group-3390

Threat Group-3390 actors have split RAR files for exfiltration into parts.[17]

Mitigations

ID Mitigation Description
M1031 Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level.

Detection

ID Data Source Data Component Detects
DS0029 Network Traffic Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts or uncommon data flows (e.g. unusual network communications or suspicious communications sending fixed size data packets at regular intervals as well as unusually long connection patterns). Consider analyzing packet contents to detect application layer protocols, leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, protocol port mismatch, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments (e.g. monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated

Network Traffic Flow

Monitor and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

References