1. Home
  2. Techniques
  3. Enterprise
  4. Data Transfer Size Limits

Data Transfer Size Limits

An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.

ID: T1030
Sub-techniques:  No sub-techniques
Tactic: Exfiltration
Platforms: Linux, Windows, macOS
Requires Network:  Yes
Version: 1.0
Created: 31 May 2017
Last Modified: 14 July 2020
Provided by LAYER 8

Procedure Examples

ID Name Description
G0007 APT28

APT28 has split archived exfiltration files into chunks smaller than 1MB.[1]
S0030 Carbanak

Carbanak exfiltrates data in compressed chunks if a message is larger than 4096 bytes .[2]
S0154 Cobalt Strike

Cobalt Strike will break large data sets into smaller chunks for exfiltration.[3]
S0170 Helminth

Helminth splits data into chunks up to 23 bytes and sends the data in DNS queries to its C2 server.[4]
S0487 Kessel

Kessel can split the data to be exilftrated into chunks that will fit in subdomains of DNS queries.[5]
S0644 ObliqueRAT

ObliqueRAT can break large files of interest into smaller chunks to prepare them for exfiltration.[6]
S0264 OopsIE

OopsIE exfiltrates command output and collected files to its C2 server in 1500-byte blocks.[7]
S0150 POSHSPY

POSHSPY uploads data in 2048-byte chunks.[8]
S0495 RDAT

RDAT can upload a file via HTTP POST response to the C2 split into 102,400-byte portions. RDAT can also download data from the C2 which is split into 81,920-byte portions.[9]

G0027 Threat Group-3390

Threat Group-3390 actors have split RAR files for exfiltration into parts.[10]

Mitigations

ID Mitigation Description
M1031 Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level.

Detection

ID Data Source Data Component
DS0029 Network Traffic Network Connection Creation
Network Traffic Flow

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). If a process maintains a long connection during which it consistently sends fixed size data packets or a process opens connections and sends fixed sized data packets at regular intervals, it may be performing an aggregate data transfer. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. [11]

References

  1. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
  2. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  3. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  4. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  5. Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.
  6. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.
  1. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  2. Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
  3. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
  4. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  5. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.