Description
An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.
Platforms
Mitigations (1)
M1031 Network Intrusion Prevention
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level.
Threat Groups (5)
| ID | Group | Context |
|---|---|---|
| G1040 | Play | [Play](https://attack.mitre.org/groups/G1040) has split victims' files into chunks for exfiltration.(Citation: CISA Play Ransomware Advisory December ... |
| G1014 | LuminousMoth | [LuminousMoth](https://attack.mitre.org/groups/G1014) has split archived files into multiple parts to bypass a 5MB limit.(Citation: Bitdefender Lumino... |
| G0027 | Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) actors have split RAR files for exfiltration into parts.(Citation: Dell TG-3390) |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has split archived exfiltration files into chunks smaller than 1MB.(Citation: Cybersecurity Advisory GR... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) transfers post-exploitation files dividing the payload into fixed-size chunks to evade detection.(Citat... |
Associated Software (14)
| ID | Name | Type | Context |
|---|---|---|---|
| S0264 | OopsIE | Malware | [OopsIE](https://attack.mitre.org/software/S0264) exfiltrates command output and collected files to its C2 server in 1500-byte blocks.(Citation: Unit ... |
| S0150 | POSHSPY | Malware | [POSHSPY](https://attack.mitre.org/software/S0150) uploads data in 2048-byte chunks.(Citation: FireEye POSHSPY April 2017) |
| S0487 | Kessel | Malware | [Kessel](https://attack.mitre.org/software/S0487) can split the data to be exfiltrated into chunks that will fit in subdomains of DNS queries.(Citatio... |
| S1020 | Kevin | Malware | [Kevin](https://attack.mitre.org/software/S1020) can exfiltrate data to the C2 server in 27-character chunks.(Citation: Kaspersky Lyceum October 2021) |
| S0644 | ObliqueRAT | Malware | [ObliqueRAT](https://attack.mitre.org/software/S0644) can break large files of interest into smaller chunks to prepare them for exfiltration.(Citation... |
| S1200 | StealBit | Malware | [StealBit](https://attack.mitre.org/software/S1200) can be configured to exfiltrate files at a specified rate to evade network detection mechanisms.(C... |
| S0622 | AppleSeed | Malware | [AppleSeed](https://attack.mitre.org/software/S0622) has divided files if the size is 0x1000000 bytes or more.(Citation: KISA Operation Muzabi) |
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154) will break large data sets into smaller chunks for exfiltration.(Citation: cobaltstrike manua... |
| S0495 | RDAT | Malware | [RDAT](https://attack.mitre.org/software/S0495) can upload a file via HTTP POST response to the C2 split into 102,400-byte portions. [RDAT](https://at... |
| S0699 | Mythic | Tool | [Mythic](https://attack.mitre.org/software/S0699) supports custom chunk sizes used to upload/download files.(Citation: Mythc Documentation) |
| S1040 | Rclone | Tool | The [Rclone](https://attack.mitre.org/software/S1040) "chunker" overlay supports splitting large files in smaller chunks during upload to circumvent s... |
| S1141 | LunarWeb | Malware | [LunarWeb](https://attack.mitre.org/software/S1141) can split exfiltrated data that exceeds 1.33 MB in size into multiple random sized parts between 3... |
| S0030 | Carbanak | Malware | [Carbanak](https://attack.mitre.org/software/S0030) exfiltrates data in compressed chunks if a message is larger than 4096 bytes.(Citation: FireEye C... |
| S0170 | Helminth | Malware | [Helminth](https://attack.mitre.org/software/S0170) splits data into chunks up to 23 bytes and sends the data in DNS queries to its C2 server.(Citatio... |
References
Frequently Asked Questions
What is T1030 (Data Transfer Size Limits)?
T1030 is a MITRE ATT&CK technique named 'Data Transfer Size Limits'. It belongs to the Exfiltration tactic(s). An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer thresho...
How can T1030 be detected?
Detection of T1030 (Data Transfer Size Limits) typically involves monitoring network traffic, system logs, and endpoint telemetry. Because the technique replaces one large transfer with many deliberately small ones, the signal is volume in aggregate rather than in any single flow: repeated outbound flows of near-identical size from one host to one destination, or unusually many DNS queries carrying long subdomains, are the patterns to look for. SIEM rules, EDR solutions, and behavioral analytics can correlate these with other suspicious activity associated with this technique.
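As an added example, not part of the ATT&CK page or of any listed tool, the following Python check scans constructed flow records for a source/destination pair that sends many near-identical-size flows, the footprint fixed-size chunking leaves; the addresses, thresholds and sample records are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample (not from the page): "src dst bytes" lines as a flow
# collector might emit. 10.0.0.5 sends twelve ~1500-byte flows to one host
# (chunked exfiltration); 10.0.0.9 shows ordinary, varied-size traffic.
SAMPLE_LOG = "\n".join(
    [f"src=10.0.0.5 dst=198.51.100.7 bytes={n}" for n in [1500] * 11 + [1512]]
    + [f"src=10.0.0.9 dst=203.0.113.10 bytes={n}"
       for n in (320, 4410, 980, 12000, 75, 2210, 660, 8800, 1500, 430)]
)


def parse_flows(text):
    """Parse 'src=... dst=... bytes=...' lines into (src, dst, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split())
        flows.append((fields["src"], fields["dst"], int(fields["bytes"])))
    return flows


def find_uniform_transfers(flows, min_flows=8, max_rel_spread=0.02):
    """Group flows by (src, dst) and flag pairs with at least min_flows flows
    whose sizes are nearly uniform (std dev / mean <= max_rel_spread).
    Reports the aggregate volume, which per-flow threshold alerts miss."""
    by_pair = defaultdict(list)
    for src, dst, nbytes in flows:
        by_pair[(src, dst)].append(nbytes)
    findings = []
    for (src, dst), sizes in by_pair.items():
        if len(sizes) < min_flows:
            continue
        avg = mean(sizes)
        if avg == 0 or pstdev(sizes) / avg > max_rel_spread:
            continue
        findings.append({"src": src, "dst": dst, "count": len(sizes),
                         "mean_bytes": round(avg), "total_bytes": sum(sizes)})
    return findings


if __name__ == "__main__":
    for hit in find_uniform_transfers(parse_flows(SAMPLE_LOG)):
        print(hit)
```

Tune min_flows and max_rel_spread to the environment; a small spread tolerance allows for protocol overhead on the final chunk while still excluding ordinary traffic.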
What mitigations exist for T1030?
There is 1 documented mitigation for T1030: Network Intrusion Prevention.
Which threat groups use T1030?
Known threat groups using T1030 include: Play, LuminousMoth, Threat Group-3390, APT28, APT41.