# T1030 Data Transfer Size Limits

-----------------------------------------------------------------------

## Technique Description

An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.

## Technique Detection

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). If a process maintains a long connection during which it consistently sends fixed size data packets or a process opens connections and sends fixed sized data packets at regular intervals, it may be performing an aggregate data transfer. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)

-----------------------------------------------------------------------

### Tactics:

  *   Exfiltration

### Platforms:

  * Linux

  * macOS

  * Windows

### Data Sources:

  * **Network Traffic:** Network Connection Creation

  * **Network Traffic:** Network Traffic Flow

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) actors have split RAR files for exfiltration into parts.(Citation: Dell TG-3390)| 
| APT28 | [APT28](https://attack.mitre.org/groups/G0007) has split archived exfiltration files into chunks smaller than 1MB.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)| 
-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1030)

  * [University Of Birmingham C2](https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf), Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will exfiltrate data in fixed size chunks.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT29 | 1 | |

#### APT29
- POSHSPY (a PowerShell backdoor used by APT29 since at least 2015) uploads data in 2048-byte chunks rather than as whole files.

## Detection Blindspots

- Script block logging (4104) only covers chunking implemented in PowerShell; an implant that chunks in compiled code, or an operator splitting a RAR archive into volumes by hand, leaves no 4104 record.
- Windows 5156 and Sysmon 3 record that a connection was made, not how many bytes crossed it, so chunk size and regularity are only visible in flow or packet data (Arkime, NetFlow), not in host events alone.
- Chunks carried inside TLS to a destination the host already talks to blend into baseline traffic; packet-content checks need a decrypting proxy or they fall back to size and timing only.
- The technique exists to stay under per-transfer volume thresholds, so a single-flow byte-count alert misses it unless outbound bytes are aggregated per host and destination over time.

## Analytical References

  * [Atomic Red Team T1030 (github)](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md)
  * [Dissecting One of APT29's Fileless WMI and PowerShell Backdoors (POSHSPY), FireEye, March 2017](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server).
- If a process maintains a long connection during which it consistently sends fixed size data packets or a process opens connections and sends fixed sized data packets at regular intervals, it may be performing an aggregate data transfer.
- Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
- Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.

#### Analytic 1

  * **Information:** 4104: PowerShell script block logging events (APT29 / POSHSPY)

  * **Source:** Windows PowerShell Operational log (Microsoft-Windows-PowerShell/Operational, with Script Block Logging enabled)

  * **Tool:** Kibana

  * **Notes:** Check the script block text for functions that split data into fixed-size pieces before sending it.
      - As an example:
      - POSHSPY used a function named "uploadDataAuth" that set the chunk count with `$chunks = [Math]::Floor($dataDexStr.Length / 2048) + 1`
      - You are unlikely to see the same function or variable names again, so look for the behavior: a fixed divisor or substring length, a loop over the pieces, and a network call inside that loop.

  * **Query:** ```event.code : 4104```
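As an added example (not POSHSPY code and not part of the original playbook), the following Python scans constructed 4104 script-block records for the behavior described in Analytic 1: a fixed divisor in `[Math]::Floor`/`Ceiling` arithmetic on a `.Length`, a `Substring` slice loop, or a regex `-split` into fixed-length runs, and records whether the same block also makes a network call. The sample records, field names and regular expressions are assumptions for illustration; tune the patterns to the script style in your own logs.

```python
import re

# Constructed Event ID 4104 records (illustrative script text, not real
# POSHSPY or APT29 source). Field names are an assumption modelled on the
# Kibana-style records the "event.code : 4104" query returns.
SAMPLE_4104 = [
    {"record_id": 1, "path": r"C:\Windows\Temp\u.ps1",
     "script_block_text": (
         "$chunks = [Math]::Floor($dataDexStr.Length / 2048) + 1\n"
         "for ($i = 0; $i -lt $chunks; $i++) {\n"
         "  $part = $dataDexStr.Substring($i * 2048, [Math]::Min(2048, $dataDexStr.Length - $i * 2048))\n"
         "  Invoke-WebRequest -Uri $u -Method POST -Body $part\n"
         "}")},
    {"record_id": 2, "path": r"C:\Users\Public\s.ps1",
     "script_block_text": (
         "$wc = New-Object Net.WebClient\n"
         "$b64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes($f))\n"
         '$parts = $b64 -split "(.{900})"\n'
         "foreach ($p in $parts) { if ($p) { $wc.UploadString($u, $p) } }")},
    {"record_id": 3, "path": r"C:\Scripts\cleanup.ps1",
     "script_block_text": "Get-ChildItem C:\\logs | Where-Object { $_.Length -gt 1MB } | Remove-Item"},
    {"record_id": 4, "path": r"C:\Scripts\report.ps1",
     "script_block_text": (
         "$lines = Get-Content big.txt\n"
         "$pages = [Math]::Ceiling($lines.Length / 100)")},
]

# Each pattern captures the fixed chunk size in group 1.
CHUNK_PATTERNS = {
    # $chunks = [Math]::Floor($buf.Length / 2048) + 1   (chunk-count arithmetic)
    "math_div": re.compile(
        r"\[Math\]::(?:Floor|Ceiling)\(\s*\$\w+\.Length\s*/\s*(\d+)\s*\)", re.I),
    # $buf.Substring($i * 2048, 2048) or Substring($i * 2048, [Math]::Min(2048, ...))
    "substring": re.compile(
        r"\.Substring\(\s*\$\w+\s*\*\s*(\d+)\s*,\s*(?:\[Math\]::Min\(\s*)?\1\b", re.I),
    # $buf -split "(.{900})"   (regex split into fixed-length runs)
    "split": re.compile(r"-split\s*['\"]\(\.\{(\d+)\}\)['\"]", re.I),
}

# Outbound network calls commonly paired with chunked upload loops.
NETWORK_CALLS = re.compile(
    r"Invoke-WebRequest|Invoke-RestMethod|Net\.WebClient|UploadData|UploadString|"
    r"UploadFile|HttpWebRequest|Net\.Sockets|TcpClient", re.I)


def find_chunking(records):
    """One hit per record whose script block shows fixed-size chunking.

    Chunking plus a network call in the same block is ranked "high"; chunking
    alone is "low" (benign scripts page through data too), kept as context.
    """
    hits = []
    for rec in records:
        text = rec["script_block_text"]
        indicators, sizes = set(), set()
        for name, pattern in CHUNK_PATTERNS.items():
            for match in pattern.finditer(text):
                indicators.add(name)
                sizes.add(int(match.group(1)))
        if not indicators:
            continue
        sends = bool(NETWORK_CALLS.search(text))
        hits.append({
            "record_id": rec["record_id"],
            "path": rec["path"],
            "chunk_sizes": sorted(sizes),
            "indicators": sorted(indicators),
            "network_call": sends,
            "priority": "high" if sends else "low",
        })
    # Highest-priority hits first; stable sort keeps record order within a tier.
    hits.sort(key=lambda h: h["priority"] != "high")
    return hits


if __name__ == "__main__":
    for hit in find_chunking(SAMPLE_4104):
        print(f"[{hit['priority']}] record {hit['record_id']} {hit['path']}: "
              f"sizes={hit['chunk_sizes']} via {hit['indicators']} network={hit['network_call']}")
```

Record 4 shows why the network-call check matters: paging a text file in blocks of 100 lines matches the arithmetic pattern but is not exfiltration, so it lands in the low tier for the hunter to dismiss rather than in an alert.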

#### Analytic 2

  * **Information:** Network related event codes

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** These events record that a connection or process was created, not how many bytes were sent, so fixed-size chunks are not visible in them directly. Use them for context (which process opened the connection, when, to where, and what spawned it), then pair that with flow data.
      - 5156: The Windows Filtering Platform has allowed a connection (Security log)

      - 4688: A new process has been created (Security log)

      - 3: Network connection detected (Sysmon)

  * **Query:** ```event.code : (5156 or 4688) or (event.code : 3 and winlog.channel : "Microsoft-Windows-Sysmon/Operational")```



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server).
- If a process maintains a long connection during which it consistently sends fixed size data packets or a process opens connections and sends fixed sized data packets at regular intervals, it may be performing an aggregate data transfer.
- Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
- Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.
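The hunter notes above, implemented as an added example over constructed flow records (not captured traffic and not part of the original playbook). It groups flows by source, destination and port, then flags groups where the client sends far more than it receives, where outbound sizes are near-constant, where sends recur at a regular interval, and where the aggregate exceeds a per-flow volume threshold that no single flow tripped. The record layout, the 10 MB per-flow limit, the minimum flow count and the coefficient-of-variation cut-offs are assumed values to tune against your own baseline; the packet-content check in the last note needs payload visibility and is not covered here.

```python
from collections import defaultdict
from statistics import mean, pstdev


def _flow(ts, src, dst, dport, bytes_out, bytes_in):
    # Constructed flow record: one row per connection, byte counts per direction.
    return {"ts": ts, "src": src, "dst": dst, "dport": dport,
            "bytes_out": bytes_out, "bytes_in": bytes_in}


# Constructed sample (assumed values, not real traffic).
SAMPLE_FLOWS = (
    # Host A: twelve 1,000,000-byte uploads, one every 60 s, tiny replies.
    [_flow(1000 + 60 * i, "10.0.0.11", "203.0.113.10", 443, 1_000_000, 320) for i in range(12)]
    # Host B: ordinary browsing, download-heavy, irregular timing and sizes.
    + [_flow(1000 + t, "10.0.0.12", "198.51.100.5", 443, out, inb)
       for t, out, inb in [(3, 1400, 90_000), (41, 900, 250_000), (95, 2100, 12_000),
                           (260, 600, 800_000), (310, 1800, 40_000), (700, 1100, 150_000)]]
    # Host C: one bulk upload that trips a per-flow volume threshold.
    + [_flow(2000, "10.0.0.13", "203.0.113.20", 443, 40_000_000, 500)]
)

VOLUME_LIMIT = 10_000_000  # assumed per-flow alert threshold (bytes)


def volume_threshold_alerts(flows, limit=VOLUME_LIMIT):
    """The naive detection the technique is built to evade: one flow over the limit."""
    return sorted({(f["src"], f["dst"], f["dport"]) for f in flows if f["bytes_out"] > limit})


def _cv(values):
    """Coefficient of variation; near zero means the values are almost constant."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def hunt_chunked_transfers(flows, min_flows=6, size_cv=0.05, interval_cv=0.2,
                           ratio=3.0, limit=VOLUME_LIMIT):
    """Per (src, dst, dport) group, return the hunter-note conditions it meets."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["src"], f["dst"], f["dport"])].append(f)

    findings = []
    for key, group in groups.items():
        group.sort(key=lambda f: f["ts"])
        out = [f["bytes_out"] for f in group]
        total_out, total_in = sum(out), sum(f["bytes_in"] for f in group)
        if total_out == 0:
            continue  # nothing was sent; skip so zero-size rows cannot look "fixed size"
        reasons = []
        # Note 1: client sends significantly more than it receives.
        if total_out > ratio * max(total_in, 1):
            reasons.append("client_sends_more_than_receives")
        # Note 2: fixed-size sends at regular intervals (needs enough flows to judge).
        if len(group) >= min_flows:
            if _cv(out) < size_cv:
                reasons.append("fixed_size_sends")
            gaps = [b["ts"] - a["ts"] for a, b in zip(group, group[1:])]
            if _cv(gaps) < interval_cv:
                reasons.append("regular_interval")
        # Aggregate view: every flow stayed under the limit, the sum did not.
        if max(out) <= limit < total_out:
            reasons.append("aggregate_exceeds_threshold_while_each_flow_under")
        if reasons:
            findings.append({"key": key, "flows": len(group),
                             "total_out": total_out, "reasons": reasons})
    return findings


if __name__ == "__main__":
    print("per-flow threshold alerts:", volume_threshold_alerts(SAMPLE_FLOWS))
    for finding in hunt_chunked_transfers(SAMPLE_FLOWS):
        print(finding)
```

Host A never appears in `volume_threshold_alerts` because each of its flows is under the limit, yet it matches all four aggregate conditions; Host C trips the per-flow threshold but shows only the asymmetry, and Host B's browsing matches nothing. Running the grouping over a sliding window per host and destination, rather than over the whole sample, is what makes this usable on real flow data.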

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

