T1030 - Data Transfer Size Limits

An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.
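A per-transfer size alert misses this pattern, so detection has to aggregate per source/destination pair. The sketch below is an added example, not part of the Atomic Red Team project: the flow records are constructed, and the thresholds, window and function name are assumptions to tune per environment.

```python
from collections import Counter, defaultdict

# Constructed sample flow records: (epoch_seconds, src, dst, bytes_out).
FLOWS = [
    (1000, "10.0.0.5", "203.0.113.9", 5_000_000),
    (1030, "10.0.0.5", "203.0.113.9", 5_000_000),
    (1060, "10.0.0.5", "203.0.113.9", 5_000_000),
    (1090, "10.0.0.5", "203.0.113.9", 5_000_000),
    (1120, "10.0.0.5", "203.0.113.9", 3_200_000),   # short final chunk
    (1005, "10.0.0.7", "198.51.100.4", 120_000),
    (1400, "10.0.0.7", "198.51.100.4", 7_400_000),
    (1900, "10.0.0.7", "198.51.100.4", 64_000),
    (1010, "10.0.0.8", "192.0.2.20", 30_000_000),   # already caught per flow
]

PER_FLOW_ALERT = 20_000_000  # assumed existing single-transfer alert threshold
WINDOW = 3600                # assumed tumbling aggregation window, in seconds
MIN_FLOWS = 4                # assumed minimum number of repeats before flagging
SIZE_TOLERANCE = 0.02        # sizes within 2% of the modal size count as equal
MIN_UNIFORM_SHARE = 0.75     # share of flows that must match the modal size


def find_chunked_transfers(flows):
    """Flag src/dst pairs sending many same-sized flows that each stay
    under the per-flow alert but together exceed it within one window."""
    buckets = defaultdict(list)
    for ts, src, dst, size in flows:
        if size < PER_FLOW_ALERT:  # larger flows trip the per-flow rule
            buckets[(src, dst, ts // WINDOW)].append(size)

    findings = []
    for (src, dst, _window), sizes in sorted(buckets.items()):
        if len(sizes) < MIN_FLOWS:
            continue
        # Most common size; the tolerance absorbs small overhead differences,
        # and the share test tolerates a shorter last chunk.
        modal = Counter(sizes).most_common(1)[0][0]
        uniform = sum(abs(s - modal) <= modal * SIZE_TOLERANCE for s in sizes)
        total = sum(sizes)
        if uniform / len(sizes) >= MIN_UNIFORM_SHARE and total >= PER_FLOW_ALERT:
            findings.append({"src": src, "dst": dst, "flows": len(sizes),
                             "chunk_size": modal, "total_bytes": total})
    return findings


if __name__ == "__main__":
    for finding in find_chunked_transfers(FLOWS):
        print(finding)
```

A tumbling window can split one burst across two buckets; a sliding window or overlapping buckets closes that gap at the cost of more state.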

Atomic Tests


Atomic Test #1 - Data Transfer Size Limits

Take a file/directory, split it into 5Mb chunks

Supported Platforms: macOS, Linux

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| folder_path | Path where the test creates artifacts | Path | /tmp/T1030 |
| file_name | File name | Path | T1030_urandom |

Attack Commands: Run with sh!

cd #{folder_path}; split -b 5000000 #{file_name}
ls -l #{folder_path}

Cleanup Commands:

if [ -f #{folder_path}/safe_to_delete ]; then rm -rf #{folder_path}; fi;

Dependencies: Run with sh!

Description:
Check Prereq Commands:
if [ ! -f #{folder_path}/#{file_name} ]; then exit 1; else exit 0; fi; 
Get Prereq Commands:
if [ ! -d #{folder_path} ]; then mkdir -p #{folder_path}; touch #{folder_path}/safe_to_delete; fi;      
dd if=/dev/urandom of=#{folder_path}/#{file_name} bs=25000000 count=1