T1030: Data Transfer Size Limits

View on MITRE ATT&CK	T1030
Tactic(s)	Exfiltration

Data from MITRE ATT&CK®:

An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.

Cyber Threat Graph Context

Explore how this ATT&CK Technique relates to the wider threat graph

Mitigations for this technique

MITRE ATT&CK Mitigations

Network Intrusion Prevention

Use intrusion detection signatures to block traffic at network boundaries.

How to detect this technique

MITRE ATT&CK Data Components

Network Traffic Flow (Network Traffic)

Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)

Network Connection Creation (Network Traffic)

Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)

Control Validation Tests for this Technique

Use Atomic Red Team tests to test your defenses against this technique.

Data Transfer Size Limits

macos linux

Network-Based Data Transfer in Small Chunks

windows

Sigma Detections for this Technique

Split A File Into Pieces

macos process creation

Split A File Into Pieces - Linux

linux

SP800-53 Controls

See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.

Node
SI-3: Malicious Code Protection
CM-2: Baseline Configuration
AC-4: Information Flow Enforcement
CA-7: Continuous Monitoring
SI-4: System Monitoring
CM-6: Configuration Settings
SC-7: Boundary Protection