Keypoints:
- Adversaries break data into fixed-size chunks to avoid triggering volume-based alerts.
- Look for asymmetric flows where a client sends far more data than it receives.
- Regular intervals of fixed-size packets can indicate staged aggregate transfers.
- Inspect processes that suddenly use the network or have no prior network history.
- Deep packet inspection and protocol validation help detect anomalous payloads on expected ports.
Description:
- Like smuggling sand one grain at a time through airport security to avoid a single large alarm, attackers send many small, regular packets to stealthily move data out.
- Attackers split files into fixed-size chunks or use small packets below alert thresholds. This enables stealthy exfiltration over long-lived or periodic connections, bypassing data-transfer volume alerts and making detection harder.
Detection:
- Monitor NetFlow/PCAP for asymmetric traffic where a host consistently sends many more bytes than it receives.
- Alert on long-lived connections that transmit fixed-size payloads repeatedly over time.
- Use DPI or protocol analyzers to validate payloads against expected protocol behavior on that port.
- Track process-to-network mappings and flag processes with no prior network activity initiating transfers.
- Correlate periodic small-packet patterns with endpoint logs and scheduled tasks to filter benign jobs.
- Instrument IDS/IPS and SIEM with rules for regular-interval, fixed-byte transfers; tune thresholds to reduce false positives.
- Capture sample traffic for forensic analysis and compare with known C2/exfiltration signatures; replay suspicious flows in a sandbox for confirmation.
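The first two detection items above (asymmetric byte counts, and repeated fixed-size payloads at regular intervals over the same connection) can be scored directly from flow records. The following is an added example written for this page; it is not MITRE's code and not taken from any of the cited reports. The flow records, hosts, thresholds (`min_flows`, `max_cv`, `min_ratio`) and the scoring function names are all constructed assumptions for illustration, not a real NetFlow schema.

```python
"""Score per-(src, dst, port) flow groups for T1030-style chunked exfiltration.

Added example for this page (not MITRE's code). Flow records are constructed
tuples: (timestamp_seconds, src_ip, dst_ip, dst_port, bytes_out, bytes_in).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows (assumption: one record per completed flow).
FLOWS = [
    # Host A: ten 4096-byte uploads, one every 60 s, to one external host.
    *[(1000 + 60 * i, "10.0.0.5", "203.0.113.9", 443, 4096, 180) for i in range(10)],
    # Host B: ordinary browsing, varied sizes, downloads dominate.
    (1000, "10.0.0.7", "198.51.100.2", 443, 900, 52000),
    (1030, "10.0.0.7", "198.51.100.3", 443, 1200, 88000),
    (1090, "10.0.0.7", "198.51.100.2", 443, 700, 31000),
    # Host C: internal backup job, heavily asymmetric but irregular sizes/timing.
    (1000, "10.0.0.9", "10.0.0.200", 445, 5_000_000, 2000),
    (1500, "10.0.0.9", "10.0.0.200", 445, 7_200_000, 2100),
    (2300, "10.0.0.9", "10.0.0.200", 445, 3_100_000, 1900),
    (2600, "10.0.0.9", "10.0.0.200", 445, 9_800_000, 2200),
    (3900, "10.0.0.9", "10.0.0.200", 445, 6_400_000, 2050),
]


def group_flows(flows):
    """Bucket flows by (src, dst, dst_port) so each bucket is one 'conversation'."""
    groups = defaultdict(list)
    for ts, src, dst, port, out_b, in_b in flows:
        groups[(src, dst, port)].append((ts, out_b, in_b))
    return groups


def asymmetry_ratio(records):
    """bytes_out / bytes_in for a bucket; guards against a zero denominator."""
    out_total = sum(r[1] for r in records)
    in_total = sum(r[2] for r in records)
    return out_total / max(in_total, 1)


def coefficient_of_variation(values):
    """Population stdev / mean. Near 0 means the values are effectively constant."""
    if len(values) < 2:
        return None
    m = mean(values)
    return pstdev(values) / m if m else None


def score_group(records, min_flows=5, max_cv=0.1, min_ratio=5.0):
    """Return a finding dict for one bucket, or None if too few flows to judge."""
    records = sorted(records)
    if len(records) < min_flows:
        return None
    sizes = [r[1] for r in records]
    intervals = [b[0] - a[0] for a, b in zip(records, records[1:])]
    size_cv = coefficient_of_variation(sizes)
    interval_cv = coefficient_of_variation(intervals)
    ratio = asymmetry_ratio(records)
    findings = []
    if ratio >= min_ratio:
        findings.append("asymmetric")
    if size_cv is not None and size_cv <= max_cv:
        findings.append("fixed_size")
    if interval_cv is not None and interval_cv <= max_cv:
        findings.append("regular_interval")
    return {"flows": len(records), "ratio": ratio, "size_cv": size_cv,
            "interval_cv": interval_cv, "findings": findings}


def detect(flows):
    """Alert only when all three indicators coincide in the same bucket."""
    alerts = {}
    for key, records in group_flows(flows).items():
        s = score_group(records)
        if s and {"asymmetric", "fixed_size", "regular_interval"} <= set(s["findings"]):
            alerts[key] = s
    return alerts


if __name__ == "__main__":
    for key, s in detect(FLOWS).items():
        print(key, s)
```

Requiring all three indicators together is what keeps host C (a large but irregular backup) out of the alert set while host A is flagged. Agent heartbeats and monitoring check-ins also send fixed-size payloads on a schedule, so a hit from this scorer should be joined with the process-to-network mapping and scheduled-task data described in the items above before it is treated as exfiltration.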
Tactics:
Exfiltration
Platforms:
ESXi, Linux, Windows, macOS
Data Sources:
Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow
Relationship Citations:
(Citation: Rclone),(Citation: Bitdefender LuminousMoth July 2021),(Citation: Talos Oblique RAT March 2021),(Citation: Mythc Documentation),(Citation: Rostovcev APT41 2021),(Citation: FireEye POSHSPY April 2017),(Citation: DFIR Conti Bazar Nov 2021),(Citation: Unit 42 OopsIE! Feb 2018),(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021),(Citation: Kaspersky Lyceum October 2021),(Citation: Palo Alto OilRig May 2016),(Citation: Trend Micro Ransomware Spotlight Play July 2023),(Citation: cobaltstrike manual),(Citation: Dell TG-3390),(Citation: CISA Play Ransomware Advisory December 2023),(Citation: FireEye CARBANAK June 2017),(Citation: Mandiant Suspected Turla Campaign February 2023),(Citation: ESET ForSSHe December 2018),(Citation: Cybereason StealBit Exfiltration Tool),(Citation: Unit42 RDAT July 2020),(Citation: ESET Turla Lunar toolset May 2024),(Citation: KISA Operation Muzabi)
Read More: https://attack.mitre.org/techniques/T1030