Esc
Data Transfer Size Limits - T1030

(ATT&CK® Technique)
Definition

An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.
D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.
        graph LR;

     T1030["Data Transfer Size Limits"] --> |produces| InternetNetworkTraffic["Internet Network Traffic"]; class T1030 OffensiveTechniqueNode;
        class InternetNetworkTraffic ArtifactNode; click InternetNetworkTraffic href "/dao/artifact/d3f:InternetNetworkTraffic";
        click T1030 href "/offensive-technique/attack/T1030/"; click InternetNetworkTraffic href "/dao/artifact/d3f:InternetNetworkTraffic";             NetworkTrafficFiltering["Network Traffic Filtering"] -->
          | filters | InternetNetworkTraffic["Internet Network Traffic"];

          NetworkTrafficFiltering["Network Traffic Filtering"] -.->
            | may-isolate | T1030["Data Transfer Size Limits"] ;
          class NetworkTrafficFiltering DefensiveTechniqueNode;
          class InternetNetworkTraffic ArtifactNode;
          click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering";              Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
          | analyzes | InternetNetworkTraffic["Internet Network Traffic"];

          Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
            | may-detect | T1030["Data Transfer Size Limits"] ;
          class Client-serverPayloadProfiling DefensiveTechniqueNode;
          class InternetNetworkTraffic ArtifactNode;
          click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
          | analyzes | InternetNetworkTraffic["Internet Network Traffic"];

          RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
            | may-detect | T1030["Data Transfer Size Limits"] ;
          class RemoteTerminalSessionDetection DefensiveTechniqueNode;
          class InternetNetworkTraffic ArtifactNode;
          click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
          | analyzes | InternetNetworkTraffic["Internet Network Traffic"];

          NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.->
            | may-detect | T1030["Data Transfer Size Limits"] ;
          class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
          class InternetNetworkTraffic ArtifactNode;
          click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis"; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
          | analyzes | InternetNetworkTraffic["Internet Network Traffic"];

          NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
            | may-detect | T1030["Data Transfer Size Limits"] ;
          class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
          class InternetNetworkTraffic ArtifactNode;
          click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation";                     ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
          | analyzes | InternetNetworkTraffic["Internet Network Traffic"];

          ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
            | may-detect | T1030["Data Transfer Size Limits"] ;
          class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
          class InternetNetworkTraffic ArtifactNode;
          click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection";                                  PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
          | analyzes | InternetNetworkTraffic["Internet Network Traffic"];

          PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
            | may-detect | T1030["Data Transfer Size Limits"] ;
          class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
          class InternetNetworkTraffic ArtifactNode;
          click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis";  UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
          | analyzes | InternetNetworkTraffic["Internet Network Traffic"];

          UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
            | may-detect | T1030["Data Transfer Size Limits"] ;
          class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
          class InternetNetworkTraffic ArtifactNode;
          click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis";
json