DET0213 Detection Strategy for Data Transfer Size Limits and Chunked Exfiltration
| Item | Value |
|---|---|
| ID | DET0213 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1030 (Data Transfer Size Limits)
Analytics
Windows
AN0596
Adversary uses a process to establish outbound connections that transmit uniform packet sizes at a consistent interval, avoiding threshold-based network alerts.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| PacketSizeThreshold | Minimum repetitive size in bytes to consider as anomalous behavior (e.g., 512B or 1024B) |
| IntervalRepeatWindow | Timeframe over which repeated, evenly spaced transfers are flagged |
| KnownServicePorts | Common ports expected to exhibit protocol behavior; outliers flagged if not matching expected usage |
Linux
AN0597
Outbound connections from non-network-facing processes repeatedly send similarly sized payloads within uniform time intervals.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| ProcessNetworkBaseline | Whitelist of typical binaries expected to generate outbound connections (e.g., wget, curl) |
| PayloadLengthVariance | Deviation threshold to consider data ‘fixed size’ (e.g., ±5% size delta) |
| RepeatFrequencyThreshold | Number of observed transfers per minute/hour that signals anomalous repetition |
macOS
AN0598
Processes on macOS initiate external connections that consistently transmit data in fixed sizes using LaunchAgents or unexpected users.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| LaunchdJobContext | Agent context in which transfer occurs (e.g., user/privileged) |
| TransferSizeMedian | Used to define what constitutes ‘fixed size’ chunks |
| TransferProtocolOutlier | Detect if protocol usage deviates from common apps for given destination |
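The following is an added example, not code from the ATT&CK strategy page or from MITRE: it applies the mutable elements defined across the three analytics above (a process baseline, a payload size variance, and a repeat-count threshold, plus an assumed interval jitter tolerance) to constructed outbound-connection records and returns the process/destination flows whose transfers are uniform in both size and cadence. Field names, default values and the sample records are assumptions chosen for illustration.

```python
"""Flag processes that send near-uniform payload sizes at near-even intervals."""
from collections import defaultdict
from statistics import median

# Tunables named after the strategy's mutable elements (assumed default values)
PAYLOAD_LENGTH_VARIANCE = 0.05     # +/-5% of median bytes counts as "fixed size"
INTERVAL_JITTER = 0.10             # +/-10% of median gap counts as "evenly spaced"
REPEAT_FREQUENCY_THRESHOLD = 5     # at least this many transfers per flow in the window
PROCESS_NETWORK_BASELINE = {"curl", "wget", "firefox"}  # binaries expected to talk outbound

def _within(values, tolerance):
    """True when every value lies within +/-tolerance (fraction) of the median."""
    mid = median(values)
    return mid > 0 and all(abs(v - mid) <= tolerance * mid for v in values)

def find_chunked_exfil(events, variance=PAYLOAD_LENGTH_VARIANCE,
                       jitter=INTERVAL_JITTER, min_count=REPEAT_FREQUENCY_THRESHOLD,
                       baseline=PROCESS_NETWORK_BASELINE):
    """events: dicts with ts (seconds), process, dst, bytes_out.
    Returns (process, dst) pairs whose transfers are fixed-size and evenly spaced."""
    by_flow = defaultdict(list)
    for e in events:
        if e["process"] not in baseline:          # ProcessNetworkBaseline
            by_flow[(e["process"], e["dst"])].append(e)
    hits = []
    for flow, evs in by_flow.items():
        evs.sort(key=lambda e: e["ts"])
        if len(evs) < min_count:                  # RepeatFrequencyThreshold
            continue
        sizes = [e["bytes_out"] for e in evs]
        gaps = [b["ts"] - a["ts"] for a, b in zip(evs, evs[1:])]
        if _within(sizes, variance) and _within(gaps, jitter):   # PayloadLengthVariance
            hits.append(flow)
    return hits

# Constructed sample: one chunked, clock-like sender and one bursty, variable-size sender
SAMPLE_EVENTS = [
    {"ts": 60 * i, "process": "updater.bin", "dst": "203.0.113.5:443", "bytes_out": 1024 + (i % 3)}
    for i in range(8)
] + [
    {"ts": 7 * i, "process": "python3", "dst": "198.51.100.9:8080", "bytes_out": 300 + 250 * i}
    for i in range(8)
]

if __name__ == "__main__":
    print(find_chunked_exfil(SAMPLE_EVENTS))   # [('updater.bin', '203.0.113.5:443')]
```

Raising `min_count` or adding a process to `baseline` shows how each mutable element suppresses the alert; the variable-size `python3` flow never matches because its sizes fail the variance check even though it is outside the baseline.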