Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Ограничение размера передаваемых данных

An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.

ID: T1030
Тактика(-и): Exfiltration
Платформы: Linux, macOS, Windows
Источники данных: Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow
Версия: 1.0
Дата создания: 31 May 2017
Последнее изменение: 14 Jul 2020

Примеры процедур

Название Описание
Play

Play has split victims' files into chunks for exfiltration.(Citation: CISA Play Ransomware Advisory December 2023)(Citation: Trend Micro Ransomware Spotlight Play July 2023)

LuminousMoth

LuminousMoth has split archived files into multiple parts to bypass a 5MB limit.(Citation: Bitdefender LuminousMoth July 2021)

Threat Group-3390

Threat Group-3390 actors have split RAR files for exfiltration into parts.(Citation: Dell TG-3390)

OopsIE

OopsIE exfiltrates command output and collected files to its C2 server in 1500-byte blocks.(Citation: Unit 42 OopsIE! Feb 2018)

POSHSPY

POSHSPY uploads data in 2048-byte chunks.(Citation: FireEye POSHSPY April 2017)

During C0026, the threat actors split encrypted archives containing stolen files and information into 3MB parts prior to exfiltration.(Citation: Mandiant Suspected Turla Campaign February 2023)

Kessel

Kessel can split the data to be exilftrated into chunks that will fit in subdomains of DNS queries.(Citation: ESET ForSSHe December 2018)

Kevin

Kevin can exfiltrate data to the C2 server in 27-character chunks.(Citation: Kaspersky Lyceum October 2021)

ObliqueRAT

ObliqueRAT can break large files of interest into smaller chunks to prepare them for exfiltration.(Citation: Talos Oblique RAT March 2021)

AppleSeed

AppleSeed has divided files if the size is 0x1000000 bytes or more.(Citation: KISA Operation Muzabi)

Cobalt Strike

Cobalt Strike will break large data sets into smaller chunks for exfiltration.(Citation: cobaltstrike manual)

RDAT

RDAT can upload a file via HTTP POST response to the C2 split into 102,400-byte portions. RDAT can also download data from the C2 which is split into 81,920-byte portions.(Citation: Unit42 RDAT July 2020)

Mythic

Mythic supports custom chunk sizes used to upload/download files.(Citation: Mythc Documentation)

Rclone

The Rclone "chunker" overlay supports splitting large files in smaller chunks during upload to circumvent size limits.(Citation: Rclone)(Citation: DFIR Conti Bazar Nov 2021)

APT28

APT28 has split archived exfiltration files into chunks smaller than 1MB.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

During C0015, the threat actors limited Rclone's bandwidth setting during exfiltration.(Citation: DFIR Conti Bazar Nov 2021)

LunarWeb

LunarWeb can split exfiltrated data that exceeds 1.33 MB in size into multiple random sized parts between 384 and 512 KB.(Citation: ESET Turla Lunar toolset May 2024)

APT41

APT41 transfers post-exploitation files dividing the payload into fixed-size chunks to evade detection.(Citation: Rostovcev APT41 2021)

Carbanak

Carbanak exfiltrates data in compressed chunks if a message is larger than 4096 bytes .(Citation: FireEye CARBANAK June 2017)

Helminth

Helminth splits data into chunks up to 23 bytes and sends the data in DNS queries to its C2 server.(Citation: Palo Alto OilRig May 2016)

Контрмеры

Контрмера Описание
Network Intrusion Prevention

Use intrusion detection signatures to block traffic at network boundaries.

Data Transfer Size Limits Mitigation

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

Обнаружение

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). If a process maintains a long connection during which it consistently sends fixed size data packets or a process opens connections and sends fixed sized data packets at regular intervals, it may be performing an aggregate data transfer. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)

Ссылки

  1. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
  2. Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024.
  3. CISA. (2023, December 18). #StopRansomware: Play Ransomware AA23-352A. Retrieved September 24, 2024.
  4. Botezatu, B and etl. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022.
  5. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  6. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  7. Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
  8. Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.
  9. Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.
  10. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
  11. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.
  12. KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
  13. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  14. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
  15. Thomas, C. (n.d.). Mythc Documentation. Retrieved March 25, 2022.
  16. Nick Craig-Wood. (n.d.). Rclone syncs your files to cloud storage. Retrieved August 30, 2022.
  17. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
  18. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
  19. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
  20. Nikita Rostovcev. (2022, August 18). APT41 World Tour 2021 on a tight schedule. Retrieved February 22, 2024.
  21. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  22. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.