Update T1030.yaml Network-Based Data Transfer in Small Chunks

[prashanthpulisetti]

Atomic Test # - T1030 - Data Transfer Size Limits: Network-Based Data Transfer in Small Chunks

Objective

Simulate the technique of transferring data over a network in small chunks to evade size-based detection mechanisms.

Description

This test involves transferring data over a network (either to a controlled external endpoint like example.com) in small, segmented sizes. This simulates an adversary's behavior in conducting stealthy data exfiltration.

Details:
This atomic test is part of the T1030 category, focusing on data transfer size limits. The specific objective of this test is to demonstrate how an adversary might split a larger data file into smaller chunks for exfiltration, thereby evading detection mechanisms that are typically triggered by large data transfers. The test uses a PowerShell script to split a specified file into chunks and then simulate their transfer over the network to a designated URL. This approach helps in understanding and improving the detection mechanisms for fragmented data exfiltration.

Testing:
The test was initially developed and tested in a controlled Windows environment. The PowerShell script was executed with different file sizes and chunk sizes to ensure its effectiveness and reliability. The test was also integrated into a local automated testing framework, which confirmed its compatibility across different Windows versions and network configurations. Observations from the test were used to refine the detection strategies, particularly focusing on network traffic analysis and monitoring of small, frequent data transfers.

Associated Issues:
Currently, there are no known issues associated with this atomic test. It is a new addition to the atomic tests for T1030 - Data Transfer Size Limits and has been created to enhance the detection capabilities for stealthy data exfiltration techniques. Any future issues or improvements identified will be addressed in subsequent updates to the test.

[prashanthpulisetti]

Hi @clr2of8, I'm seeing the following error:

File "/home/runner/.cache/pypoetry/virtualenvs/atomic-red-team-raX-clyF-py3.11/lib/python3.11/site-packages/ruamel/yaml/constructor.py", line 276, in check_mapping_key
    raise DuplicateKeyError(*args)
ruamel.yaml.constructor.DuplicateKeyError: while constructing a mapping
  in "./atomics/T1033/T1033.yaml", line 109, column 3
found duplicate key "auto_generated_guid" with value "35b88076-7edb-4eb5-bdc5-11ede7f45c6a" (original value: "ba38e193-37a6-4c[41](https://github.com/redcanaryco/atomic-red-team/actions/runs/7592526149/job/20681960232?pr=2658#step:6:42)-b214-61b33277fe36")
  in "./atomics/T1033/T1033.yaml", line 114, column 3

can you help me in resolving this?

Thanks,

[clr2of8]

Which execution framework are you using to try to run the atomic? Invoke-AtomicRedTeam? My first suggestion is to move the auto_generated_guid right after the name key

[prashanthpulisetti]

Which execution framework are you using to try to run the atomic? Invoke-AtomicRedTeam? My first suggestion is to move the auto_generated_guid right after the name key

Thank you @clr2of8 ! it worked!