T1030

Data Transfer Size Limits

Adversaries may exfiltrate data in fixed size chunks instead of whole files, or limit packet sizes below certain thresholds, to avoid triggering network data transfer threshold alerts. Techniques include splitting archives into equal-sized volumes (e.g., 7-Zip -v flag, RAR split volumes), using tools like Rclone with chunker overlay, scripting custom byte-range reads, or configuring C2 implants with fixed send-buffer sizes. Real-world actors including APT28, LuminousMoth, Threat Group-3390, Play ransomware, and malware families like Cobalt Strike, POSHSPY, OopsIE, and StealBit all employ this technique. Detection pivots to file-system artifacts (sequentially numbered archive parts), process command-line analysis (volume-size flags on compression utilities), and network behavioral analysis (repeated uniform-size connections to the same external host).

Microsoft Sentinel / Defender

kusto

// T1030 — Data Transfer Size Limits
// Part 1: Process creation — compression/transfer tools with volume/chunk-size flags
let SplittingTools = dynamic(["7z.exe","7za.exe","7zr.exe","rar.exe","winrar.exe","rclone.exe","split"]);
let VolumeFlagPatterns = dynamic([
  " -v", "/v", "-volume", "--max-size", "--chunk-size",
  "chunker", "split -b", "split -n", "--bytes",
  "-v10m","-v50m","-v100m","-v500m","-v1g","-v1024"
]);
let ChunkResults =
  DeviceProcessEvents
  | where Timestamp > ago(24h)
  | where FileName in~ (SplittingTools)
      or (FileName in~ ("cmd.exe","powershell.exe","pwsh.exe","bash","sh") and ProcessCommandLine has_any (VolumeFlagPatterns))
  | where ProcessCommandLine has_any (VolumeFlagPatterns)
  | extend SignalType = case(
      FileName =~ "rclone.exe" and ProcessCommandLine has "chunker", "RcloneChunker",
      FileName =~ "rclone.exe" and ProcessCommandLine has "--max-size", "RcloneMaxSize",
      FileName in~ ("7z.exe","7za.exe","7zr.exe") and ProcessCommandLine has_any ("-v","/v"), "SevenZipVolume",
      FileName in~ ("rar.exe","winrar.exe") and ProcessCommandLine has_any ("-v","/v"), "RarVolume",
      ProcessCommandLine has_any ("split -b","split -n","--bytes"), "UnixSplit",
      "GenericChunkFlag"
    )
  | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
           InitiatingProcessFileName, InitiatingProcessCommandLine, SignalType;
// Part 2: File creation — sequentially numbered archive chunk files appearing in bursts
let ChunkFileResults =
  DeviceFileEvents
  | where Timestamp > ago(24h)
  | where ActionType == "FileCreated"
  | where FileName matches regex @"(?i)\.(00[1-9]|0[1-9][0-9]|[0-9]{3})$"
      or FileName matches regex @"(?i)\.(7z|zip|rar|tar|gz|bz2)\.[0-9]{1,3}$"
      or FileName matches regex @"(?i)\.part[0-9]{1,4}$"
      or FileName matches regex @"(?i)\.r[0-9]{2}$"
  | summarize
      ChunkCount = count(),
      FirstSeen = min(Timestamp),
      LastSeen = max(Timestamp),
      SampleFiles = make_set(FileName, 10),
      FolderPaths = make_set(FolderPath, 5)
    by DeviceName, AccountName, InitiatingProcessFileName, bin(Timestamp, 10m)
  | where ChunkCount >= 3
  | extend SignalType = "SequentialChunkFilesCreated"
  | project
      Timestamp = FirstSeen, DeviceName, AccountName,
      FileName = tostring(SampleFiles),
      ProcessCommandLine = strcat("ChunkCount=", ChunkCount, " Folder=", tostring(FolderPaths)),
      InitiatingProcessFileName,
      InitiatingProcessCommandLine = "",
      SignalType;
union ChunkResults, ChunkFileResults
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Process: Process Creation File: File Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

Legitimate backup software (Veeam, Backup Exec, Acronis) that splits archive volumes by size for storage media compatibility
IT administrators manually splitting large log archives or database exports for transfer to off-site storage or ticketing systems
Cloud sync tools (Rclone, rsync wrappers) configured by ops teams to use chunk uploads to cloud storage (S3, GCS, Azure Blob) for large dataset transfers
Software release pipelines splitting large installation packages into volumes for distribution via CD/DVD-size constraints
Developers using split/7z for legitimate data migration tasks, especially around quarter-end when large data sets are archived

Splunk

spl

| union
  [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
   (Image="*\\7z.exe" OR Image="*\\7za.exe" OR Image="*\\7zr.exe"
    OR Image="*\\rar.exe" OR Image="*\\WinRAR.exe" OR Image="*\\rclone.exe")
   (
     CommandLine="* -v*" OR CommandLine="* /v*" OR CommandLine="*-volume*"
     OR CommandLine="*--max-size*" OR CommandLine="*--chunk-size*"
     OR CommandLine="*chunker*"
   )
  | eval SignalType=case(
      match(Image,"(?i)rclone") AND match(CommandLine,"chunker"),         "RcloneChunker",
      match(Image,"(?i)rclone") AND match(CommandLine,"--max-size"),       "RcloneMaxSize",
      match(Image,"(?i)(7z|7za|7zr)") AND match(CommandLine,"\s(-v|/v)"), "SevenZipVolume",
      match(Image,"(?i)(rar|winrar)") AND match(CommandLine,"\s(-v|/v)"), "RarVolume",
      1=1, "GenericChunkFlag"
    )
  | eval DetectionSource="ProcessCreation"
  | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, SignalType, DetectionSource]
[search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
  (TargetFilename="*.001" OR TargetFilename="*.002" OR TargetFilename="*.003"
   OR TargetFilename="*.part1" OR TargetFilename="*.part2" OR TargetFilename="*.r00"
   OR TargetFilename="*.r01" OR TargetFilename="*.7z.001" OR TargetFilename="*.zip.001"
   OR TargetFilename="*.rar.001")
| eval SignalType="SequentialChunkFile"
| eval DetectionSource="FileCreation"
| stats count as ChunkFileCount, values(TargetFilename) as ChunkFiles, earliest(_time) as FirstSeen, latest(_time) as LastSeen
    by host, User, Image, SignalType, DetectionSource
| where ChunkFileCount >= 3
| eval _time=FirstSeen
| table _time, host, User, Image, ChunkFiles, ChunkFileCount, SignalType, DetectionSource]
| sort - _time

medium severity medium confidence

Data Sources

Process: Process Creation File: File Creation Sysmon Event ID 1 Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate backup software splitting archives for storage media or cloud upload size limits
IT administrator-initiated data migrations involving large split archives
Rclone configured by ops teams for cloud storage with chunk uploads enabled
Software distribution pipelines creating split installation packages
Developers using 7-Zip or split for authorized large dataset archiving

Elastic Security (EQL)

eql

sequence by host.id with maxspan=10m
  [process where event.type == "start"
    and (
      process.name in~ ("7z", "7za", "7zr", "7z.exe", "7za.exe", "7zr.exe", "rar", "rar.exe", "winrar.exe", "rclone", "rclone.exe")
      or (
        process.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh")
        and process.args : ("*-v*", "*--max-size*", "*--chunk-size*", "*chunker*", "*split -b*", "*split -n*", "*--bytes*")
      )
    )
    and process.command_line : ("* -v*", "* /v*", "*-volume*", "*--max-size*", "*--chunk-size*", "*chunker*", "*split -b*", "*split -n*", "*--bytes*", "*-v10m*", "*-v50m*", "*-v100m*", "*-v500m*", "*-v1g*")
  ] by process.entity_id

any where (
  (
    event.category == "process" and event.type == "start"
    and process.name in~ ("7z.exe", "7za.exe", "7zr.exe", "rar.exe", "winrar.exe", "rclone.exe", "7z", "7za", "rclone", "rar")
    and process.command_line : ("* -v*", "* /v*", "*--max-size*", "*--chunk-size*", "*chunker*", "*split -b*", "*split -n*", "*--bytes*")
  )
  or
  (
    event.category == "file" and event.type == "creation"
    and (
      file.name : ("*.001", "*.002", "*.003", "*.004", "*.005",
                   "*.part1", "*.part2", "*.part3",
                   "*.r00", "*.r01", "*.r02",
                   "*.7z.001", "*.zip.001", "*.rar.001",
                   "*.tar.001", "*.gz.001")
    )
  )
)

medium severity high confidence

Data Sources

Elastic Endpoint Security Elastic Agent (endpoint integration) Auditbeat Winlogbeat with Sysmon

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* logs-system.security-* .ds-logs-endpoint*

False Positives

Legitimate IT backup operations using 7-Zip or Rclone with volume splitting to fit archives onto removable media or comply with cloud storage upload limits
Software deployment pipelines or CI/CD systems that package large artifacts into split archives for distribution across constrained storage tiers
System administrators using rclone with --max-size or chunker for authorized cloud migration or data tiering tasks documented in change management
Developer workflows splitting large dataset files into chunks for parallel processing or upload to object storage (S3, GCS, Azure Blob)
Antivirus or endpoint detection products quarantining files using numbered chunk naming conventions that match .001/.002 patterns

IBM QRadar (AQL)

sql

-- Part 1: Process creation with volume/chunk splitting flags
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  "sourceip" AS HostIP,
  username,
  "Process Name" AS ProcessName,
  "Command" AS CommandLine,
  "Parent Process Name" AS ParentProcess,
  CASE
    WHEN LOWER("Process Name") LIKE '%rclone%' AND "Command" LIKE '%chunker%' THEN 'RcloneChunker'
    WHEN LOWER("Process Name") LIKE '%rclone%' AND "Command" LIKE '%--max-size%' THEN 'RcloneMaxSize'
    WHEN (LOWER("Process Name") LIKE '%7z%' OR LOWER("Process Name") LIKE '%7za%' OR LOWER("Process Name") LIKE '%7zr%')
         AND ("Command" LIKE '% -v%' OR "Command" LIKE '% /v%') THEN 'SevenZipVolume'
    WHEN (LOWER("Process Name") LIKE '%rar%' OR LOWER("Process Name") LIKE '%winrar%')
         AND ("Command" LIKE '% -v%' OR "Command" LIKE '% /v%') THEN 'RarVolume'
    WHEN "Command" LIKE '%split -b%' OR "Command" LIKE '%split -n%' OR "Command" LIKE '%--%bytes%' THEN 'UnixSplit'
    ELSE 'GenericChunkFlag'
  END AS SignalType,
  'ProcessCreation' AS DetectionSource
FROM events
WHERE devicetime > NOW() - 86400000
  AND LOGSOURCETYPEID(logsourceid) IN (12, 13, 352, 396)
  AND QIDNAME(qid) IN ('Process Creation', 'Windows Sysmon Process Created')
  AND (
    LOWER("Process Name") LIKE '%7z.exe' OR LOWER("Process Name") LIKE '%7za.exe'
    OR LOWER("Process Name") LIKE '%7zr.exe' OR LOWER("Process Name") LIKE '%rar.exe'
    OR LOWER("Process Name") LIKE '%winrar.exe' OR LOWER("Process Name") LIKE '%rclone.exe'
    OR LOWER("Process Name") LIKE '%/7z' OR LOWER("Process Name") LIKE '%/rclone'
  )
  AND (
    "Command" LIKE '% -v%' OR "Command" LIKE '% /v%'
    OR "Command" LIKE '%--max-size%' OR "Command" LIKE '%--chunk-size%'
    OR "Command" LIKE '%chunker%' OR "Command" LIKE '%split -b%'
    OR "Command" LIKE '%split -n%' OR "Command" LIKE '%--bytes%'
    OR "Command" LIKE '%-v10m%' OR "Command" LIKE '%-v50m%'
    OR "Command" LIKE '%-v100m%' OR "Command" LIKE '%-v500m%'
    OR "Command" LIKE '%-v1g%'
  )
UNION ALL
-- Part 2: File creation events matching sequential chunk naming
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  "sourceip" AS HostIP,
  username,
  "Process Name" AS ProcessName,
  "Target File Name" AS CommandLine,
  NULL AS ParentProcess,
  'SequentialChunkFile' AS SignalType,
  'FileCreation' AS DetectionSource
FROM events
WHERE devicetime > NOW() - 86400000
  AND LOGSOURCETYPEID(logsourceid) IN (12, 13, 352, 396)
  AND QIDNAME(qid) IN ('File Created', 'Windows Sysmon File Created')
  AND (
    "Target File Name" LIKE '%.001' OR "Target File Name" LIKE '%.002'
    OR "Target File Name" LIKE '%.003' OR "Target File Name" LIKE '%.004'
    OR "Target File Name" LIKE '%.part1' OR "Target File Name" LIKE '%.part2'
    OR "Target File Name" LIKE '%.part3' OR "Target File Name" LIKE '%.r00'
    OR "Target File Name" LIKE '%.r01' OR "Target File Name" LIKE '%.7z.001'
    OR "Target File Name" LIKE '%.zip.001' OR "Target File Name" LIKE '%.rar.001'
    OR "Target File Name" LIKE '%.tar.001'
  )
ORDER BY EventTime DESC

medium severity medium confidence

Data Sources

IBM QRadar SIEM Microsoft Windows Security Event Log (via QRadar DSM) Sysmon via QRadar Windows Sysmon DSM Linux Audit via QRadar Linux OS DSM

Required Tables

events

False Positives

Backup software (Veeam, Acronis, Windows Server Backup) creating split volume archives with sequential numbering as part of scheduled backup jobs
Authorized rclone usage by cloud operations teams performing scheduled data synchronization with max-size constraints to avoid API throttling
Software distribution systems splitting large installer packages into multi-volume archives for network delivery to endpoints with limited bandwidth
Database export jobs that produce sequentially numbered output files as a natural artifact of parallel export tooling
Media encoding pipelines generating segment files with numeric suffixes that superficially match archive chunk patterns (e.g., HLS .ts segments)

Sumo Logic CSE

sql

// Part 1: Process creation — compression/transfer tools with chunk/volume flags
(_sourceCategory=*windows* OR _sourceCategory=*endpoint* OR _sourceCategory=*sysmon*)
| where EventID = "1" or EventCode = "1"
| parse field=CommandLine "*" as cmd_full nodrop
| where (
    (
      Image matches "*\\7z.exe" or Image matches "*\\7za.exe" or Image matches "*\\7zr.exe"
      or Image matches "*\\rar.exe" or Image matches "*\\WinRAR.exe" or Image matches "*\\rclone.exe"
      or Image matches "*/7z" or Image matches "*/rclone"
    )
    and (
      CommandLine matches "* -v*" or CommandLine matches "* /v*"
      or CommandLine matches "*--max-size*" or CommandLine matches "*--chunk-size*"
      or CommandLine matches "*chunker*" or CommandLine matches "*split -b*"
      or CommandLine matches "*split -n*" or CommandLine matches "*--bytes*"
      or CommandLine matches "*-v10m*" or CommandLine matches "*-v50m*"
      or CommandLine matches "*-v100m*" or CommandLine matches "*-v500m*"
      or CommandLine matches "*-v1g*"
    )
  )
| if (Image matches "*rclone*" and CommandLine matches "*chunker*", "RcloneChunker",
     if (Image matches "*rclone*" and CommandLine matches "*--max-size*", "RcloneMaxSize",
         if ((Image matches "*7z*") and (CommandLine matches "* -v*" or CommandLine matches "* /v*"), "SevenZipVolume",
             if ((Image matches "*rar*" or Image matches "*winrar*") and (CommandLine matches "* -v*" or CommandLine matches "* /v*"), "RarVolume",
                 if (CommandLine matches "*split -b*" or CommandLine matches "*split -n*" or CommandLine matches "*--bytes*", "UnixSplit",
                     "GenericChunkFlag"))))) as SignalType
| eval DetectionSource = "ProcessCreation"
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, SignalType, DetectionSource

// Part 2 — run as separate query, then correlate:
// (_sourceCategory=*windows* OR _sourceCategory=*sysmon*)
// | where EventID = "11" or EventCode = "11"
// | where TargetFilename matches "*.001" or TargetFilename matches "*.002"
//     or TargetFilename matches "*.003" or TargetFilename matches "*.part1"
//     or TargetFilename matches "*.part2" or TargetFilename matches "*.r00"
//     or TargetFilename matches "*.r01" or TargetFilename matches "*.7z.001"
//     or TargetFilename matches "*.zip.001" or TargetFilename matches "*.rar.001"
// | timeslice 10m
// | stats count as ChunkFileCount, values(TargetFilename) as ChunkFiles,
//         first(Computer) as Host, first(User) as User, first(Image) as Process
//   by _timeslice, Host
// | where ChunkFileCount >= 3
// | eval SignalType = "SequentialChunkFilesCreated"
// | eval DetectionSource = "FileCreation"
// | fields _timeslice, Host, User, Process, ChunkFiles, ChunkFileCount, SignalType, DetectionSource

medium severity high confidence

Data Sources

Sumo Logic Continuous Intelligence Platform Windows Event Log via Sumo Logic Installed Collector Sysmon logs via Sumo Logic Installed Collector Sumo Logic Cloud SIEM Enterprise (CSE) with Windows normalized schema

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon* _sourceCategory=*endpoint*

False Positives

Routine IT backup jobs using WinRAR or 7-Zip with multi-volume flags to create archives sized for optical media, USB drives, or email attachment limits
DevOps tooling (Rclone in cloud sync pipelines) configured with --max-size or chunker overlay to work within cloud provider upload constraints
Pentest or red team engagements with authorized scope that include data staging using standard split-archive utilities
Software build systems generating split distributables or patch packages with sequential volume numbering for enterprise software distribution

Google Chronicle / SecOps

yaral

rule t1030_data_transfer_size_limits {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1030 Data Transfer Size Limits — compression/transfer tools invoked with volume splitting or chunk-size flags, and sequential chunk archive file creation. Covers 7-Zip, RAR/WinRAR, Rclone, and Unix split."
    mitre_attack_tactic = "Exfiltration"
    mitre_attack_technique = "T1030"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1030/"
    severity = "MEDIUM"
    priority = "MEDIUM"
    version = "1.0"
    created = "2026-04-16"
    platforms = "Windows, Linux"

  events:
    // Signal 1: Process creation with chunk/volume flags on known tools
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.principal.hostname = $hostname
    (
      re.regex($proc.target.process.file.full_path, `(?i)(7z\.exe|7za\.exe|7zr\.exe|rar\.exe|winrar\.exe|rclone\.exe|/7z$|/7za$|/rclone$|/rar$)`) or
      (
        re.regex($proc.target.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|bash|/sh$)`) and
        re.regex($proc.target.process.command_line, `(?i)(\s-v\s|\s/v\s|--max-size|--chunk-size|chunker|split\s-b|split\s-n|--bytes|-v[0-9]+[kmg])`)
      )
    )
    re.regex($proc.target.process.command_line, `(?i)(\s-v[\s0-9]|\s/v[\s0-9]|\s-v[0-9]|--max-size|--chunk-size|chunker|split\s-b|split\s-n|--bytes|-v10m|-v50m|-v100m|-v500m|-v1g|-v1024)`)

  match:
    $hostname over 10m

  outcome:
    $risk_score = max(
      if($proc.target.process.file.full_path = "/rclone/" and re.regex($proc.target.process.command_line, "chunker"), 85,
         if($proc.target.process.file.full_path = "/rclone/" and re.regex($proc.target.process.command_line, "--max-size"), 80,
            if(re.regex($proc.target.process.file.full_path, `(?i)(7z|7za|7zr)\.exe`) and re.regex($proc.target.process.command_line, `(\s-v|\s/v)`), 75,
               if(re.regex($proc.target.process.file.full_path, `(?i)(rar|winrar)\.exe`) and re.regex($proc.target.process.command_line, `(\s-v|\s/v)`), 75,
                  65)
            )
         )
      )
    )
    $signal_type = if(
      re.regex($proc.target.process.file.full_path, `(?i)rclone`) and re.regex($proc.target.process.command_line, `chunker`), "RcloneChunker",
      if(re.regex($proc.target.process.file.full_path, `(?i)rclone`) and re.regex($proc.target.process.command_line, `--max-size`), "RcloneMaxSize",
         if(re.regex($proc.target.process.file.full_path, `(?i)(7z|7za|7zr)\.exe`) and re.regex($proc.target.process.command_line, `(\s-v|\s/v)`), "SevenZipVolume",
            if(re.regex($proc.target.process.file.full_path, `(?i)(rar|winrar)\.exe`) and re.regex($proc.target.process.command_line, `(\s-v|\s/v)`), "RarVolume",
               if(re.regex($proc.target.process.command_line, `split\s-[bn]|--bytes`), "UnixSplit",
                  "GenericChunkFlag"))))
    )

  condition:
    $proc
}

rule t1030_sequential_chunk_files {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1030 Data Transfer Size Limits — 3 or more sequentially numbered archive chunk files created on the same host within 10 minutes, indicating active data chunking for exfiltration."
    mitre_attack_tactic = "Exfiltration"
    mitre_attack_technique = "T1030"
    severity = "MEDIUM"
    priority = "MEDIUM"
    version = "1.0"
    created = "2026-04-16"

  events:
    $file.metadata.event_type = "FILE_CREATION"
    $file.principal.hostname = $hostname
    re.regex($file.target.file.full_path,
      `(?i)(\.(00[1-9]|0[1-9][0-9]|[0-9]{3})$|\.part[0-9]{1,4}$|\.r[0-9]{2}$|(7z|zip|rar|tar|gz|bz2)\.[0-9]{1,3}$)`
    )

  match:
    $hostname over 10m

  outcome:
    $risk_score = 70
    $chunk_count = count($file.target.file.full_path)
    $signal_type = "SequentialChunkFilesCreated"

  condition:
    #file >= 3
}

medium severity high confidence

Data Sources

Google Chronicle SIEM Chronicle Unified Data Model (UDM) Windows Sysmon via Chronicle Forwarder Microsoft Defender for Endpoint via Chronicle ingestion CrowdStrike Falcon via Chronicle ingestion

Required Tables

UDM PROCESS_LAUNCH events UDM FILE_CREATION events

False Positives

Legitimate enterprise backup solutions (Veeam, Commvault, Backup Exec) generating split archives with sequential chunk naming as part of scheduled data protection jobs
Rclone usage by cloud platform engineers performing authorized migrations between cloud storage providers with size-limited chunker configurations
Software packaging automation in build pipelines creating multi-volume archives for artifact distribution, particularly for large binary releases
IT asset management tools or MDM platforms staging software packages in split volumes for distribution to endpoints over bandwidth-constrained links

CrowdStrike LogScale (CQL)

cql

// Part 1: Process creation — compression/transfer tools with volume/chunk flags
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(7z\.exe|7za\.exe|7zr\.exe|rar\.exe|winrar\.exe|rclone\.exe|\/7z$|\/7za$|\/rclone$|\/rar$)/
| CommandLine = /(?i)(\s-v[\s0-9]|\s\/v[\s0-9]|--max-size|--chunk-size|chunker|split\s-[bn]|--bytes|-v10m|-v50m|-v100m|-v500m|-v1g|-v1024)/
| SignalType := case(
    CommandLine = /(?i)rclone/ AND CommandLine = /chunker/, "RcloneChunker",
    CommandLine = /(?i)rclone/ AND CommandLine = /--max-size/, "RcloneMaxSize",
    ImageFileName = /(?i)(7z|7za|7zr)\.exe/ AND CommandLine = /(\s-v|\s\/v)/, "SevenZipVolume",
    ImageFileName = /(?i)(rar|winrar)\.exe/ AND CommandLine = /(\s-v|\s\/v)/, "RarVolume",
    CommandLine = /split\s-[bn]|--bytes/, "UnixSplit",
    * , "GenericChunkFlag"
  )
| table([_timeutc, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, SignalType])

// ----

// Part 2: File write events — sequentially numbered archive chunk files
// Run as separate query
#event_simpleName=PeFileWritten OR #event_simpleName=ScriptFileWritten OR #event_simpleName=SuspiciousWrittenFile
| TargetFileName = /(?i)(\.(00[1-9]|0[1-9][0-9]|[0-9]{3})$|\.part[0-9]{1,4}$|\.r[0-9]{2}$|(7z|zip|rar|tar|gz|bz2)\.[0-9]{1,3}$)/
| groupBy([ComputerName, UserName, ParentBaseFileName], function=[
    count(as=ChunkFileCount),
    collect(TargetFileName, as=ChunkFiles, limit=10),
    min(_timeutc, as=FirstSeen),
    max(_timeutc, as=LastSeen)
  ])
| ChunkFileCount >= 3
| SignalType := "SequentialChunkFilesCreated"
| table([FirstSeen, ComputerName, UserName, ParentBaseFileName, ChunkFiles, ChunkFileCount, SignalType])
| sort(FirstSeen, order=desc)

medium severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection CrowdStrike Falcon LogScale (Humio) CrowdStrike Falcon Event Stream (FDR) CrowdStrike Falcon for IT Hygiene

Required Tables

ProcessRollup2 PeFileWritten ScriptFileWritten SuspiciousWrittenFile

False Positives

Legitimate administrator use of rclone for authorized cloud storage synchronization tasks with --max-size configured to comply with provider API rate limits
Endpoint backup agents using 7-Zip or WinRAR in volume-split mode to create archives within size thresholds for upload to backup destinations
IT provisioning or software deployment tools that create split package archives as part of documented software distribution workflows to managed endpoints
Security product installers or EDR update packages delivered in multi-part archive formats that match sequential chunk file naming conventions

Last updated: 2026-04-16 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1030 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Data Transfer Size Limits

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Exfiltration

Popular Detections