T1030 Google Chronicle · YARA-L

Detect Data Transfer Size Limits in Google Chronicle

Adversaries may exfiltrate data in fixed size chunks instead of whole files, or limit packet sizes below certain thresholds, to avoid triggering network data transfer threshold alerts. Techniques include splitting archives into equal-sized volumes (e.g., 7-Zip -v flag, RAR split volumes), using tools like Rclone with chunker overlay, scripting custom byte-range reads, or configuring C2 implants with fixed send-buffer sizes. Real-world actors including APT28, LuminousMoth, Threat Group-3390, Play ransomware, and malware families like Cobalt Strike, POSHSPY, OopsIE, and StealBit all employ this technique. Detection pivots to file-system artifacts (sequentially numbered archive parts), process command-line analysis (volume-size flags on compression utilities), and network behavioral analysis (repeated uniform-size connections to the same external host).
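The network-behavioural pivot mentioned above (repeated uniform-size connections to the same external host) is not covered by the two YARA-L rules on this page, which work from process and file telemetry. The following Python is an added example, not Argus code, that scores constructed connection records for size uniformity using the coefficient of variation of bytes sent per (host, destination) pair; in UDM the sent-byte count is carried in network.sent_bytes. The thresholds (five or more connections, mean size at least 64 KiB, coefficient of variation at most 2%) and the sample records are assumptions to tune per environment.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NETWORK_CONNECTION-style records (not real telemetry):
# (principal hostname, destination IP, bytes sent by the principal).
# ws01 pushes near-identical 1 MiB chunks to one host; ws02 shows ordinary varied traffic.
SAMPLE_CONNECTIONS = [
    ("ws01", "203.0.113.10", 1048576),
    ("ws01", "203.0.113.10", 1048576),
    ("ws01", "203.0.113.10", 1048576),
    ("ws01", "203.0.113.10", 1048576),
    ("ws01", "203.0.113.10", 1048320),   # final chunk is slightly short
    ("ws02", "198.51.100.7", 52301),
    ("ws02", "198.51.100.7", 1290),
    ("ws02", "198.51.100.7", 880455),
    ("ws02", "198.51.100.7", 14022),
    ("ws02", "198.51.100.7", 3031),
]


def uniform_size_transfers(events, min_connections=5, min_mean_bytes=65536, max_cv=0.02):
    """Return {(host, dest): stats} for pairs whose outbound connections are numerous,
    large, and nearly identical in size. Uniformity is the coefficient of variation
    (population stdev / mean) of bytes sent; all threshold values are assumptions."""
    sizes_by_pair = defaultdict(list)
    for host, dest, sent in events:
        sizes_by_pair[(host, dest)].append(sent)

    findings = {}
    for pair, sizes in sizes_by_pair.items():
        if len(sizes) < min_connections:
            continue                       # too few connections to call it a pattern
        avg = mean(sizes)
        if avg < min_mean_bytes:
            continue                       # small transfers (keepalives, beacons) are out of scope here
        cv = pstdev(sizes) / avg
        if cv <= max_cv:
            findings[pair] = {"connections": len(sizes), "mean_bytes": round(avg), "cv": round(cv, 5)}
    return findings


if __name__ == "__main__":
    for pair, stats in uniform_size_transfers(SAMPLE_CONNECTIONS).items():
        print(pair, stats)
```

Only the ws01 pair is returned: five connections averaging about 1 MiB with a coefficient of variation near 0.0001, while ws02 has the same number of connections but sizes that vary by orders of magnitude. Raising min_connections above the sample count silences the finding, which is the knob to turn first when a pair of hosts with legitimate chunked sync traffic keeps surfacing.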

MITRE ATT&CK

Tactic: Exfiltration
Technique: T1030 Data Transfer Size Limits
Canonical reference: https://attack.mitre.org/techniques/T1030/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1030_data_transfer_size_limits {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1030 Data Transfer Size Limits — compression/transfer tools invoked with volume splitting or chunk-size flags, and sequential chunk archive file creation. Covers 7-Zip, RAR/WinRAR, Rclone, and Unix split."
    mitre_attack_tactic = "Exfiltration"
    mitre_attack_technique = "T1030"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1030/"
    severity = "MEDIUM"
    priority = "MEDIUM"
    version = "1.0"
    created = "2026-04-16"
    platforms = "Windows, Linux"

  events:
    // Signal 1: Process creation with chunk/volume flags on known tools
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.principal.hostname = $hostname
    (
      // /split$ lets a directly executed split binary match (Test 1); the shell branch below covers split run via a shell
      re.regex($proc.target.process.file.full_path, `(?i)(7z\.exe|7za\.exe|7zr\.exe|rar\.exe|winrar\.exe|rclone\.exe|/7z$|/7za$|/rclone$|/rar$|/split$)`) or
      (
        re.regex($proc.target.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|bash|/sh$)`) and
        re.regex($proc.target.process.command_line, `(?i)(\s-v\s|\s/v\s|--max-size|--chunk-size|chunker|split\s-b|split\s-n|--bytes|-v[0-9]+[kmg])`)
      )
    )
    re.regex($proc.target.process.command_line, `(?i)(\s-v[\s0-9]|\s/v[\s0-9]|\s-v[0-9]|--max-size|--chunk-size|chunker|split\s-b|split\s-n|--bytes|-v10m|-v50m|-v100m|-v500m|-v1g|-v1024)`)

  match:
    $hostname over 10m

  outcome:
    $risk_score = max(
      // Path match must be a regex: an exact comparison against "/rclone/" never matches a real binary path
      if(re.regex($proc.target.process.file.full_path, `(?i)rclone`) and re.regex($proc.target.process.command_line, `chunker`), 85,
         if(re.regex($proc.target.process.file.full_path, `(?i)rclone`) and re.regex($proc.target.process.command_line, `--max-size`), 80,
            if(re.regex($proc.target.process.file.full_path, `(?i)(7z|7za|7zr)\.exe`) and re.regex($proc.target.process.command_line, `(\s-v|\s/v)`), 75,
               if(re.regex($proc.target.process.file.full_path, `(?i)(rar|winrar)\.exe`) and re.regex($proc.target.process.command_line, `(\s-v|\s/v)`), 75,
                  65)
            )
         )
      )
    )
    // Wrapped in array_distinct() so the outcome stays aggregated over the 10m match window
    $signal_type = array_distinct(if(
      re.regex($proc.target.process.file.full_path, `(?i)rclone`) and re.regex($proc.target.process.command_line, `chunker`), "RcloneChunker",
      if(re.regex($proc.target.process.file.full_path, `(?i)rclone`) and re.regex($proc.target.process.command_line, `--max-size`), "RcloneMaxSize",
         if(re.regex($proc.target.process.file.full_path, `(?i)(7z|7za|7zr)\.exe`) and re.regex($proc.target.process.command_line, `(\s-v|\s/v)`), "SevenZipVolume",
            if(re.regex($proc.target.process.file.full_path, `(?i)(rar|winrar)\.exe`) and re.regex($proc.target.process.command_line, `(\s-v|\s/v)`), "RarVolume",
               if(re.regex($proc.target.process.command_line, `split\s-[bn]|--bytes`), "UnixSplit",
                  "GenericChunkFlag"))))
    ))

  condition:
    $proc
}

rule t1030_sequential_chunk_files {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1030 Data Transfer Size Limits — 3 or more sequentially numbered archive chunk files created on the same host within 10 minutes, indicating active data chunking for exfiltration."
    mitre_attack_tactic = "Exfiltration"
    mitre_attack_technique = "T1030"
    severity = "MEDIUM"
    priority = "MEDIUM"
    version = "1.0"
    created = "2026-04-16"

  events:
    $file.metadata.event_type = "FILE_CREATION"
    $file.principal.hostname = $hostname
    // Numbered volumes (.001, .r00, .part1, .7z.1) plus _000-style suffixes written by script-based chunkers (Test 3)
    re.regex($file.target.file.full_path,
      `(?i)(\.[0-9]{3}$|_[0-9]{3}$|\.part[0-9]{1,4}$|\.r[0-9]{2}$|(7z|zip|rar|tar|gz|bz2)\.[0-9]{1,3}$)`
    )

  match:
    $hostname over 10m

  outcome:
    $risk_score = 70
    $chunk_count = count($file.target.file.full_path)
    $signal_type = "SequentialChunkFilesCreated"

  condition:
    #file >= 3
}
Severity: Medium · Confidence: High

Two Chronicle YARA-L 2.0 rules detecting T1030 Data Transfer Size Limits. Rule 1 (t1030_data_transfer_size_limits) matches process launch events where 7-Zip, RAR/WinRAR, Rclone, or shell interpreters are invoked with volume-splitting or chunk-size flags (-v, /v, --max-size, --chunk-size, chunker, split -b/n) using UDM process fields. Risk scoring and signal type classification are computed as outcomes. Rule 2 (t1030_sequential_chunk_files) matches FILE_CREATION events with sequentially numbered archive chunk filename patterns and triggers when 3+ such files appear on the same host within a 10-minute window.

Data Sources

  • Google Chronicle SIEM
  • Chronicle Unified Data Model (UDM)
  • Windows Sysmon via Chronicle Forwarder
  • Microsoft Defender for Endpoint via Chronicle ingestion
  • CrowdStrike Falcon via Chronicle ingestion

Required Tables

  • UDM PROCESS_LAUNCH events
  • UDM FILE_CREATION events

False Positives & Tuning

  • Legitimate enterprise backup solutions (Veeam, Commvault, Backup Exec) generating split archives with sequential chunk naming as part of scheduled data protection jobs
  • Rclone usage by cloud platform engineers performing authorized migrations between cloud storage providers with size-limited chunker configurations
  • Software packaging automation in build pipelines creating multi-volume archives for artifact distribution, particularly for large binary releases
  • IT asset management tools or MDM platforms staging software packages in split volumes for distribution to endpoints over bandwidth-constrained links

Testing Methodology

Validate this detection against the 4 adversary techniques from Atomic Red Team listed below. Each test names the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Split a file into fixed-size chunks using the Unix split command

    Expected signal: Linux auditd SYSCALL records for execve() invoking dd and split with arguments. Sysmon for Linux (if deployed) Event ID 1 (ProcessCreate) with Image=/usr/bin/split, CommandLine containing '-b 102400'. File creation events (Sysmon Event ID 11) for /tmp/argus_chunk_00, /tmp/argus_chunk_01, etc. The ls output confirms 5 files of approximately 100KB each.

  2. Test 2: Create a split 7-Zip archive with the volume size flag

    Expected signal: Sysmon Event ID 1 (Process Create): Image=C:\Program Files\7-Zip\7z.exe, CommandLine containing 'a -v1m' and the target path. Sysmon Event ID 11 (File Create): Multiple events for argus_exfil_chunks.7z.001 through .005 in %TEMP%. Security Event ID 4688 (if command line auditing enabled) with same process details. PowerShell/cmd parent process event visible if launched from a script.

  3. Test 3: PowerShell fixed-size file chunking script (implant-style)

    Expected signal: Sysmon Event ID 1 (Process Create): Image=powershell.exe, CommandLine containing ReadAllBytes, WriteAllBytes, and chunkSize=2048. Sysmon Event ID 11 (File Create): Multiple events for argus_chunk_000, argus_chunk_001, etc. in %TEMP%. PowerShell ScriptBlock Log Event ID 4104 will capture the full chunking logic. No compression tool invocation — this tests the file-creation-based detection branch.

  4. Test 4: Rclone file transfer with a chunk size limit

    Expected signal: Sysmon Event ID 1 (Process Create): Image=rclone.exe (or full path), CommandLine containing 'copy', '--max-size', '--transfers'. Security Event ID 4688 (if command line auditing enabled). Sysmon Event ID 3 (Network Connection) would fire if targeting a real remote — absent here due to local target. If rclone is not present the test exits gracefully with a message.
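As an added example that is not part of the Argus rule package, the following Python mirrors the matching logic of both YARA-L rules above so that the expected signals from Tests 1 to 4 can be exercised offline against constructed PROCESS_LAUNCH and FILE_CREATION records, and it adds the backup-agent suppression suggested in the False Positives section. Two departures from the rule text as published are assumptions of this port: the tool-path pattern also accepts a directly executed /split binary (the published path pattern only sees split when launched through a shell), and the chunk-file pattern also accepts _000-style suffixes so that the script-written chunks of Test 3 match. The backup-agent parent names and all sample events are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports of the page's YARA-L patterns. Assumptions of this port: "/split$" is added to the
# tool-path pattern and "_[0-9]{3}$" to the chunk-file pattern (see lead-in).
TOOL_PATH_RE = re.compile(r"(?i)(7z\.exe|7za\.exe|7zr\.exe|rar\.exe|winrar\.exe|rclone\.exe|/7z$|/7za$|/rclone$|/rar$|/split$)")
SHELL_PATH_RE = re.compile(r"(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|bash|/sh$)")
CHUNK_FLAG_RE = re.compile(r"(?i)(\s-v[\s0-9]|\s/v[\s0-9]|--max-size|--chunk-size|chunker|split\s-b|split\s-n|--bytes)")
CHUNK_FILE_RE = re.compile(r"(?i)(\.[0-9]{3}$|_[0-9]{3}$|\.part[0-9]{1,4}$|\.r[0-9]{2}$|(7z|zip|rar|tar|gz|bz2)\.[0-9]{1,3}$)")
# Tuning hook from the False Positives section: parent processes of backup agents (constructed names).
BACKUP_PARENT_RE = re.compile(r"(?i)(veeam|commvault|backup exec)")


def classify_process(path, cmdline):
    """Mirror rule 1's outcome section: return (signal_type, risk_score) or None when rule 1 is silent."""
    if not (TOOL_PATH_RE.search(path) or SHELL_PATH_RE.search(path)):
        return None
    if not CHUNK_FLAG_RE.search(cmdline):
        return None
    is_rclone = re.search(r"(?i)rclone", path) is not None
    volume_flag = re.search(r"(\s-v|\s/v)", cmdline) is not None
    if is_rclone and "chunker" in cmdline:
        return "RcloneChunker", 85
    if is_rclone and "--max-size" in cmdline:
        return "RcloneMaxSize", 80
    if re.search(r"(?i)(7z|7za|7zr)\.exe", path) and volume_flag:
        return "SevenZipVolume", 75
    if re.search(r"(?i)(rar|winrar)\.exe", path) and volume_flag:
        return "RarVolume", 75
    if re.search(r"split\s-[bn]|--bytes", cmdline):
        return "UnixSplit", 65
    return "GenericChunkFlag", 65


def process_alerts(events):
    """Rule 1 over PROCESS_LAUNCH dicts; children of known backup agents are suppressed."""
    alerts = []
    for ev in events:
        if BACKUP_PARENT_RE.search(ev.get("parent", "")):
            continue
        hit = classify_process(ev["path"], ev["cmd"])
        if hit:
            alerts.append((ev["host"], hit[0], hit[1]))
    return alerts


def sequential_chunk_alerts(events, window=timedelta(minutes=10), threshold=3):
    """Rule 2 over FILE_CREATION dicts: {host: count} where >= threshold chunk-named files fall
    inside one window. Chronicle's match window is approximated with a sliding window here."""
    per_host = defaultdict(list)
    for ev in events:
        if CHUNK_FILE_RE.search(ev["path"]):
            per_host[ev["host"]].append(ev["ts"])
    alerts = {}
    for host, stamps in per_host.items():
        stamps.sort()
        best = max(sum(1 for t in stamps[i:] if t - stamps[i] <= window) for i in range(len(stamps)))
        if best >= threshold:
            alerts[host] = best
    return alerts


T0 = datetime(2026, 4, 16, 12, 0, 0)
PROCESS_EVENTS = [  # constructed to resemble the telemetry described in Tests 1-4
    {"host": "lnx01", "path": "/usr/bin/split", "parent": "/bin/bash",
     "cmd": "split -b 102400 /tmp/argus_sample.bin /tmp/argus_chunk_"},
    {"host": "ws01", "path": r"C:\Program Files\7-Zip\7z.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r'"C:\Program Files\7-Zip\7z.exe" a -v1m %TEMP%\argus_exfil_chunks.7z C:\data'},
    {"host": "ws03", "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": "powershell.exe -c $chunkSize=2048; $b=[IO.File]::ReadAllBytes($src); [IO.File]::WriteAllBytes($dst,$part)"},
    {"host": "ws02", "path": r"C:\Tools\rclone.exe", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"rclone.exe copy C:\data remote:bucket --max-size 1M --transfers 4"},
    {"host": "bk01", "path": r"C:\Tools\rclone.exe", "parent": r"C:\Program Files\Veeam\Backup\VeeamAgent.exe",
     "cmd": r"rclone.exe copy D:\backup remote:archive --max-size 2G"},  # allowlisted backup job
]
FILE_EVENTS = [  # constructed: 7-Zip volumes (Test 2), script chunks (Test 3), and a slow non-event
    {"host": "ws01", "path": rf"C:\Users\u\AppData\Local\Temp\argus_exfil_chunks.7z.{n:03d}", "ts": T0 + timedelta(seconds=n)}
    for n in range(1, 6)
] + [
    {"host": "ws03", "path": rf"C:\Users\u\AppData\Local\Temp\argus_chunk_{n:03d}", "ts": T0 + timedelta(minutes=2, seconds=n)}
    for n in range(0, 4)
] + [
    {"host": "ws04", "path": rf"C:\Users\u\Documents\report.7z.{n:03d}", "ts": T0 + timedelta(hours=n)}
    for n in range(1, 4)   # three volumes, but hours apart: outside any single 10-minute window
]

if __name__ == "__main__":
    for alert in process_alerts(PROCESS_EVENTS):
        print("rule1", alert)
    print("rule2", sequential_chunk_alerts(FILE_EVENTS))
```

Running it reproduces the split of responsibilities described in the tests: rule 1 fires for the split, 7-Zip and rclone launches, stays silent for the PowerShell chunker of Test 3 (no recognised flag on the command line), and suppresses the rclone job spawned by the backup agent; rule 2 then catches Test 3 on its five sequential files, while the three report volumes written an hour apart never reach the threshold inside one window.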
