T1030 Microsoft Sentinel · KQL

Detect Data Transfer Size Limits in Microsoft Sentinel

Adversaries may exfiltrate data in fixed size chunks instead of whole files, or limit packet sizes below certain thresholds, to avoid triggering network data transfer threshold alerts. Techniques include splitting archives into equal-sized volumes (e.g., 7-Zip -v flag, RAR split volumes), using tools like Rclone with chunker overlay, scripting custom byte-range reads, or configuring C2 implants with fixed send-buffer sizes. Real-world actors including APT28, LuminousMoth, Threat Group-3390, Play ransomware, and malware families like Cobalt Strike, POSHSPY, OopsIE, and StealBit all employ this technique. Detection pivots to file-system artifacts (sequentially numbered archive parts), process command-line analysis (volume-size flags on compression utilities), and network behavioral analysis (repeated uniform-size connections to the same external host).

MITRE ATT&CK

Tactic: Exfiltration
Technique: T1030 Data Transfer Size Limits
Canonical reference: https://attack.mitre.org/techniques/T1030/

KQL Detection Query

Microsoft Sentinel (KQL)
```kusto
// T1030 — Data Transfer Size Limits
// Part 1: Process creation — compression/transfer tools with volume/chunk-size flags
let SplittingTools = dynamic(["7z.exe","7za.exe","7zr.exe","rar.exe","winrar.exe","rclone.exe","split"]);
let ShellHosts = dynamic(["cmd.exe","powershell.exe","pwsh.exe","bash","sh"]);
// Multi-character flags are matched as terms with has_any. The 7-Zip/RAR volume switch
// (-v10m, /v1g, -v1024) is a single token, so `has "-v"` would not match it; that switch
// is matched with a regex instead.
let VolumeFlagPatterns = dynamic(["-volume", "--max-size", "--chunk-size", "chunker", "--bytes"]);
let ChunkResults =
  DeviceProcessEvents
  | where Timestamp > ago(24h)
  | where FileName in~ (SplittingTools) or FileName in~ (ShellHosts)
  | where ProcessCommandLine has_any (VolumeFlagPatterns)
      or ProcessCommandLine matches regex @"(?i)(^|\s)[-/]v\d+[bkmg]?\b"
      or ProcessCommandLine matches regex @"(?i)\bsplit\s+-[bn]\b"
  | extend SignalType = case(
      FileName =~ "rclone.exe" and ProcessCommandLine has "chunker", "RcloneChunker",
      FileName =~ "rclone.exe" and ProcessCommandLine has "--max-size", "RcloneMaxSize",
      FileName in~ ("7z.exe","7za.exe","7zr.exe") and ProcessCommandLine matches regex @"(?i)(^|\s)[-/]v\d+[bkmg]?\b", "SevenZipVolume",
      FileName in~ ("rar.exe","winrar.exe") and ProcessCommandLine matches regex @"(?i)(^|\s)[-/]v\d+[bkmg]?\b", "RarVolume",
      ProcessCommandLine matches regex @"(?i)\bsplit\s+-[bn]\b" or ProcessCommandLine has "--bytes", "UnixSplit",
      "GenericChunkFlag"
    )
  | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
           InitiatingProcessFileName, InitiatingProcessCommandLine, SignalType;
// Part 2: File creation — sequentially numbered archive chunk files appearing in bursts
let ChunkFileResults =
  DeviceFileEvents
  | where Timestamp > ago(24h)
  | where ActionType == "FileCreated"
  | where FileName matches regex @"(?i)\.[0-9]{3}$"                          // archive.7z.001, data.002
      or FileName matches regex @"(?i)\.(7z|zip|rar|tar|gz|bz2)\.[0-9]{1,3}$"
      or FileName matches regex @"(?i)\.part[0-9]{1,4}$"                     // archive.part1
      or FileName matches regex @"(?i)\.r[0-9]{2}$"                          // WinRAR .r00/.r01
      or FileName matches regex @"[_-][0-9]{2,4}$"                           // split -d / scripted chunk_000 (no extension)
  | summarize
      ChunkCount = count(),
      FirstSeen = min(Timestamp),
      LastSeen = max(Timestamp),
      SampleFiles = make_set(FileName, 10),
      FolderPaths = make_set(FolderPath, 5)
    by DeviceName, AccountName, InitiatingProcessFileName, bin(Timestamp, 10m)
  | where ChunkCount >= 3
  | extend SignalType = "SequentialChunkFilesCreated"
  | project
      Timestamp = FirstSeen, DeviceName, AccountName,
      FileName = tostring(SampleFiles),
      ProcessCommandLine = strcat("ChunkCount=", ChunkCount, " Folder=", tostring(FolderPaths)),
      InitiatingProcessFileName,
      InitiatingProcessCommandLine = "",
      SignalType;
union ChunkResults, ChunkFileResults
| sort by Timestamp desc
```

Severity: medium · Confidence: medium

Detects data chunking for exfiltration via two correlated signals: (1) process creation events where compression or sync tools (7-Zip, WinRAR, Rclone, Unix split) are invoked with volume-size or chunk-size flags that indicate deliberate file splitting, and (2) file creation bursts of sequentially numbered archive parts (e.g., .001/.002/.003, .part1/.part2, .r00/.r01) appearing within a 10-minute window. Results from both signals are unioned with a SignalType label so analysts can quickly distinguish command-line evidence from filesystem artifacts.
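To check the two signals against telemetry before deploying them, the following is an added example (not from the original page or the rule author) that re-implements the command-line classification and the 10-minute file-creation burst logic in Python. The record dictionaries mimic DeviceProcessEvents and DeviceFileEvents column names but are hand-built sample data (an assumption); the device names, accounts and file names are constructed, and the `[_-][0-9]{2,4}$` pattern is included so the scripted `argus_chunk_000` naming from Test 3 is covered by the file branch.

```python
# Added example (not from the original page): an offline re-implementation of the
# query's two signals so the filename patterns and the burst threshold can be
# exercised against constructed telemetry without a Sentinel workspace.
# Record dicts mimic DeviceProcessEvents / DeviceFileEvents column names but are
# hand-built sample data (assumption), not real Defender for Endpoint output.
import re
from collections import defaultdict
from datetime import datetime, timedelta

SPLITTING_TOOLS = {"7z.exe", "7za.exe", "7zr.exe", "rar.exe", "winrar.exe", "rclone.exe", "split"}
GENERIC_FLAGS = ("-volume", "--max-size", "--chunk-size", "chunker", "--bytes")
# The 7-Zip / RAR volume switch is one token (-v10m, /v1g, -v1024), so a term match on
# "-v" would miss it; match the whole switch with a regex instead.
VOLUME_SWITCH = re.compile(r"(?:^|\s)[-/]v\d+[bkmg]?\b", re.IGNORECASE)
UNIX_SPLIT = re.compile(r"\bsplit\s+-[bn]\b|--bytes", re.IGNORECASE)

CHUNK_NAME_PATTERNS = [
    re.compile(r"\.[0-9]{3}$"),                                        # archive.7z.001, data.002
    re.compile(r"\.(7z|zip|rar|tar|gz|bz2)\.[0-9]{1,3}$", re.IGNORECASE),
    re.compile(r"\.part[0-9]{1,4}$", re.IGNORECASE),                   # archive.part1
    re.compile(r"\.r[0-9]{2}$", re.IGNORECASE),                        # WinRAR old-style .r00/.r01
    re.compile(r"[_-][0-9]{2,4}$"),                                    # split -d / scripted chunk_000
]


def classify_command_line(file_name, cmdline):
    """Part 1 of the query: return the SignalType label for a process-creation
    record, or None when it does not look like deliberate file splitting."""
    name = file_name.lower()
    cmd = cmdline.lower()
    if name == "rclone.exe" and "chunker" in cmd:
        return "RcloneChunker"
    if name == "rclone.exe" and "--max-size" in cmd:
        return "RcloneMaxSize"
    if name in {"7z.exe", "7za.exe", "7zr.exe"} and VOLUME_SWITCH.search(cmdline):
        return "SevenZipVolume"
    if name in {"rar.exe", "winrar.exe"} and VOLUME_SWITCH.search(cmdline):
        return "RarVolume"
    if UNIX_SPLIT.search(cmdline):
        return "UnixSplit"
    if name in SPLITTING_TOOLS and (VOLUME_SWITCH.search(cmdline) or any(f in cmd for f in GENERIC_FLAGS)):
        return "GenericChunkFlag"
    return None


def is_chunk_name(file_name):
    """True when the file name looks like one part of a split archive or chunk series."""
    return any(p.search(file_name) for p in CHUNK_NAME_PATTERNS)


def find_chunk_bursts(file_events, min_chunks=3, bin_minutes=10):
    """Part 2 of the query: bucket FileCreated events with chunk-like names by
    (device, account, initiating process, time bin) and keep buckets holding at
    least min_chunks files. bin_minutes must divide 60, as bin(Timestamp, 10m) does."""
    buckets = defaultdict(list)
    for ev in file_events:
        if ev["ActionType"] != "FileCreated" or not is_chunk_name(ev["FileName"]):
            continue
        ts = ev["Timestamp"]
        bin_start = ts.replace(minute=(ts.minute // bin_minutes) * bin_minutes, second=0, microsecond=0)
        key = (ev["DeviceName"], ev["AccountName"], ev["InitiatingProcessFileName"], bin_start)
        buckets[key].append(ev)
    alerts = []
    for (device, account, proc, _bin), evs in buckets.items():
        if len(evs) < min_chunks:
            continue
        alerts.append({
            "SignalType": "SequentialChunkFilesCreated",
            "DeviceName": device, "AccountName": account, "InitiatingProcessFileName": proc,
            "ChunkCount": len(evs),
            "FirstSeen": min(e["Timestamp"] for e in evs),
            "LastSeen": max(e["Timestamp"] for e in evs),
            "SampleFiles": sorted({e["FileName"] for e in evs})[:10],   # make_set(FileName, 10)
            "FolderPaths": sorted({e["FolderPath"] for e in evs})[:5],  # make_set(FolderPath, 5)
        })
    return sorted(alerts, key=lambda a: a["FirstSeen"])


def _ev(device, account, proc, folder, name, ts, action="FileCreated"):
    return {"DeviceName": device, "AccountName": account, "InitiatingProcessFileName": proc,
            "FolderPath": folder, "FileName": name, "Timestamp": ts, "ActionType": action}


T0 = datetime(2024, 5, 6, 9, 1, 0)
TMP = r"C:\Users\alice\AppData\Local\Temp"
# Constructed sample telemetry: one 7-Zip volume burst, one PowerShell chunk burst, and
# two .part files 12 minutes apart that land in different bins and must not alert.
SAMPLE_FILE_EVENTS = (
    [_ev("WS01", "alice", "7z.exe", TMP, f"argus_exfil_chunks.7z.{i:03d}", T0 + timedelta(seconds=10 * i)) for i in range(1, 6)]
    + [_ev("WS01", "alice", "notepad.exe", TMP, "notes.txt", T0 + timedelta(seconds=5))]
    + [_ev("WS02", "bob", "explorer.exe", r"D:\share", "report.part1", datetime(2024, 5, 6, 10, 5, 0)),
       _ev("WS02", "bob", "explorer.exe", r"D:\share", "report.part2", datetime(2024, 5, 6, 10, 17, 0))]
    + [_ev("SRV01", "svc_backup", "powershell.exe", TMP, f"argus_chunk_{i:03d}", datetime(2024, 5, 6, 11, 30, i)) for i in range(4)]
    + [_ev("SRV01", "svc_backup", "powershell.exe", TMP, "argus_chunk_099", datetime(2024, 5, 6, 11, 31, 0), action="FileModified")]
)

if __name__ == "__main__":
    print(classify_command_line("7z.exe", r"7z.exe a -v1m C:\Temp\out.7z C:\Data"))
    for alert in find_chunk_bursts(SAMPLE_FILE_EVENTS):
        print(alert["DeviceName"], alert["ChunkCount"], alert["SampleFiles"])
```

Running the script prints `SevenZipVolume` followed by the two bursts (WS01 with 5 files, SRV01 with 4); the `report.part1`/`report.part2` pair is split across two bins and stays below the threshold, which is the same gap the KQL `bin(Timestamp, 10m)` grouping has for slow, evenly spaced chunk writes.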

Data Sources

  • Process: Process Creation
  • File: File Creation
  • Microsoft Defender for Endpoint

Required Tables

  • DeviceProcessEvents
  • DeviceFileEvents

False Positives & Tuning

  • Legitimate backup software (Veeam, Backup Exec, Acronis) that splits archive volumes by size for storage media compatibility
  • IT administrators manually splitting large log archives or database exports for transfer to off-site storage or ticketing systems
  • Cloud sync tools (Rclone, rsync wrappers) configured by ops teams to use chunk uploads to cloud storage (S3, GCS, Azure Blob) for large dataset transfers
  • Software release pipelines splitting large installation packages into volumes for distribution via CD/DVD-size constraints
  • Developers using split/7z for legitimate data migration tasks, especially around quarter-end when large data sets are archived

Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Split a file into fixed-size chunks using the Unix split command

    Expected signal: Linux auditd SYSCALL records for execve() invoking dd and split with arguments. Sysmon for Linux (if deployed) Event ID 1 (ProcessCreate) with Image=/usr/bin/split, CommandLine containing '-b 102400'. File creation events (Sysmon Event ID 11) for /tmp/argus_chunk_00, /tmp/argus_chunk_01, etc. The ls output confirms 5 files of approximately 100KB each.

  2. Test 2: Create a split 7-Zip archive with the volume-size flag

    Expected signal: Sysmon Event ID 1 (Process Create): Image=C:\Program Files\7-Zip\7z.exe, CommandLine containing 'a -v1m' and the target path. Sysmon Event ID 11 (File Create): Multiple events for argus_exfil_chunks.7z.001 through .005 in %TEMP%. Security Event ID 4688 (if command line auditing enabled) with same process details. PowerShell/cmd parent process event visible if launched from a script.

  3. Test 3: PowerShell fixed-size file chunking script (implant-style)

    Expected signal: Sysmon Event ID 1 (Process Create): Image=powershell.exe, CommandLine containing ReadAllBytes, WriteAllBytes, and chunkSize=2048. Sysmon Event ID 11 (File Create): Multiple events for argus_chunk_000, argus_chunk_001, etc. in %TEMP%. PowerShell ScriptBlock Log Event ID 4104 will capture the full chunking logic. No compression tool invocation — this tests the file-creation-based detection branch.

  4. Test 4: Rclone file transfer with a chunk size limit

    Expected signal: Sysmon Event ID 1 (Process Create): Image=rclone.exe (or full path), CommandLine containing 'copy', '--max-size', '--transfers'. Security Event ID 4688 (if command line auditing enabled). Sysmon Event ID 3 (Network Connection) would fire if targeting a real remote — absent here due to local target. If rclone is not present the test exits gracefully with a message.
