Detect Data Transfer Size Limits in Sumo Logic CSE
Adversaries may exfiltrate data in fixed size chunks instead of whole files, or limit packet sizes below certain thresholds, to avoid triggering network data transfer threshold alerts. Techniques include splitting archives into equal-sized volumes (e.g., 7-Zip -v flag, RAR split volumes), using tools like Rclone with chunker overlay, scripting custom byte-range reads, or configuring C2 implants with fixed send-buffer sizes. Real-world actors including APT28, LuminousMoth, Threat Group-3390, Play ransomware, and malware families like Cobalt Strike, POSHSPY, OopsIE, and StealBit all employ this technique. Detection pivots to file-system artifacts (sequentially numbered archive parts), process command-line analysis (volume-size flags on compression utilities), and network behavioral analysis (repeated uniform-size connections to the same external host).
MITRE ATT&CK
- Tactic
- Exfiltration
- Technique
- T1030 Data Transfer Size Limits
- Canonical reference
- https://attack.mitre.org/techniques/T1030/
Sumo Detection Query
// Part 1: Process creation — compression/transfer tools with chunk/volume flags
(_sourceCategory=*windows* OR _sourceCategory=*endpoint* OR _sourceCategory=*sysmon*)
| where EventID = "1" or EventCode = "1"
| parse field=CommandLine "*" as cmd_full nodrop
| where (
(
Image matches "*\\7z.exe" or Image matches "*\\7za.exe" or Image matches "*\\7zr.exe"
or Image matches "*\\rar.exe" or Image matches "*\\WinRAR.exe" or Image matches "*\\rclone.exe"
or Image matches "*/7z" or Image matches "*/rclone"
)
and (
CommandLine matches "* -v*" or CommandLine matches "* /v*"
or CommandLine matches "*--max-size*" or CommandLine matches "*--chunk-size*"
or CommandLine matches "*chunker*" or CommandLine matches "*split -b*"
or CommandLine matches "*split -n*" or CommandLine matches "*--bytes*"
or CommandLine matches "*-v10m*" or CommandLine matches "*-v50m*"
or CommandLine matches "*-v100m*" or CommandLine matches "*-v500m*"
or CommandLine matches "*-v1g*"
)
)
| if (Image matches "*rclone*" and CommandLine matches "*chunker*", "RcloneChunker",
if (Image matches "*rclone*" and CommandLine matches "*--max-size*", "RcloneMaxSize",
if ((Image matches "*7z*") and (CommandLine matches "* -v*" or CommandLine matches "* /v*"), "SevenZipVolume",
if ((Image matches "*rar*" or Image matches "*winrar*") and (CommandLine matches "* -v*" or CommandLine matches "* /v*"), "RarVolume",
if (CommandLine matches "*split -b*" or CommandLine matches "*split -n*" or CommandLine matches "*--bytes*", "UnixSplit",
"GenericChunkFlag"))))) as SignalType
| eval DetectionSource = "ProcessCreation"
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, SignalType, DetectionSource
// Part 2 — run as separate query, then correlate:
// (_sourceCategory=*windows* OR _sourceCategory=*sysmon*)
// | where EventID = "11" or EventCode = "11"
// | where TargetFilename matches "*.001" or TargetFilename matches "*.002"
// or TargetFilename matches "*.003" or TargetFilename matches "*.part1"
// or TargetFilename matches "*.part2" or TargetFilename matches "*.r00"
// or TargetFilename matches "*.r01" or TargetFilename matches "*.7z.001"
// or TargetFilename matches "*.zip.001" or TargetFilename matches "*.rar.001"
// | timeslice 10m
// | stats count as ChunkFileCount, values(TargetFilename) as ChunkFiles,
// first(Computer) as Host, first(User) as User, first(Image) as Process
// by _timeslice, Host
// | where ChunkFileCount >= 3
// | eval SignalType = "SequentialChunkFilesCreated"
// | eval DetectionSource = "FileCreation"
// | fields _timeslice, Host, User, Process, ChunkFiles, ChunkFileCount, SignalType, DetectionSourceDetects T1030 Data Transfer Size Limits in Sumo Logic by querying Windows/Sysmon process creation events (EventID 1) for known archive and transfer utilities (7-Zip, RAR/WinRAR, Rclone, Unix split) invoked with volume or chunk-size arguments. A secondary companion query (commented inline) targets Sysmon file creation events (EventID 11) matching sequential archive chunk filename patterns (.001, .part1, .r00, .7z.001) and aggregates over 10-minute windows, alerting when 3+ chunk files appear from the same host. Signal types are classified to match reference KQL/SPL detection categories.
Data Sources
Required Tables
False Positives & Tuning
- Routine IT backup jobs using WinRAR or 7-Zip with multi-volume flags to create archives sized for optical media, USB drives, or email attachment limits
- DevOps tooling (Rclone in cloud sync pipelines) configured with --max-size or chunker overlay to work within cloud provider upload constraints
- Pentest or red team engagements with authorized scope that include data staging using standard split-archive utilities
- Software build systems generating split distributables or patch packages with sequential volume numbering for enterprise software distribution
Other platforms for T1030
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Split file into fixed-size chunks using Unix split command
Expected signal: Linux auditd SYSCALL records for execve() invoking dd and split with arguments. Sysmon for Linux (if deployed) Event ID 1 (ProcessCreate) with Image=/usr/bin/split, CommandLine containing '-b 102400'. File creation events (Sysmon Event ID 11) for /tmp/argus_chunk_00, /tmp/argus_chunk_01, etc. The ls output confirms 5 files of approximately 100KB each.
- Test 2Create split 7-Zip archive with volume size flag
Expected signal: Sysmon Event ID 1 (Process Create): Image=C:\Program Files\7-Zip\7z.exe, CommandLine containing 'a -v1m' and the target path. Sysmon Event ID 11 (File Create): Multiple events for argus_exfil_chunks.7z.001 through .005 in %TEMP%. Security Event ID 4688 (if command line auditing enabled) with same process details. PowerShell/cmd parent process event visible if launched from a script.
- Test 3PowerShell fixed-size file chunking script (implant-style)
Expected signal: Sysmon Event ID 1 (Process Create): Image=powershell.exe, CommandLine containing ReadAllBytes, WriteAllBytes, and chunkSize=2048. Sysmon Event ID 11 (File Create): Multiple events for argus_chunk_000, argus_chunk_001, etc. in %TEMP%. PowerShell ScriptBlock Log Event ID 4104 will capture the full chunking logic. No compression tool invocation — this tests the file-creation-based detection branch.
- Test 4Rclone file exfiltration with chunk size limit
Expected signal: Sysmon Event ID 1 (Process Create): Image=rclone.exe (or full path), CommandLine containing 'copy', '--max-size', '--transfers'. Security Event ID 4688 (if command line auditing enabled). Sysmon Event ID 3 (Network Connection) would fire if targeting a real remote — absent here due to local target. If rclone is not present the test exits gracefully with a message.
References (12)
- https://attack.mitre.org/techniques/T1030/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a
- https://www.trendmicro.com/en_us/research/23/g/play-ransomware-spotlight.html
- https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-stealer-and-a-possible-china-nexus-link/
- https://unit42.paloaltonetworks.com/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/
- https://www.mandiant.com/resources/blog/poshspy-backdoor-powershell
- https://www.welivesecurity.com/2018/12/05/forssh-kessel-run-ssh-botnet/
- https://unit42.paloaltonetworks.com/rdat-new-oilrig-backdoor/
- https://rclone.org/chunker/
- https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
- https://www.cybereason.com/blog/research/threat-analysis-report-stealbit-the-custom-exfiltration-tool-of-lockbit
- https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF
Unlock Pro Content
Get the full detection package for T1030 including response playbook, investigation guide, and atomic red team tests.