title: Data Transfer Size Limits (T1030)
id: df00tech-t1030
status: experimental
description: "Adversaries may exfiltrate data in fixed-size chunks instead of whole files, or keep packet sizes below certain thresholds, to avoid triggering network data-transfer threshold alerts. Techniques include splitting archives into equal-sized volumes (e.g., the 7-Zip -v flag, RAR split volumes), using tools like Rclone with the chunker overlay, scripting custom byte-range reads, or configuring C2 implants with fixed send-buffer sizes. Real-world actors including APT28, LuminousMoth, Threat Group-3390, and Play ransomware, and malware families such as Cobalt Strike, POSHSPY, OopsIE, and StealBit, all employ this technique. Detection pivots on file-system artifacts (sequentially numbered archive parts), process command-line analysis (volume-size flags on compression utilities), and network behavioral analysis (repeated uniform-size connections to the same external host)."
references:
  - https://attack.mitre.org/techniques/T1030/
  - https://df00tech.com/detections/T1030
author: df00tech
date: 2026/04/16
tags:
  - attack.t1030
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate backup software (Veeam, Backup Exec, Acronis) that splits archive volumes by size for storage media compatibility"
  - IT administrators manually splitting large log archives or database exports for transfer to off-site storage or ticketing systems
  - "Cloud sync tools (Rclone, rsync wrappers) configured by ops teams to use chunk uploads to cloud storage (S3, GCS, Azure Blob) for large dataset transfers"
  - Software release pipelines splitting large installation packages into volumes for distribution via CD/DVD-size constraints
  - "Developers using split/7z for legitimate data migration tasks, especially around quarter-end when large data sets are archived"
level: medium
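# Added example, not part of the df00tech rule or its KQL/SPL query: the process command-line and
# file-system pivots named in the description, implemented in Python over constructed Sysmon-style
# events. The archiver names, switch regexes and all sample values below are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample process_creation events (Sysmon-style Image + CommandLine), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" a -v10m -pSecret C:\Users\jdoe\out.7z C:\Finance'},
    {"Image": r"C:\Program Files\WinRAR\Rar.exe",
     "CommandLine": r"Rar.exe a -v50m -ep1 D:\stage\docs.rar D:\share\Legal"},
    {"Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r"7z.exe a backup.7z C:\Users\jdoe\Documents"},   # no volume switch: benign
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": r"notepad.exe notes.txt"},
]

# Volume-size switch shared by 7-Zip and RAR: -v<number>[b|k|m|g], e.g. -v10m or -v50000k.
# Anchored on whitespace so unrelated switches such as -pSecret or -ep1 do not match.
VOLUME_SWITCH = re.compile(r"(?:^|\s)-v\d+[bkmg]?(?:\s|$)", re.IGNORECASE)
ARCHIVERS = ("7z.exe", "7za.exe", "rar.exe", "winrar.exe")   # assumed image basenames


def flag_volume_split(event):
    """Return a reason string when an archiver is launched with a volume-size switch, else None."""
    image = event.get("Image", "").lower()
    if not image.endswith(ARCHIVERS):
        return None
    m = VOLUME_SWITCH.search(event.get("CommandLine", ""))
    if not m:
        return None
    name = image.rsplit("\\", 1)[-1]
    return f"{name} invoked with volume-size switch {m.group(0).strip()}"


# Constructed filenames as seen in file-creation telemetry for a staging directory.
SAMPLE_FILES = ["out.7z.001", "out.7z.002", "out.7z.003", "docs.part1.rar", "docs.part2.rar", "readme.txt"]

PART_PATTERNS = [
    re.compile(r"^(?P<base>.+\.7z)\.(?P<n>\d{3})$", re.IGNORECASE),   # 7-Zip volumes: name.7z.001
    re.compile(r"^(?P<base>.+)\.part(?P<n>\d+)\.rar$", re.IGNORECASE), # RAR volumes: name.part1.rar
]


def find_sequential_parts(filenames, min_parts=2):
    """Group numbered archive volumes by base name; return {base: sorted part numbers} for groups >= min_parts."""
    groups = defaultdict(list)
    for fname in filenames:
        for pat in PART_PATTERNS:
            m = pat.match(fname)
            if m:
                groups[m.group("base").lower()].append(int(m.group("n")))
                break
    return {base: sorted(nums) for base, nums in groups.items() if len(nums) >= min_parts}
```

Both functions return structured results so they can feed an alert rather than only print; tune ARCHIVERS and min_parts against the false positives listed above (backup agents, release pipelines).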
