MacOS Data Chunking

Splunk Security Content

Summary
MacOS Data Chunking is an anomaly detection rule designed to identify covert data exfiltration attempts by monitoring for unusual data chunking activity. It flags commands typically used to split or copy large files into smaller parts, such as dd and split, which can be used to evade size-based controls. The analytic leverages osquery endpoint data to detect specific process patterns (e.g., dd with wildcard arguments, split with -b) and correlates them with destination paths, original file names, and process lineage. When triggered, it surfaces a risk-oriented event indicating that a file was split on a given destination by a specific user via a particular process, enabling analysts to investigate potential data leakage. The rule is intended for MacOS environments with osquery process auditing enabled and is designed to be deployed across indexers and forwarders so that the data models are populated. False positives can occur from legitimate automation or administrative tasks; tuning the filter macros is recommended to reduce such noise. This detection is aligned with macOS post-exploitation techniques and maps to MITRE ATT&CK technique T1030 (Data Transfer Size Limits) by focusing on data handling anomalies rather than static indicators.
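The matching the summary describes, as an added Python example that is not the rule's own SPL: it replays the split -b and dd-with-wildcard patterns over constructed osquery-style process rows and pulls out the user, original file, destination and parent that the risk event carries. The field names, sample rows and the allowlist standing in for the filter macro are assumptions.

```python
# Added example: the dd/split matching described above, replayed in Python
# over constructed osquery-style process_events rows (not the rule's SPL).
import shlex
from pathlib import PurePosixPath

# Constructed sample rows; field names mimic osquery's process_events table.
EVENTS = [
    {"uid": "alice", "path": "/usr/bin/split", "parent_path": "/bin/zsh",
     "cmdline": "split -b 9m /Users/alice/Documents/payroll.db /tmp/.cache/part_"},
    {"uid": "alice", "path": "/bin/dd", "parent_path": "/bin/zsh",
     "cmdline": "dd if=/Users/alice/export/*.tar of=/Volumes/USB/chunk bs=1m"},
    {"uid": "root", "path": "/usr/sbin/periodic", "parent_path": "/sbin/launchd",
     "cmdline": "periodic daily"},
    {"uid": "alice", "path": "/usr/bin/split", "parent_path": "/bin/zsh",
     "cmdline": "split -l 1000 access.log"},  # line-based split, no -b: not flagged
    {"uid": "backup", "path": "/usr/bin/split", "parent_path": "/usr/local/bin/backup.sh",
     "cmdline": "split -b 100m /backup/img.dmg /backup/img.part_"},  # tuned out below
]

# Stand-in for the rule's filter macro (assumed): parents that legitimately chunk files.
ALLOWED_PARENTS = {"/usr/local/bin/backup.sh"}

def chunking_events(events, allowed_parents=ALLOWED_PARENTS):
    """Return one risk event per process running 'split -b' or 'dd' with a
    wildcard argument, carrying user, source file, destination and parent."""
    hits = []
    for ev in events:
        if ev["parent_path"] in allowed_parents:
            continue  # the filter macro's job: drop known-good automation
        argv = shlex.split(ev["cmdline"])
        name = PurePosixPath(ev["path"]).name
        if name == "split" and "-b" in argv:
            # positional args = everything that is not a flag or the -b size value
            pos = [a for i, a in enumerate(argv[1:], 1)
                   if not a.startswith("-") and argv[i - 1] != "-b"]
            src = pos[0] if pos else "<stdin>"
            dest = pos[1] if len(pos) > 1 else "x"  # split's default prefix
        elif name == "dd" and any("*" in a for a in argv):
            src = next((a[3:] for a in argv if a.startswith("if=")), "<stdin>")
            dest = next((a[3:] for a in argv if a.startswith("of=")), "<stdout>")
        else:
            continue
        hits.append({"user": ev["uid"], "process": name, "parent": ev["parent_path"],
                     "original_file": src, "dest": dest})
    return hits

if __name__ == "__main__":
    for h in chunking_events(EVENTS):
        print(f"{h['user']} split {h['original_file']} to {h['dest']} via {h['process']}")
```

Passing an empty set as allowed_parents shows the third, backup-script hit that the allowlist suppresses, which is the tuning the summary recommends.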
Categories
  • Endpoint
  • macOS
Data Sources
  • User Account
  • Process
  • File
  • Kernel
ATT&CK Techniques
  • T1030
Created: 2026-02-26