2022-10-18 10:15:33 +02:00
|
|
|
title: Rclone Activity via Proxy
|
2022-10-18 17:32:38 +11:00
|
|
|
id: 2c03648b-e081-41a5-b9fb-7d854a915091
|
2022-10-25 10:08:58 +02:00
|
|
|
status: experimental
|
2022-10-18 10:15:33 +02:00
|
|
|
description: Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string
|
2022-10-18 17:32:38 +11:00
|
|
|
references:
|
2022-10-25 10:08:58 +02:00
|
|
|
- https://rclone.org/
|
|
|
|
|
- https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone
|
|
|
|
|
author: Janantha Marasinghe
|
2022-10-18 17:32:38 +11:00
|
|
|
date: 2022/10/18
|
2022-10-18 10:15:33 +02:00
|
|
|
tags:
|
2022-10-25 10:08:58 +02:00
|
|
|
- attack.exfiltration
|
|
|
|
|
- attack.t1567.002
|
2022-10-18 17:32:38 +11:00
|
|
|
logsource:
|
2022-10-25 10:08:58 +02:00
|
|
|
category: proxy
|
2022-10-18 17:32:38 +11:00
|
|
|
detection:
|
2022-10-25 10:08:58 +02:00
|
|
|
selection:
|
|
|
|
|
c-useragent|startswith: 'rclone/v'
|
|
|
|
|
condition: selection
|
2022-10-18 17:32:38 +11:00
|
|
|
fields:
|
2022-10-25 10:08:58 +02:00
|
|
|
- c-ip
|
2022-10-18 17:32:38 +11:00
|
|
|
falsepositives:
|
2022-10-25 10:08:58 +02:00
|
|
|
- Valid requests with this exact user agent to that is used by legitimate scripts or sysadmin operations
|
2022-10-18 17:21:54 +02:00
|
|
|
level: medium
|
