From f34c32882ad225d06925f938a06f93c1ad40c398 Mon Sep 17 00:00:00 2001
From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com>
Date: Tue, 18 Oct 2022 17:32:38 +1100
Subject: [PATCH 1/3] proxy_ua_rclone.yml
Adding this rule after reading https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone. It is more relevant to O365 but it may help via proxy too if this off O365.
---
 rules/proxy/proxy_ua_rclone.yml | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 rules/proxy/proxy_ua_rclone.yml
diff --git a/rules/proxy/proxy_ua_rclone.yml b/rules/proxy/proxy_ua_rclone.yml
new file mode 100644
index 000000000..b07250092
--- /dev/null
+++ b/rules/proxy/proxy_ua_rclone.yml
@@ -0,0 +1,29 @@
+title: Detect Rclone activity via Proxy
+id: 2c03648b-e081-41a5-b9fb-7d854a915091
+status: Experimental
+description: Detects rclone via its default user-agent string when HTTP protocol is used for transmission of data.
+author: Janantha Marasinghe
+references:
+ - https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone
+date: 2022/10/18
+modified: 2022/10/18
+logsource:
+ category: proxy
+detection:
+ selection:
+ c-useragent: 'rclone\*'
+ cs-method:
+ -'POST'
+ -'GET'
+ -'PUT'
+ condition: selection
+fields:
+ - c-uri
+ - c-ip
+ - c-useragent
+falsepositives:
+ - Valid requests with this exact user agent to that is used by legitimate scripts or sysadmin operations.
+level: high
+tags:
+ - attack.exfiltration
+ - attack.t1567.002
From 458428bf5fc796b3cdc95d31f4750e72b1ad1f8d Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 18 Oct 2022 10:15:33 +0200
Subject: [PATCH 2/3] Update proxy_ua_rclone.yml
---
 rules/proxy/proxy_ua_rclone.yml | 42 ++++++++++++++-------------------
 1 file changed, 18 insertions(+), 24 deletions(-)
diff --git a/rules/proxy/proxy_ua_rclone.yml b/rules/proxy/proxy_ua_rclone.yml
index b07250092..1f9088300 100644
--- a/rules/proxy/proxy_ua_rclone.yml
+++ b/rules/proxy/proxy_ua_rclone.yml
@@ -1,29 +1,23 @@
-title: Detect Rclone activity via Proxy
+title: Rclone Activity via Proxy
 id: 2c03648b-e081-41a5-b9fb-7d854a915091
-status: Experimental
-description: Detects rclone via its default user-agent string when HTTP protocol is used for transmission of data.
+status: experimental
+description: Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string
 author: Janantha Marasinghe
 references:
- - https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone
+ - https://rclone.org/
+ - https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone
 date: 2022/10/18
-modified: 2022/10/18
-logsource:
- category: proxy
-detection:
- selection:
- c-useragent: 'rclone\*'
- cs-method:
- -'POST'
- -'GET'
- -'PUT'
- condition: selection
-fields:
- - c-uri
- - c-ip
- - c-useragent
-falsepositives:
- - Valid requests with this exact user agent to that is used by legitimate scripts or sysadmin operations.
-level: high
 tags:
- - attack.exfiltration
- - attack.t1567.002
+ - attack.exfiltration
+ - attack.t1567.002
+logsource:
+ category: proxy
+detection:
+ selection:
+ c-useragent|startswith: 'rclone/v'
+ condition: selection
+fields:
+ - c-ip
+falsepositives:
+ - Valid requests with this exact user agent to that is used by legitimate scripts or sysadmin operations
+level: high
From eada6ed58973024a311c58b5d60248a7ad69d129 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 18 Oct 2022 17:21:54 +0200
Subject: [PATCH 3/3] Update proxy_ua_rclone.yml
---
 rules/proxy/proxy_ua_rclone.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/proxy/proxy_ua_rclone.yml b/rules/proxy/proxy_ua_rclone.yml
index 1f9088300..706bc3437 100644
--- a/rules/proxy/proxy_ua_rclone.yml
+++ b/rules/proxy/proxy_ua_rclone.yml
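Review bot: The new `fields` list keeps only `c-ip` and drops the `c-uri` and `c-useragent` entries the first version had, which are the two values an analyst needs first when triaging a hit: the user-agent carries the rclone version that matched, and the URI shows which cloud endpoint the data was sent to, so I would restore them as `  - c-uri` / `  - c-ip` / `  - c-useragent`. The rewritten `falsepositives` entry still reads "with this exact user agent to that is used by", which is ungrammatical; suggest `- Valid requests with this exact user agent that are made by legitimate scripts or sysadmin operations`. Since `c-useragent|startswith: 'rclone/v'` only matches clients that keep rclone's default user-agent string, it would help to say in the description that rclone traffic with a customised user-agent is out of scope for this rule, so readers do not treat a miss as proof of absence.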
@@ -20,4 +20,4 @@ fields:
 - c-ip
 falsepositives:
 - Valid requests with this exact user agent to that is used by legitimate scripts or sysadmin operations
-level: high
+level: medium