title: Rclone Execution via Command Line or PowerShell id: e37db05d-d1f9-49c8-b464-cee1a4b11638 related: - id: a0d63692-a531-4912-ad39-4393325b2a9c type: obsoletes - id: cb7286ba-f207-44ab-b9e6-760d82b84253 type: obsoletes description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc status: experimental date: 2021/05/10 modified: 2021/10/24 author: Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group references: - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/ - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a - https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone - https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html logsource: product: windows category: process_creation detection: detect_by_option: CommandLine|contains|all: - '--config ' - '--no-check-certificate ' - ' copy ' exec_selection: Image|endswith: '\rclone.exe' ParentImage|endswith: - '\PowerShell.exe' - '\cmd.exe' command_selection: CommandLine|contains: - 'pass' - 'user' - 'copy' - 'sync' - 'config' - 'lsd' - 'remote' - 'ls' - 'mega' - 'pcloud' - 'ftp' - 'ignore-existing' - 'auto-confirm' - 'transfers' - 'multi-thread-streams' - 'no-check-certificate ' description_selection: Description: 'Rsync for cloud storage' condition: detect_by_option or command_selection and ( description_selection or exec_selection ) fields: - CommandLine - ParentCommandLine - Details tags: - attack.exfiltration - attack.t1567.002 falsepositives: - Legitimate RClone use level: high