title: RClone Execution
id: a0d63692-a531-4912-ad39-4393325b2a9c
status: experimental
description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
tags:
    - attack.exfiltration
    - attack.t1567.002
author: Bhabesh Raj
date: 2021/05/10
references:
    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware
    - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
    - https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone
fields:
    - CommandLine
    - ParentCommandLine
    - Details
falsepositives:
    - Legitimate RClone use
level: high
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Description: 'Rsync for cloud storage'
    selection2:
        CommandLine|contains|all:
            - '--config '
            - '--no-check-certificate '
            - ' copy '
    condition: 1 of them