title: Rclone Config File Creation
id: 34986307-b7f4-49be-92f3-e7a4d01ac5db
description: Detects Rclone config file being created
status: experimental
date: 2021/05/26
modified: 2021/06/27
author: Aaron Greetham (@beardofbinary) - NCC Group
references:
    - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
tags:
    - attack.exfiltration
    - attack.t1567.002
falsepositives:
    - Legitimate Rclone usage (rare)
level: high 
logsource:
    product: windows
    category: file_event
detection:
    file_selection:
        EventID: 11
        TargetFilename|contains|all:
            - ':\Users\'
            - '\.config\rclone\'
    condition: file_selection