blue-team-tools/rules/windows/process_creation/win_susp_rclone_execution.yml

title: Rclone Execution via Command Line or PowerShell
id: e37db05d-d1f9-49c8-b464-cee1a4b11638 
related:
    - id: a0d63692-a531-4912-ad39-4393325b2a9c
      type: obsoletes 
    - id: cb7286ba-f207-44ab-b9e6-760d82b84253
      type: obsoletes
description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
status: experimental
date: 2021/05/10
modified: 2021/10/24
author: Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group
references:
    - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware
    - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
    - https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone
    - https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html
logsource:
    product: windows
    category: process_creation
detection:
    detect_by_option:
        CommandLine|contains|all:
            - '--config '
            - '--no-check-certificate '
            - ' copy '
    exec_selection:
        Image|endswith: '\rclone.exe'
        ParentImage|endswith:
            - '\PowerShell.exe'
            - '\cmd.exe'
    command_selection:
        CommandLine|contains:
            - 'pass'
            - 'user'
            - 'copy'
            - 'sync'
            - 'config'
            - 'lsd'
            - 'remote'
            - 'ls'
            - 'mega'
            - 'pcloud'
            - 'ftp'
            - 'ignore-existing'
            - 'auto-confirm'
            - 'transfers'
            - 'multi-thread-streams'
            - 'no-check-certificate '
    description_selection:
        Description: 'Rsync for cloud storage'
    condition: detect_by_option or command_selection and ( description_selection or exec_selection )
fields:
    - CommandLine
    - ParentCommandLine
    - Details
tags:
    - attack.exfiltration
    - attack.t1567.002
falsepositives:
    - Legitimate RClone use
level: high