Add: sigma rules (#175)

rules/sigma/windows/process_creation/sysmon_rclone_execution.yml

@@ -0,0 +1,53 @@
+
+title: RClone Execution
+author: Bhabesh Raj, Sittikorn S
+date: 2021/05/10
+description: Detects execution of RClone utility for exfiltration as used by various
+  ransomwares strains like REvil, Conti, FiveHands, etc
+detection:
+  SELECTION_1:
+    EventID: 1
+  SELECTION_2:
+    Description: Rsync for cloud storage
+  SELECTION_3:
+    CommandLine: '*--config *'
+  SELECTION_4:
+    CommandLine: '*--no-check-certificate *'
+  SELECTION_5:
+    CommandLine: '* copy *'
+  SELECTION_6:
+    Image:
+    - '*\rclone.exe'
+  SELECTION_7:
+    CommandLine:
+    - '*mega*'
+    - '*pcloud*'
+    - '*ftp*'
+    - '*--progress*'
+    - '*--ignore-existing*'
+    - '*--auto-confirm*'
+    - '*--transfers*'
+    - '*--multi-thread-streams*'
+  condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 and SELECTION_4 and SELECTION_5)
+    or (SELECTION_6 and SELECTION_7)))
+falsepositives:
+- Legitimate RClone use
+fields:
+- CommandLine
+- ParentCommandLine
+- Details
+id: a0d63692-a531-4912-ad39-4393325b2a9c
+level: high
+logsource:
+  category: process_creation
+  product: windows
+modified: 2021/06/29
+references:
+- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware
+- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
+- https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone
+- https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html
+status: experimental
+tags:
+- attack.exfiltration
+- attack.t1567.002