title: RClone Execution
author: Bhabesh Raj, Sittikorn S
date: 2021/05/10
description: Detects execution of RClone utility for exfiltration as used by various
  ransomwares strains like REvil, Conti, FiveHands, etc
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    Description: Rsync for cloud storage
  SELECTION_3:
    CommandLine: '*--config *'
  SELECTION_4:
    CommandLine: '*--no-check-certificate *'
  SELECTION_5:
    CommandLine: '* copy *'
  SELECTION_6:
    Image:
    - '*\rclone.exe'
  SELECTION_7:
    CommandLine:
    - '*mega*'
    - '*pcloud*'
    - '*ftp*'
    - '*--progress*'
    - '*--ignore-existing*'
    - '*--auto-confirm*'
    - '*--transfers*'
    - '*--multi-thread-streams*'
  condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 and SELECTION_4 and SELECTION_5)
    or (SELECTION_6 and SELECTION_7)))
falsepositives:
- Legitimate RClone use
fields:
- CommandLine
- ParentCommandLine
- Details
id: a0d63692-a531-4912-ad39-4393325b2a9c
level: high
logsource:
  category: process_creation
  product: windows
modified: 2021/06/29
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
- https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone
- https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html
status: experimental
tags:
- attack.exfiltration
- attack.t1567.002