title: Rclone Execution via Command Line or PowerShell
ruletype: Sigma
author: Aaron Greetham (@beardofbinary) - NCC Group
date: 2021/05/26
description: Detects Rclone which is commonly used by ransomware groups for exfiltration
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    CommandLine:
    - '* pass *'
    - '* user *'
    - '* copy *'
    - '* mega *'
    - '* sync *'
    - '* config *'
    - '* lsd *'
    - '* remote *'
    - '* ls *'
  SELECTION_3:
    Description: Rsync for cloud storage
  SELECTION_4:
    Image: '*\rclone.exe'
  SELECTION_5:
    ParentImage:
    - '*\PowerShell.exe'
    - '*\cmd.exe'
  condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or (SELECTION_4 and SELECTION_5)))
falsepositives:
- Legitimate Rclone usage (rare)
id: cb7286ba-f207-44ab-b9e6-760d82b84253
level: high
logsource:
  category: process_creation
  product: windows
references:
- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
status: deprecated
tags:
- attack.exfiltration
- attack.t1567.002