title: Rclone Config File Creation
author: Aaron Greetham (@beardofbinary) - NCC Group
date: 2021/05/26
description: Detects Rclone config file being created
detection:
  SELECTION_1:
    EventID: 11
  SELECTION_2:
    TargetFilename: '*:\Users\\*'
  SELECTION_3:
    TargetFilename: '*\.config\rclone\\*'
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Legitimate Rclone usage (rare)
id: 34986307-b7f4-49be-92f3-e7a4d01ac5db
level: high
logsource:
  category: file_event
  product: windows
modified: 2021/10/04
references:
- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
status: experimental
tags:
- attack.exfiltration
- attack.t1567.002
ruletype: SIGMA