title: Rclone Execution via Command Line or PowerShell author: Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group date: 2021/05/10 description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc detection: SELECTION_1: EventID: 1 SELECTION_2: CommandLine: '*--config *' SELECTION_3: CommandLine: '*--no-check-certificate *' SELECTION_4: CommandLine: '* copy *' SELECTION_5: CommandLine: - '*pass*' - '*user*' - '*copy*' - '*sync*' - '*config*' - '*lsd*' - '*remote*' - '*ls*' - '*mega*' - '*pcloud*' - '*ftp*' - '*ignore-existing*' - '*auto-confirm*' - '*transfers*' - '*multi-thread-streams*' - '*no-check-certificate *' SELECTION_6: EventID: 1 SELECTION_7: Description: Rsync for cloud storage SELECTION_8: Image: '*\rclone.exe' SELECTION_9: ParentImage: - '*\PowerShell.exe' - '*\cmd.exe' condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4) or (SELECTION_5 and SELECTION_6 and (SELECTION_7 or (SELECTION_8 and SELECTION_9))))) falsepositives: - Legitimate RClone use fields: - CommandLine - ParentCommandLine - Details id: e37db05d-d1f9-49c8-b464-cee1a4b11638 level: high logsource: category: process_creation product: windows modified: 2021/10/24 references: - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/ - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a - https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone - https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html related: - id: a0d63692-a531-4912-ad39-4393325b2a9c type: obsoletes - id: cb7286ba-f207-44ab-b9e6-760d82b84253 type: obsoletes status: experimental tags: - attack.exfiltration - attack.t1567.002 ruletype: SIGMA