CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
e0936ab2d13ea9ba228c021e130bbad803a1fd1b
hayabusa/rules/sigma/process_creation/win_susp_rclone_execution.yml
DustInDark 0cfa806baf Feature/addruletype to sigma rule#230 (#235) 
* added ruletype to SIGMA rule #230

* added ruletype to SIGMA rule converter tool #231
2021-11-28 18:14:51 +09:00

74 lines
2.0 KiB
YAML
Raw Blame History

title: Rclone Execution via Command Line or PowerShell
author: Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group
date: 2021/05/10
description: Detects execution of RClone utility for exfiltration as used by various
ransomwares strains like REvil, Conti, FiveHands, etc
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*--config *'
SELECTION_3:
CommandLine: '*--no-check-certificate *'
SELECTION_4:
CommandLine: '* copy *'
SELECTION_5:
CommandLine:
- '*pass*'
- '*user*'
- '*copy*'
- '*sync*'
- '*config*'
- '*lsd*'
- '*remote*'
- '*ls*'
- '*mega*'
- '*pcloud*'
- '*ftp*'
- '*ignore-existing*'
- '*auto-confirm*'
- '*transfers*'
- '*multi-thread-streams*'
- '*no-check-certificate *'
SELECTION_6:
EventID: 1
SELECTION_7:
Description: Rsync for cloud storage
SELECTION_8:
Image: '*\rclone.exe'
SELECTION_9:
ParentImage:
- '*\PowerShell.exe'
- '*\cmd.exe'
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4) or (SELECTION_5
and SELECTION_6 and (SELECTION_7 or (SELECTION_8 and SELECTION_9)))))
falsepositives:
- Legitimate RClone use
fields:
- CommandLine
- ParentCommandLine
- Details
id: e37db05d-d1f9-49c8-b464-cee1a4b11638
level: high
logsource:
category: process_creation
product: windows
modified: 2021/10/24
references:
- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
- https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone
- https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html
related:
- id: a0d63692-a531-4912-ad39-4393325b2a9c
type: obsoletes
- id: cb7286ba-f207-44ab-b9e6-760d82b84253
type: obsoletes
status: experimental
tags:
- attack.exfiltration
- attack.t1567.002
ruletype: SIGMA
Reference in New Issue View Git Blame Copy Permalink