Potential Data Exfiltration via Rclone

Identifies abuse of rclone (or a renamed copy, e.g. one disguised as a security or backup utility) to exfiltrate data to cloud storage or remote endpoints. Rclone is a legitimate file sync tool; threat actors rename it to blend with administrative traffic and use copy/sync with cloud backends (e.g. :s3:) and --include filters to exfiltrate specific file types.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/03/18"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
maturity = "production"
updated_date = "2026/03/18"

[rule]
author = ["Elastic"]
description = """
Identifies abuse of rclone (or a renamed copy, e.g. one disguised as a security or backup utility) to exfiltrate data to
cloud storage or remote endpoints. Rclone is a legitimate file sync tool; threat actors rename it to blend with
administrative traffic and use copy/sync with cloud backends (e.g. :s3:) and --include filters to exfiltrate specific
file types.
"""
from = "now-9m"
index = [
    "endgame-*",
    "logs-crowdstrike.fdr*",
    "logs-endpoint.events.process-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-system.security*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Potential Data Exfiltration via Rclone"
note = """## Triage and analysis

### Investigating Potential Data Exfiltration via Rclone

Rclone is a legitimate file synchronization tool. Threat actors abuse it (often renamed, e.g. to TrendFileSecurityCheck.exe) to exfiltrate data to S3, HTTP endpoints, or other cloud backends, using `copy`/`sync` with `--include` filters and a high `--transfers` value to move specific file types at scale.

### Possible investigation steps

- Confirm the command line for `copy`/`sync`, the cloud backend (e.g. `:s3:`, `:http:`), and options such as `--include`, `--transfers`, `-P`.
- If the process name is not `rclone.exe`, compare it with `process.pe.original_file_name`; a name that differs while the PE original file name is still `rclone.exe` indicates a renamed copy used to evade name-based detection. The rule depends on that PE metadata, so a copy whose version resource has also been altered will not match on name.
- From the command line, identify the source path (e.g. UNC or local) and the remote backend (S3 bucket, HTTP endpoint) as the exfil destination.
- Review `--include`/`--exclude` and `--max-age`/`--max-size` to understand what data was targeted (documents, CAD, archives, etc.).
- Correlate with the process executable path (recently dropped?), parent process, and user; look for outbound network connections from the same process to the backend's endpoint.

### False positive analysis

- Legitimate backup or sync jobs using rclone from a known path and config may trigger; allowlist by process path or `--config` path for approved rclone usage.

### Response and remediation

- Terminate the rclone process and isolate the host if exfiltration is confirmed.
- Identify and revoke access to the destination (S3 bucket, API keys, etc.); preserve logs for the exfil session.
- Determine the scope of data exposed and notify stakeholders; rotate credentials and secrets that may have been in exfiltrated paths.
"""
references = [
    "https://attack.mitre.org/techniques/T1048/",
    "https://rclone.org/commands/rclone_copy/",
]
risk_score = 47
rule_id = "3f4c2b18-9d2e-4b7a-a3c1-8e6d9f2b5c7e"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Exfiltration",
    "Resources: Investigation Guide",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Crowdstrike",
    "Data Source: Elastic Endgame",
    "Data Source: Windows Security Event Logs"
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
 (process.name : "rclone.exe" or ?process.pe.original_file_name == "rclone.exe") and process.args : ("copy", "sync") and
  not process.args : ("--config=?:\\Program Files\\rclone\\config\\rclone\\rclone.conf", "--config=?:\\Program Files (x86)\\rclone\\config\\rclone\\rclone.conf") and
  not process.executable : ("?:\\Program Files*", "\\Device\\HarddiskVolume*\\Program Files*")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1048"
name = "Exfiltration Over Alternative Protocol"
reference = "https://attack.mitre.org/techniques/T1048/"

[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
