Suspicious BlackCat-Related Exfiltration Command

Sep 1, 2023 · attack.exfiltration attack.t1020 attack.t1537 ·

Detects process execution of RClone or similar tools used by ransomware operators to exfiltrate data.

Sigma rule (View on GitHub)

 1title: Suspicious BlackCat-Related Exfiltration Command
 2id: 613624be-dabf-4562-b49b-c2fd45773556
 3status: experimental
 4description: Detects process execution of RClone or similar tools used by ransomware operators to exfiltrate data.
 5references:
 6    - https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
 7    - https://rclone.org/docs/
 8author: Micah Babinski
 9date: 2022/12/04
10tags:
11    - attack.exfiltration
12    - attack.t1020
13    - attack.t1537
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        CommandLine|contains|all:
20            - 'copy'
21            - '--max-age'
22            - '--ignore-existing'
23            - '--multi-thread-streams'
24            - '--transfers'
25        CommandLine|contains:
26            - 'ftp'
27            - 'ssh'
28            - '-q'
29    condition: selection
30falsepositives:
31    - Legitimate use of rclone to manage files on cloud storage.
32level: high```

References

The many lives of BlackCat ransomware | Microsoft Security Blog

The use of an unconventional programming language, multiple target devices and possible entry points, and affiliation with prolific threat activity groups have made the BlackCat ransomware a prevalent threat and a prime example of the growing ransomware-as-a-service (RaaS) gig economy.

Read More
Documentation

Rclone Usage

Read More

Suspicious BlackCat-Related Exfiltration Command

Sigma rule (View on GitHub)

References

The many lives of BlackCat ransomware | Microsoft Security Blog

Documentation

Related rules