Rclone Activity via Proxy

Aug 12, 2024 · attack.exfiltration attack.t1567.002 ·

Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string

Sigma rule (View on GitHub)

 1title: Rclone Activity via Proxy
 2id: 2c03648b-e081-41a5-b9fb-7d854a915091
 3status: test
 4description: Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string
 5references:
 6    - https://rclone.org/
 7    - https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone
 8author: Janantha Marasinghe
 9date: 2022-10-18
10tags:
11    - attack.exfiltration
12    - attack.t1567.002
13logsource:
14    category: proxy
15detection:
16    selection:
17        c-useragent|startswith: 'rclone/v'
18    condition: selection
19fields:
20    - c-ip
21falsepositives:
22    - Valid requests with this exact user agent to that is used by legitimate scripts or sysadmin operations
23level: medium

References

Rclone

Rclone syncs your files to cloud storage: Google Drive, S3, Swift, Dropbox, Google Cloud Storage, Azure, Box and many more.

Read More
New M365 Business Email Compromise Attacks with Rclone | Kroll

Rclone is a data syncing tool often used by threat actors to exfiltrate data during a ransomware attack. Typically, the actors deploy Rclone after gaining remote access to the victim’s network. Read more.

Read More

Rclone Activity via Proxy

Sigma rule (View on GitHub)

References

Rclone

New M365 Business Email Compromise Attacks with Rclone | Kroll

Related rules