Rclone Activity via Proxy

Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string

Sigma rule (View on GitHub)

 1title: Rclone Activity via Proxy
 2id: 2c03648b-e081-41a5-b9fb-7d854a915091
 3status: test
 4description: Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string
 5references:
 6    - https://rclone.org/
 7    - https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone
 8author: Janantha Marasinghe
 9date: 2022-10-18
10tags:
11    - attack.exfiltration
12    - attack.t1567.002
13logsource:
14    category: proxy
15detection:
16    selection:
17        c-useragent|startswith: 'rclone/v'
18    condition: selection
19fields:
20    - c-ip
21falsepositives:
22    - Valid requests with this exact user agent to that is used by legitimate scripts or sysadmin operations
23level: medium

References

Related rules

to-top