Rclone Activity via Proxy

 1title: Rclone Activity via Proxy
 2id: 2c03648b-e081-41a5-b9fb-7d854a915091
 3status: test
 4description: Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string
 5references:
 6    - https://rclone.org/
 7    - https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone
 8author: Janantha Marasinghe
 9date: 2022/10/18
10tags:
11    - attack.exfiltration
12    - attack.t1567.002
13logsource:
14    category: proxy
15detection:
16    selection:
17        c-useragent|startswith: 'rclone/v'
18    condition: selection
19fields:
20    - c-ip
21falsepositives:
22    - Valid requests with this exact user agent to that is used by legitimate scripts or sysadmin operations
23level: medium

References

• Rclone

  

  Rclone syncs your files to cloud storage: Google Drive, S3, Swift, Dropbox, Google Cloud Storage, Azure, Box and many more.

  
  Read More

• New M365 Business Email Compromise Attacks with Rclone | Kroll

  

  Rclone is a data syncing tool often used by threat actors to exfiltrate data during a ransomware attack. Typically, the actors deploy Rclone after gaining remote access to the victim’s network. Read more.

  
  Read More

Related rules

• DNS Query To MEGA Hosting Website
• DNS Query To MEGA Hosting Website - DNS Client
• DNS Query To Ufile.io
• DNS Query To Ufile.io - DNS Client
• Rclone Config File Creation