Rclone Config File Creation

 1title: Rclone Config File Creation
 2id: 34986307-b7f4-49be-92f3-e7a4d01ac5db
 3status: test
 4description: Detects Rclone config files being created
 5references:
 6    - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
 7author: Aaron Greetham (@beardofbinary) - NCC Group
 8date: 2021-05-26
 9modified: 2023-05-09
10tags:
11    - attack.exfiltration
12    - attack.t1567.002
13logsource:
14    product: windows
15    category: file_event
16detection:
17    selection:
18        TargetFilename|contains|all:
19            - ':\Users\'
20            - '\.config\rclone\'
21    condition: selection
22falsepositives:
23    - Legitimate Rclone usage
24level: medium

References

• NCC Group’s Cyber Incident Response Team (CIRT) have responded to a large number of ransomware cases where frequently the open source tool Rclone being used for data exfiltration. Rclone provides a...

  
  Read More

Related rules

• APT40 Dropbox Tool User Agent
• DNS Query To MEGA Hosting Website
• DNS Query To MEGA Hosting Website - DNS Client
• DNS Query To Ufile.io
• DNS Query To Ufile.io - DNS Client