Rclone Config File Creation
Detects Rclone config files being created
Sigma rule (View on GitHub)
1title: Rclone Config File Creation
2id: 34986307-b7f4-49be-92f3-e7a4d01ac5db
3status: test
4description: Detects Rclone config files being created
5references:
6 - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
7author: Aaron Greetham (@beardofbinary) - NCC Group
8date: 2021-05-26
9modified: 2023-05-09
10tags:
11 - attack.exfiltration
12 - attack.t1567.002
13logsource:
14 product: windows
15 category: file_event
16detection:
17 selection:
18 TargetFilename|contains|all:
19 - ':\Users\'
20 - '\.config\rclone\'
21 condition: selection
22falsepositives:
23 - Legitimate Rclone usage
24level: medium
References
-
Cutting-edge cyber security research from NCC Group. Find public reports, technical advisories, analyses, & other novel insights from our global experts.
Read More
Related rules
- DNS Query To MEGA Hosting Website
- DNS Query To MEGA Hosting Website - DNS Client
- DNS Query To Ufile.io
- DNS Query To Ufile.io - DNS Client
- DNS Query for Anonfiles.com Domain - DNS Client