PUA - Rclone Execution

 1title: PUA - Rclone Execution
 2id: e37db05d-d1f9-49c8-b464-cee1a4b11638
 3related:
 4    - id: a0d63692-a531-4912-ad39-4393325b2a9c
 5      type: obsolete
 6    - id: cb7286ba-f207-44ab-b9e6-760d82b84253
 7      type: obsolete
 8status: test
 9description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
10references:
11    - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
12    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware
13    - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
14    - https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone
15    - https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html
16author: Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group
17date: 2021-05-10
18modified: 2023-03-05
19tags:
20    - attack.exfiltration
21    - attack.t1567.002
22logsource:
23    product: windows
24    category: process_creation
25detection:
26    selection_specific_options:
27        CommandLine|contains|all:
28            - '--config '
29            - '--no-check-certificate '
30            - ' copy '
31    selection_rclone_img:
32        - Image|endswith: '\rclone.exe'
33        - Description: 'Rsync for cloud storage'
34    selection_rclone_cli:
35        CommandLine|contains:
36            - 'pass'
37            - 'user'
38            - 'copy'
39            - 'sync'
40            - 'config'
41            - 'lsd'
42            - 'remote'
43            - 'ls'
44            - 'mega'
45            - 'pcloud'
46            - 'ftp'
47            - 'ignore-existing'
48            - 'auto-confirm'
49            - 'transfers'
50            - 'multi-thread-streams'
51            - 'no-check-certificate '
52    condition: selection_specific_options or all of selection_rclone_*
53fields:
54    - CommandLine
55    - ParentCommandLine
56    - Details
57falsepositives:
58    - Unknown
59level: high

References

• NCC Group’s Cyber Incident Response Team (CIRT) have responded to a large number of ransomware cases where frequently the open source tool Rclone being used for data exfiltration. Rclone provides a...

  
  Read More

• Sodinokibi (aka REvil) Ransomware

  

  Intro Sodinokibi (aka REvil) has been one of the most prolific ransomware as a service (RaaS) groups over the last couple years. The ransomware family was purported to be behind the Travelex intrus…

  
  Read More

• FiveHands Ransomware | CISA

  Initial Access The initial access vector was a zero-day vulnerability in a virtual private network (VPN) product (Exploit Public-Facing Application [T1190]). Publicly Available Tool: SoftPerfect Ne...

  
  Read More

• Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone - SentinelLabs

  

  Egregor ransomware is one of the more aggressive and complex RaaS families to date, with password-protected payloads designed to evade analysis.

  
  Read More

• DarkSide Ransomware: Splunk Threat Update and Detections | Splunk

  

  Splunk Threat Research Team (STRT) replicated the DarkSide Ransomware Attack and has released an Analytic Story with several detection searches directed at community shared IOCs.

  
  Read More

Related rules

• APT40 Dropbox Tool User Agent
• DNS Query To MEGA Hosting Website
• DNS Query To MEGA Hosting Website - DNS Client
• DNS Query To Ufile.io
• DNS Query To Ufile.io - DNS Client