PUA - Restic Backup Tool Execution
Detects the execution of the Restic backup tool, which can be used for data exfiltration. Threat actors may leverage Restic to back up and exfiltrate sensitive data to remote storage locations, including cloud services. If not legitimately used in the enterprise environment, its presence may indicate malicious activity.
Sigma rule

```yaml
title: PUA - Restic Backup Tool Execution
id: 6ddff2e8-ea1a-45d0-8938-93dfc1d67ae7
status: experimental
description: |
    Detects the execution of the Restic backup tool, which can be used for data exfiltration.
    Threat actors may leverage Restic to back up and exfiltrate sensitive data to remote storage locations, including cloud services.
    If not legitimately used in the enterprise environment, its presence may indicate malicious activity.
references:
    - https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/#exfiltration
    - https://restic.net/
    - https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html
author: Nounou Mbeiri, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-17
tags:
    - attack.exfiltration
    - attack.t1048
    - attack.t1567.002
logsource:
    product: windows
    category: process_creation
detection:
    selection_specific:
        - CommandLine|contains|all:
              - '--password-file'
              - 'init'
              - ' -r '
        - CommandLine|contains|all:
              - '--use-fs-snapshot'
              - 'backup'
              - ' -r '
    selection_restic:
        CommandLine|contains:
            - 'sftp:'
            - 'rest:http'
            - 's3:s3.'
            - 's3.http'
            - 'azure:'
            - ' gs:'
            - 'rclone:'
            - 'swift:'
            - ' b2:'
        CommandLine|contains|all:
            - ' init '
            - ' -r '
    condition: 1 of selection_*
falsepositives:
    - Legitimate use of Restic for backup purposes within the organization.
level: high
```
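To show how the two selections combine under `condition: 1 of selection_*`, here is an added plain-Python re-implementation of the rule's CommandLine matching, run over constructed process-creation events; it is not part of the SigmaHQ rule or of any Sigma backend, and the command lines, paths, bucket and host in it are made up.

```python
# Added example (not from the SigmaHQ rule or page): plain-Python version of the
# rule's two selections, run over constructed process-creation events.

# selection_specific: every string in at least one group must appear.
SELECTION_SPECIFIC = [
    ("--password-file", "init", " -r "),
    ("--use-fs-snapshot", "backup", " -r "),
]
# selection_restic: one remote-backend prefix AND both of ' init ' and ' -r '.
RESTIC_BACKENDS = ("sftp:", "rest:http", "s3:s3.", "s3.http", "azure:",
                   " gs:", "rclone:", "swift:", " b2:")
RESTIC_ALL = (" init ", " -r ")


def matched_selections(command_line):
    """Return the names of the selections a CommandLine value satisfies.

    Sigma string modifiers match case-insensitively by default, so both
    sides are lowercased before the substring tests.
    """
    cl = command_line.lower()
    hits = []
    if any(all(s.lower() in cl for s in g) for g in SELECTION_SPECIFIC):
        hits.append("selection_specific")
    if (any(b.lower() in cl for b in RESTIC_BACKENDS)
            and all(s.lower() in cl for s in RESTIC_ALL)):
        hits.append("selection_restic")
    return hits


def matches_rule(command_line):
    """`condition: 1 of selection_*`: true when any selection matched."""
    return bool(matched_selections(command_line))


# Constructed sample events; the paths, bucket and host are made up.
SAMPLE_EVENTS = [
    r"restic.exe -r s3:s3.amazonaws.com/bucket init --password-file p.txt",
    r"restic.exe -r rest:http://203.0.113.10:8000/ backup C:\Data --use-fs-snapshot",
    r"restic.exe -r D:\repo init",            # local repo, no password file
    r"restic.exe -r D:\repo snapshots",       # listing only, never alerts
    r"robocopy C:\Data D:\Backup /MIR",
]


def triage(events):
    """Return (CommandLine, matched selections) for every event that alerts."""
    return [(e, matched_selections(e)) for e in events if matches_rule(e)]
```

Note that a `--password-file` init against a purely local repository still fires through `selection_specific`, which is where the listed false positive (legitimate in-house Restic use) will most often surface.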
Related rules
- DNS TOR Proxies
- Network Connection Initiated To Mega.nz
- Suspicious Dropbox API Usage
- Data Export From MSSQL Table Via BCP.EXE
- APT40 Dropbox Tool User Agent