Rclone SMB Share Exfiltration

Feb 23, 2024 · attack.exfiltration attack.t1567.002 ·

Detection of a exfiltration activity using rclone from Windows network shares using SMB.

Sigma rule (View on GitHub)

 1title: Rclone SMB Share Exfiltration
 2id: 889bc648-5164-44f4-9388-fb5d6b58a7b2 
 3status: experimental
 4description: Detection of a exfiltration activity using rclone from Windows network shares using SMB.
 5author: TheDFIRReport
 6date: 2022-09-12
 7modified: 2023-01-08
 8references:
 9  - https://thedfirreport.com/
10logsource:
11  product: zeek
12  service: smb_files
13detection:
14  selection:
15    file_name|endswith:
16      - '\rclone.exe'
17  condition: selection
18falsepositives:
19  - Approved business backup processes.
20level: medium
21tags:
22  - attack.exfiltration
23  - attack.t1567.002

References

The DFIR Report

Real Intrusions by Real Attackers, The Truth Behind the Intrusion

Read More

Related rules

DNS Query for Ufile.io Upload Domain
PUA - Rclone Execution
DNS Query for Anonfiles.com Domain - DNS Client
DNS Query for Anonfiles.com Domain - Sysmon
Rclone Activity via Proxy

Rclone SMB Share Exfiltration

Sigma rule (View on GitHub)

References

The DFIR Report

Related rules