PUA - Rclone Execution

Severity: high
Author: Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group
Source: upstream

Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc

MITRE ATT&CK coverage

Tactic	Techniques
Exfiltration	`T1567.002` Exfiltration Over Web Service: Exfiltration to Cloud Storage

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `selection_specific_options`

CommandLine|contains: ' copy '
CommandLine|contains: '--config '
CommandLine|contains: '--no-check-certificate '

Stage 2: `all of selection_rclone_img`

or:
Description: 'Rsync for cloud storage'
Image|endswith: '\rclone.exe'

Stage 3: `all of selection_rclone_cli`

or:
CommandLine|contains: auto-confirm
CommandLine|contains: config
CommandLine|contains: copy
CommandLine|contains: ftp
CommandLine|contains: ignore-existing
CommandLine|contains: ls
CommandLine|contains: lsd
CommandLine|contains: mega
CommandLine|contains: multi-thread-streams
CommandLine|contains: 'no-check-certificate '
CommandLine|contains: pass
CommandLine|contains: pcloud
CommandLine|contains: remote
CommandLine|contains: sync
CommandLine|contains: transfers
CommandLine|contains: user

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`copy` corpus 4 (sigma 4) `--config` `--no-check-certificate` `auto-confirm` `config` corpus 8 (sigma 8) `copy` corpus 3 (sigma 3) `ftp` corpus 2 (sigma 2) `ignore-existing` `ls` `lsd` `mega` `multi-thread-streams` `no-check-certificate` `pass` `pcloud` `remote` `sync` `transfers` `user` corpus 4 (sigma 4)
`Description`	eq	`Rsync for cloud storage`
`Image`	ends_with	`\rclone.exe`