PUA - Restic Backup Tool Execution
Detects the execution of the Restic backup tool, which can be used for data exfiltration. Threat actors may leverage Restic to back up and exfiltrate sensitive data to remote storage locations, including cloud services. If not legitimately used in the enterprise environment, its presence may indicate malicious activity.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Exfiltration | T1048 Exfiltration Over Alternative Protocol, T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Security-Auditing | 4688 | A new process has been created. |
Stages and Predicates
Stage 1: 1 of selection_specific
or:
CommandLine|contains: ' -r '
CommandLine|contains: --password-file
CommandLine|contains: init
CommandLine|contains: ' -r '
CommandLine|contains: --use-fs-snapshot
CommandLine|contains: backup
Stage 2: 1 of selection_restic
or:
CommandLine|contains: ' b2:'
CommandLine|contains: ' gs:'
CommandLine|contains: 'azure:'
CommandLine|contains: 'rclone:'
CommandLine|contains: 'rest:http'
CommandLine|contains: s3.http
CommandLine|contains: 's3:s3.'
CommandLine|contains: 'sftp:'
CommandLine|contains: 'swift:'
CommandLine|contains: ' -r '
CommandLine|contains: ' init '
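To see how these two stages behave on real-looking telemetry, the following Python is an added example (not part of the rule or the catalog) that evaluates each stage as the OR of its `CommandLine|contains` values exactly as listed above, applying Sigma's case-insensitive substring semantics. The command lines are constructed samples, not captured events.

```python
"""Evaluate the PUA - Restic Backup Tool Execution predicates against
process-creation command lines (Sysmon EID 1 / Security 4688).
Added example with constructed sample data."""

# Predicate values copied from the rule page, grouped by stage.  Each stage
# is evaluated as an OR over its values, as the page lists them.
STAGES = {
    "selection_specific": [
        " -r ", "--password-file", "init",
        " -r ", "--use-fs-snapshot", "backup",
    ],
    "selection_restic": [
        " b2:", " gs:", "azure:", "rclone:", "rest:http", "s3.http",
        "s3:s3.", "sftp:", "swift:", " -r ", " init ",
    ],
}

def matched_predicates(command_line, stage):
    """Return the sorted, de-duplicated values of one stage found in the
    command line.  Sigma string modifiers compare case-insensitively, so
    both sides are lower-cased before the substring test."""
    haystack = command_line.lower()
    return sorted({p for p in STAGES[stage] if p.lower() in haystack})

def evaluate(command_line):
    """Return {stage: [hits]} for every stage with at least one hit."""
    result = {}
    for stage in STAGES:
        hits = matched_predicates(command_line, stage)
        if hits:
            result[stage] = hits
    return result

def rule_fires(command_line):
    """The rule fires when any stage has a hit (1 of selection_*)."""
    return bool(evaluate(command_line))

# Constructed command lines: two restic invocations (repository init and a
# snapshot-based backup to remote backends) and one unrelated process.
SAMPLES = [
    "restic.exe -r s3:s3.example.com/example-bucket init --password-file C:\\Temp\\pw.txt",
    "restic.exe -r sftp:user@backup.example.net:/repo backup --use-fs-snapshot C:\\Users",
    "C:\\Windows\\System32\\cmd.exe /c dir C:\\Users",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(rule_fires(line), evaluate(line), line)
```

Note that the note-wrapped values such as `' -r '` and `' init '` depend on the surrounding spaces, so a token glued to a path or quote character would not count as a hit.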
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators. A blank cell or a count of 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| CommandLine | match | |