Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
title: Rclone config file creation
description: Detects Rclone config file being created
status: experimental
date: 2021/05/26
author: Aaron Greetham (@beardofbinary) - NCC Group
references:
- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
tags:
- attack.exfiltration
- attack.t1567.002
falsepositives:
- Legitimate Rclone usage (rare)
level: high
logsource:
product: windows
service: sysmon
category: file_event
detection:
file_selection:
EventID: 11
TargetFilename:
- 'C:\Users\*\.config\rclone\*'
condition: file_selection
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment