mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 10:13:57 +00:00
33 lines
985 B
YAML
33 lines
985 B
YAML
title: RClone Execution
|
|
id: a0d63692-a531-4912-ad39-4393325b2a9c
|
|
status: experimental
|
|
description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
|
|
tags:
|
|
- attack.exfiltration
|
|
- attack.t1567.002
|
|
author: Bhabesh Raj
|
|
date: 2021/05/10
|
|
references:
|
|
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware
|
|
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
|
|
- https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone
|
|
fields:
|
|
- CommandLine
|
|
- ParentCommandLine
|
|
- Details
|
|
falsepositives:
|
|
- Legitimate RClone use
|
|
level: high
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection:
|
|
Description: 'Rsync for cloud storage'
|
|
selection2:
|
|
CommandLine|contains|all:
|
|
- '--config '
|
|
- '--no-check-certificate '
|
|
- ' copy '
|
|
condition: 1 of them
|