Query Details

Rclone Copy Process Args

Query

//Any use of rclone should be heavily scrutinized in the environment. It is a common binary to see attackers use to get data out
// Definitely block the usage of rclone as a binary and as a cloud app (by denying consent)
//Make sure to block rclone.org and https://github.com/rclone/rclone
let rclone_args = pack_array('copy','ignore-existing','auto-confirm'); //not including binary name in here in case attacker renames binary.
DeviceProcessEvents
| where TimeGenerated > ago(90d)
| where ProcessCommandLine has_all(rclone_args) or ProcessCommandLine contains "rclone.exe copy" or FileName == "rclone.exe" //cover rename, args and standard use of binary

//Flags for copy command (not including global flags such as auto-confirm):
//      --absolute                Put a leading / in front of path names
//      --combined string         Make a combined report of changes to this file
//      --create-empty-src-dirs   Create empty source dirs on destination after copy
//      --csv                     Output in CSV format
//      --dest-after string       Report all files that exist on the dest post-sync
//      --differ string           Report all non-matching files to this file
//  -d, --dir-slash               Append a slash to directory names (default true)
//      --dirs-only               Only list directories
//      --error string            Report all files with errors (hashing or reading) to this file
//      --files-only              Only list files (default true)
//  -F, --format string           Output format - see lsf help for details (default "p")
//      --hash h                  Use this hash when h is used in the format MD5|SHA-1|DropboxHash (default "md5")
//  -h, --help                    help for copy
//      --match string            Report all matching files to this file
//      --missing-on-dst string   Report all files missing from the destination to this file
//      --missing-on-src string   Report all files missing from the source to this file
//  -s, --separator string        Separator for the items in the format (default ";")
//  -t, --timeformat string       Specify a custom time format, or 'max' for max precision supported by remote (default: 2006-01-02 15:04:05)

//Flags for anything which can copy a file (flag group Copy):
//      --check-first                                 Do all the checks before starting transfers
//  -c, --checksum                                    Check for changes with size & checksum (if available, or fallback to size only)
//      --compare-dest stringArray                    Include additional server-side paths during comparison
//      --copy-dest stringArray                       Implies --compare-dest but also copies files from paths into destination
//      --cutoff-mode HARD|SOFT|CAUTIOUS              Mode to stop transfers when reaching the max transfer limit HARD|SOFT|CAUTIOUS (default HARD)
//      --ignore-case-sync                            Ignore case when synchronizing
//      --ignore-checksum                             Skip post copy check of checksums
//      --ignore-existing                             Skip all files that exist on destination
//      --ignore-size                                 Ignore size when skipping use modtime or checksum
//  -I, --ignore-times                                Don't skip items that match size and time - transfer all unconditionally
//      --immutable                                   Do not modify files, fail if existing files have been modified
//      --inplace                                     Download directly to destination file instead of atomic download to temp/rename
//  -l, --links                                       Translate symlinks to/from regular files with a '.rclonelink' extension
//      --max-backlog int                             Maximum number of objects in sync or check backlog (default 10000)
//      --max-duration Duration                       Maximum duration rclone will transfer data for (default 0s)
//      --max-transfer SizeSuffix                     Maximum size of data to transfer (default off)
//  -M, --metadata                                    If set, preserve metadata when copying objects
//      --modify-window Duration                      Max time diff to be considered the same (default 1ns)
//      --multi-thread-chunk-size SizeSuffix          Chunk size for multi-thread downloads / uploads, if not set by filesystem (default 64Mi)
//      --multi-thread-cutoff SizeSuffix              Use multi-thread downloads for files above this size (default 256Mi)
//      --multi-thread-streams int                    Number of streams to use for multi-thread downloads (default 4)
//      --multi-thread-write-buffer-size SizeSuffix   In memory buffer size for writing when in multi-thread mode (default 128Ki)
//      --name-transform stringArray                  Transform paths during the copy process
//      --no-check-dest                               Don't check the destination, copy regardless
//      --no-traverse                                 Don't traverse destination file system on copy
//      --no-update-dir-modtime                       Don't update directory modification times
//      --no-update-modtime                           Don't update destination modtime if files identical
//      --order-by string                             Instructions on how to order the transfers, e.g. 'size,descending'
//      --partial-suffix string                       Add partial-suffix to temporary file name when --inplace is not used (default ".partial")
//      --refresh-times                               Refresh the modtime of remote files
//      --server-side-across-configs                  Allow server-side operations (e.g. copy) to work across different configs
//      --size-only                                   Skip based on size only, not modtime or checksum
//      --streaming-upload-cutoff SizeSuffix          Cutoff for switching to chunked upload if file size is unknown, upload starts after reaching cutoff or when file ends (default 100Ki)
//  -u, --update                                      Skip files that are newer on the destination

//Important flags useful for most commands (flag group Important):
//  -n, --dry-run         Do a trial run with no permanent changes
//  -i, --interactive     Enable interactive mode
//  -v, --verbose count   Print lots more stuff (repeat for more)

//Flags for filtering directory listings (flag group Filter):
//      --delete-excluded                     Delete files on dest excluded from sync
//      --exclude stringArray                 Exclude files matching pattern
//      --exclude-from stringArray            Read file exclude patterns from file (use - to read from stdin)
//      --exclude-if-present stringArray      Exclude directories if filename is present
//      --files-from stringArray              Read list of source-file names from file (use - to read from stdin)
//      --files-from-raw stringArray          Read list of source-file names from file without any processing of lines (use - to read from stdin)
//  -f, --filter stringArray                  Add a file filtering rule
//      --filter-from stringArray             Read file filtering patterns from a file (use - to read from stdin)
//      --hash-filter string                  Partition filenames by hash k/n or randomly @/n
//      --ignore-case                         Ignore case in filters (case insensitive)
//      --include stringArray                 Include files matching pattern
//      --include-from stringArray            Read file include patterns from file (use - to read from stdin)
//      --max-age Duration                    Only transfer files younger than this in s or suffix ms|s|m|h|d|w|M|y (default off)
//      --max-depth int                       If set limits the recursion depth to this (default -1)
//      --max-size SizeSuffix                 Only transfer files smaller than this in KiB or suffix B|K|M|G|T|P (default off)
//      --metadata-exclude stringArray        Exclude metadatas matching pattern
//      --metadata-exclude-from stringArray   Read metadata exclude patterns from file (use - to read from stdin)
//      --metadata-filter stringArray         Add a metadata filtering rule
//      --metadata-filter-from stringArray    Read metadata filtering patterns from a file (use - to read from stdin)
//      --metadata-include stringArray        Include metadatas matching pattern
//      --metadata-include-from stringArray   Read metadata include patterns from file (use - to read from stdin)
//      --min-age Duration                    Only transfer files older than this in s or suffix ms|s|m|h|d|w|M|y (default off)
//      --min-size SizeSuffix                 Only transfer files bigger than this in KiB or suffix B|K|M|G|T|P (default off)

//Flags for listing directories (flag group Listing):
//      --default-time Time   Time to show if modtime is unknown for files and directories (default 2000-01-01T00:00:00Z)
//      --fast-list           Use recursive list if available; uses more memory but fewer transactions

Explanation

This KQL (Kusto Query Language) query is designed to detect use of the "rclone" tool within an environment; rclone is a legitimate sync utility that attackers frequently use to exfiltrate data. Here is a breakdown of what the query does:

  1. Purpose: The query identifies process events in which "rclone" is used, since its presence and usage should be scrutinized because of its potential misuse for data exfiltration.

  2. Time Frame: The query looks at DeviceProcessEvents from the last 90 days.

  3. Detection Criteria (any one of the three clauses is enough to match):

    • It checks for command lines that contain all three of the arguments 'copy', 'ignore-existing' and 'auto-confirm'. The binary name is deliberately left out of this list so that a renamed binary is still caught by its arguments.
    • It also looks for command lines that explicitly mention "rclone.exe copy", or process events where the file name is exactly "rclone.exe". Together with the argument check, this covers both standard invocations and renamed copies of the binary.
  4. Actionable Insights:

    • The query's comments recommend blocking the use of "rclone" both as a binary and as a cloud application (by denying consent to the app).
    • They also recommend blocking access to rclone.org and the rclone GitHub repository to prevent downloading or updating the tool.
  5. Additional Information: The query includes comments listing the flags and options available to "rclone" copy operations, which are useful for understanding the tool's capabilities and for recognising suspicious argument combinations in command lines.

Overall, this query is one part of a security control that monitors, and where possible blocks, the use of "rclone" to protect against unauthorized data transfers.
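To see what each of the three clauses does and does not catch, here is an added Python emulation (not part of the page's query) that runs the same logic over constructed DeviceProcessEvents rows. The `kql_has` and `kql_contains` helpers are approximations of the KQL operators, and the file names, paths and remote name are made up.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Argument set from the page's query (binary name deliberately excluded).
RCLONE_ARGS = ("copy", "ignore-existing", "auto-confirm")

@dataclass
class ProcessEvent:
    """Minimal stand-in for a DeviceProcessEvents row (constructed, not real telemetry)."""
    file_name: str
    command_line: str

def kql_has(text: str, term: str) -> bool:
    """Approximates KQL `has`: case-insensitive, whole-term match (no hit
    inside a longer token such as 'robocopy'), unlike substring `contains`."""
    pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
    return re.search(pattern, text, re.IGNORECASE) is not None

def kql_has_all(text: str, terms) -> bool:
    return all(kql_has(text, t) for t in terms)

def kql_contains(text: str, needle: str) -> bool:
    """KQL `contains` is a case-insensitive substring match."""
    return needle.lower() in text.lower()

def match_clause(ev: ProcessEvent) -> Optional[str]:
    """Return the name of the query clause that fires for this row, or None.
    KQL `==` on strings is case-sensitive, so it is emulated that way here."""
    if kql_has_all(ev.command_line, RCLONE_ARGS):
        return "args"
    if kql_contains(ev.command_line, "rclone.exe copy"):
        return "cmdline"
    if ev.file_name == "rclone.exe":
        return "filename"
    return None

# Constructed sample rows; paths and the remote name "bkt" are made up.
SAMPLE_EVENTS = [
    ProcessEvent("rclone.exe", r"rclone.exe copy C:\Finance remote:bkt --ignore-existing --auto-confirm"),
    ProcessEvent("updater.exe", r"updater.exe copy --auto-confirm --ignore-existing C:\HR remote:bkt"),
    ProcessEvent("rclone.exe", r"rclone.exe sync C:\Data remote:bkt"),
    ProcessEvent("RClone.exe", r"RClone.exe sync C:\Data remote:bkt"),
    ProcessEvent("robocopy.exe", r"robocopy.exe C:\src D:\dst /E"),
]

def triage(events) -> list:
    """Pair each row's file name with the clause that caught it (None = missed)."""
    return [(ev.file_name, match_clause(ev)) for ev in events]
```

The renamed "updater.exe" row is caught by the argument clause alone, while the "RClone.exe" row slips past because `==` is case-sensitive in KQL; `FileName =~ "rclone.exe"` would close that gap.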

Details

Jay Kerai

Released: September 7, 2025

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents

Operators

let, pack_array, DeviceProcessEvents, where, TimeGenerated, ago, has_all, or, contains, ==
