Query Details

Rclone MS Threat Report

Query

Tags:

DeviceProcessEvents
| where ProcessVersionInfoProductName has "rclone"
| where
    (ProcessCommandLine has_all ("rclone", "lsd", "remote:", @"ftp:", "mega", "--config", "--auto-confirm"))
    or (
        ProcessCommandLine has "--multi-thread-streams"
        and ProcessCommandLine has_all ('copy', 'config', 'create', 'lsd', 'remote', 'mega', 'user', 'pass',
            @'--config', @'--progress', @'--no-check-certificate', @'--ignore-existing', @'--auto-confirm',
            @'--multi-thread-streams', @'--transfers', @'ftp:', @'remote:')
    )
    or (ProcessCommandLine has @"\\")
    or (ProcessCommandLine has_all (@"max-age", @"stats-one-line", @"ignore-existing", @"drive-chunk-size",
        @"transfers", @"include", @"checkers"))
    or (ProcessCommandLine has @"*.{xls,xlsx,doc,docx,pdf}")
| where not (FolderPath has "chocolatey")

References:
Microsoft Threat Intel Report titled Data exfiltration using Rclone and other data synchronization tools
https://github.com/mbabinski/Sigma-Rules/blob/2f12b713e8e51dc2c84fdf8c4c4d714999b6e382/2022_BlackCat_Ransomware/win_susp_process_blackcat_exfiltration.yml#L3

Explanation

The query starts from DeviceProcessEvents and keeps only processes whose ProcessVersionInfoProductName contains "rclone". It then requires the ProcessCommandLine to satisfy at least one of five conditions: (1) it contains every term in the set rclone, lsd, remote:, ftp:, mega, --config and --auto-confirm; (2) it contains --multi-thread-streams together with the full set of copy, config, create, lsd, remote, mega, user and pass terms and the listed flags (--config, --progress, --no-check-certificate, --ignore-existing, --auto-confirm, --multi-thread-streams, --transfers, ftp:, remote:); (3) it contains "\\" (a double backslash, as in a UNC path); (4) it contains all of max-age, stats-one-line, ignore-existing, drive-chunk-size, transfers, include and checkers; or (5) it contains the glob *.{xls,xlsx,doc,docx,pdf}, which selects office documents and PDFs. Finally it drops events whose FolderPath contains "chocolatey", the install location used by the Chocolatey package manager. Because has and has_all match whole terms case-insensitively, punctuation such as the leading "--" or a trailing ":" does not constrain the match. The query's references are the Microsoft Threat Intel report on Rclone exfiltration and the BlackCat Sigma rule on GitHub.
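To show how the five branches and the exclusion combine, here is an added Python re-implementation of the rule run over constructed DeviceProcessEvents rows. It is example code, not the page's query and not Microsoft's or the Sigma rule author's code. The kql_has function is an assumed approximation of KQL term matching (a term is a run of alphanumerics, matched case-insensitively; a needle with no alphanumerics falls back to a substring test), and every event, path and command line in SAMPLE_EVENTS is constructed for the demonstration.

```python
import re
from typing import Iterable, List

TERM_RE = re.compile(r"[A-Za-z0-9]+")


def _terms(text: str) -> List[str]:
    """Split text into lower-cased alphanumeric terms (approximation of KQL term indexing)."""
    return [t.lower() for t in TERM_RE.findall(text)]


def kql_has(haystack: str, needle: str) -> bool:
    """Assumed approximation of KQL `has`: case-insensitive whole-term match.

    A multi-term needle (e.g. "max-age" -> ["max", "age"]) must appear as a
    contiguous term sequence. A needle with no alphanumerics (e.g. "\\\\")
    is checked as a plain substring instead.
    """
    needle_terms = _terms(needle)
    if not needle_terms:
        return needle.lower() in haystack.lower()
    hay_terms = _terms(haystack)
    k = len(needle_terms)
    return any(hay_terms[i:i + k] == needle_terms for i in range(len(hay_terms) - k + 1))


def kql_has_all(haystack: str, needles: Iterable[str]) -> bool:
    """KQL `has_all`: every needle must match."""
    return all(kql_has(haystack, n) for n in needles)


# Term sets copied from the query's branches.
BRANCH_A = ("rclone", "lsd", "remote:", "ftp:", "mega", "--config", "--auto-confirm")
BRANCH_B = ("copy", "config", "create", "lsd", "remote", "mega", "user", "pass",
            "--config", "--progress", "--no-check-certificate", "--ignore-existing",
            "--auto-confirm", "--multi-thread-streams", "--transfers", "ftp:", "remote:")
BRANCH_D = ("max-age", "stats-one-line", "ignore-existing", "drive-chunk-size",
            "transfers", "include", "checkers")
DOC_GLOB = "*.{xls,xlsx,doc,docx,pdf}"


def matches_rclone_rule(event: dict) -> bool:
    """Mirror the KQL: product-name gate, five OR'ed command-line branches, chocolatey exclusion."""
    product = event.get("ProcessVersionInfoProductName", "")
    cmd = event.get("ProcessCommandLine", "")
    folder = event.get("FolderPath", "")
    if not kql_has(product, "rclone"):
        return False
    suspicious = (
        kql_has_all(cmd, BRANCH_A)
        or (kql_has(cmd, "--multi-thread-streams") and kql_has_all(cmd, BRANCH_B))
        or kql_has(cmd, r"\\")
        or kql_has_all(cmd, BRANCH_D)
        or kql_has(cmd, DOC_GLOB)
    )
    return suspicious and not kql_has(folder, "chocolatey")


def run_rule(events: Iterable[dict]) -> List[str]:
    """Return the ids of events the rule would surface."""
    return [e["id"] for e in events if matches_rclone_rule(e)]


# Constructed sample rows (not real telemetry).
SAMPLE_EVENTS = [
    {   # UNC source plus the document glob: branches (3) and (5) both fire
        "id": "unc-docs",
        "ProcessVersionInfoProductName": "Rclone",
        "FolderPath": r"C:\Users\Public\rclone.exe",
        "ProcessCommandLine": r'rclone.exe sync \\fileserver\finance remote:docs --include "*.{xls,xlsx,doc,docx,pdf}"',
    },
    {   # Would match branch (3), but the Chocolatey install path is excluded
        "id": "chocolatey-install",
        "ProcessVersionInfoProductName": "Rclone",
        "FolderPath": r"C:\ProgramData\chocolatey\lib\rclone\tools\rclone.exe",
        "ProcessCommandLine": r"rclone.exe copy \\nas\backup remote:backup",
    },
    {   # Benign invocation: passes the product gate but no branch matches
        "id": "benign-version",
        "ProcessVersionInfoProductName": "Rclone",
        "FolderPath": r"C:\Tools\rclone.exe",
        "ProcessCommandLine": "rclone.exe version",
    },
    {   # Not rclone at all: the product-name gate stops it even with a UNC path
        "id": "not-rclone",
        "ProcessVersionInfoProductName": "Robocopy",
        "FolderPath": r"C:\Windows\System32\Robocopy.exe",
        "ProcessCommandLine": r"robocopy \\srv\share C:\tmp",
    },
    {   # Full flag set of branch (4)
        "id": "flag-set",
        "ProcessVersionInfoProductName": "rclone",
        "FolderPath": r"C:\Tools\rclone.exe",
        "ProcessCommandLine": r"rclone.exe copy C:\Data remote:backup --transfers 4 --checkers 8 --max-age 7d --include *.pdf --ignore-existing --stats-one-line --drive-chunk-size 32M",
    },
    {   # Same command without --checkers: has_all needs every term, so branch (4) fails
        "id": "flag-set-partial",
        "ProcessVersionInfoProductName": "rclone",
        "FolderPath": r"C:\Tools\rclone.exe",
        "ProcessCommandLine": r"rclone.exe copy C:\Data remote:backup --transfers 4 --max-age 7d --include *.pdf --ignore-existing --stats-one-line --drive-chunk-size 32M",
    },
]

if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))
```

Running it lists only unc-docs and flag-set; the partial flag set shows why has_all branches are strict, and the chocolatey row shows that the exclusion applies after a branch has matched, so an rclone copy launched from the package manager's install directory is never surfaced by this query.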

Details

Ali Hussein

Released: September 12, 2023

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents,ProcessVersionInfoProductName,ProcessCommandLine,rclone,lsd,remote:,ftp:,mega,--config,--auto-confirm,--multi-thread-streams,copy,config,create,user,pass,--progress,--no-check-certificate,--ignore-existing,--transfers,drive-chunk-size,include,checkers,*.{xls,xlsx,doc,docx,pdf},\\,max-age,stats-one-line,ignore-existing,FolderPath,chocolatey

Operators

where, has, has_all, or, has_any, not