Query Details

Rule Documentation: Detection of rclone Usage in File Events

Rcloneconfigfile

Query

DeviceFileEvents
| where FolderPath contains @"rclone\" and InitiatingProcessParentFileName != @"Install WD Discovery"

About this query

Rule Documentation: Detection of rclone Usage in File Events

Description

This detection rule identifies file events related to the usage of the rclone tool. Rclone is a legitimate command-line program used for syncing files and directories to and from various cloud storage providers. However, its usage in certain contexts may indicate potential data exfiltration or unauthorized file operations if used maliciously.

Detection Logic

  • Monitors DeviceFileEvents for events where:
    • The FolderPath contains the string "rclone", and
    • The InitiatingProcessParentFileName does not equal "Install WD Discovery".

Tags

  • File Events
  • Data Exfiltration
  • Unauthorized File Operations
  • Cloud Storage
  • rclone
  • Suspicious Activity

Search Query

Explanation

This query looks for file events that involve the use of the rclone tool, which is used for syncing files to and from cloud storage. It checks if the folder path contains "rclone" and the parent process is not "Install WD Discovery". This helps detect potential data exfiltration or unauthorized file operations.

Details

Ali Hussein profile picture

Ali Hussein

Released: May 23, 2024

Tables

DeviceFileEvents

Keywords

DeviceFileEventsFolderPathInitiatingProcessParentFileName

Operators

contains!=

Actions

GitHub