Rule Documentation: Detection of rclone Usage in File Events
Rcloneconfigfile
Query
DeviceFileEvents
| where FolderPath contains @"rclone\" and InitiatingProcessParentFileName != @"Install WD Discovery"About this query
Rule Documentation: Detection of rclone Usage in File Events
Description
This detection rule identifies file events related to the usage of the rclone tool. Rclone is a legitimate command-line program used for syncing files and directories to and from various cloud storage providers. However, its usage in certain contexts may indicate potential data exfiltration or unauthorized file operations if used maliciously.
Detection Logic
- Monitors
DeviceFileEventsfor events where:- The
FolderPathcontains the string "rclone", and - The
InitiatingProcessParentFileNamedoes not equal "Install WD Discovery".
- The
Tags
- File Events
- Data Exfiltration
- Unauthorized File Operations
- Cloud Storage
- rclone
- Suspicious Activity
Search Query
Explanation
This query looks for file events that involve the use of the rclone tool, which is used for syncing files to and from cloud storage. It checks if the folder path contains "rclone" and the parent process is not "Install WD Discovery". This helps detect potential data exfiltration or unauthorized file operations.
Details

Ali Hussein
Released: May 23, 2024
Tables
DeviceFileEvents
Keywords
DeviceFileEventsFolderPathInitiatingProcessParentFileName
Operators
contains!=