Rclone Use Detection
Query
let Timeframe = 2d; // Choose the best timeframe for your investigation
DeviceProcessEvents
| where TimeGenerated > ago(Timeframe)
| where ProcessVersionInfoProductName has "Rclone"
| where ProcessCommandLine contains @"rclone" or ProcessCommandLine contains @"--Launch"
| project TimeGenerated, DeviceName, FolderPath, FileName, ProcessCommandLine, ProcessCreationTime, AccountName, AccountUpn
| sort by TimeGenerated descAbout this query
Rclone use detection
Description
The following query will detect execution of the Rclone command-line program which is related to ransomware exfiltration activity.
References
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-data-exfiltration
- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
Microsoft Defender XDR
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 23/05/2024 | Initial publish |
Explanation
This query is designed to detect the use of the Rclone command-line program, which is often associated with ransomware activities involving data exfiltration. Here's a simple breakdown of what the query does:
-
Timeframe: It looks at data from the past two days (2d).
-
Data Source: The query examines events related to processes on devices (
DeviceProcessEvents). -
Filter Criteria:
- It checks for processes where the product name includes "Rclone".
- It further filters these processes to those where the command line includes the term "rclone" or "--Launch".
-
Data Projection: It selects specific details about these processes, including:
- When the event was generated (
TimeGenerated). - The name of the device where the process ran (
DeviceName). - The path and name of the folder and file involved (
FolderPath,FileName). - The full command line used to run the process (
ProcessCommandLine). - When the process was created (
ProcessCreationTime). - The account name and user principal name associated with the process (
AccountName,AccountUpn).
- When the event was generated (
-
Sorting: The results are sorted by the time the event was generated, in descending order, so the most recent events appear first.
This query helps security teams identify potential malicious activity involving Rclone, aiding in the investigation of data exfiltration incidents.
Details

Michalis Michalos
Released: May 23, 2024
Tables
Keywords
Operators