Query Details

Rclone Use Detection

Query

# Rclone use detection

## Description

The following query will detect execution of the Rclone command-line program.

### References
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-data-exfiltration
- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/

### Microsoft Defender XDR
```kql
let Timeframe = 2d; // Choose the best timeframe for your investigation
DeviceProcessEvents
    | where TimeGenerated > ago(Timeframe)
    | where ProcessVersionInfoProductName has "Rclone"
    | where ProcessCommandLine contains @"rclone" or ProcessCommandLine contains @"--Launch"
    | project TimeGenerated, DeviceName, FolderPath, FileName, ProcessCommandLine, ProcessCreationTime, AccountName, AccountUpn
    | sort by TimeGenerated desc
```

### Versioning
| Version       | Date          | Comments                               |
| ------------- |---------------| ---------------------------------------|
| 1.0           | 23/05/2024    | Initial publish                        |

Explanation

This query detects execution of the Rclone command-line program on devices within a specified timeframe (2 days by default). It keeps only process events whose version-info product name has "Rclone" and whose command line contains "rclone" or "--Launch", then projects the device name, file path and name, command line, process creation time and account details, sorted newest first.
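The filter chain above can be walked through offline. The following Python re-implementation is an added example, not part of the original query or its author's work: it applies the same three `where` conditions, the `project` list and the `sort` to a handful of constructed DeviceProcessEvents-style rows (device names, paths and accounts are made up), and approximates KQL's case-insensitive `has` (whole-term) and `contains` (substring) operators. Running it shows which rows survive, including a row whose version info says Rclone but whose command line never mentions it, which the conjunction of the two `where` clauses drops.

```python
"""Added example: Python walk-through of the page's KQL filter over
constructed DeviceProcessEvents-style rows. Not the page's own code."""
import re
from datetime import datetime, timedelta, timezone

# Columns kept by the query's `project` clause.
PROJECTED_COLUMNS = ["TimeGenerated", "DeviceName", "FolderPath", "FileName",
                     "ProcessCommandLine", "ProcessCreationTime", "AccountName", "AccountUpn"]

# Constructed reference point standing in for KQL's now()/ago().
NOW = datetime(2024, 5, 23, 12, 0, tzinfo=timezone.utc)


def _row(hours_ago, device, path, product, cmdline, user):
    """Build one constructed DeviceProcessEvents-style record (sample data, not real telemetry)."""
    ts = NOW - timedelta(hours=hours_ago)
    return {
        "TimeGenerated": ts, "ProcessCreationTime": ts, "DeviceName": device,
        "FolderPath": path, "FileName": path.rsplit("\\", 1)[-1],
        "ProcessVersionInfoProductName": product, "ProcessCommandLine": cmdline,
        "AccountName": user, "AccountUpn": f"{user}@example.com",
    }


SAMPLE_EVENTS = [
    # Plain rclone copy to a remote, inside the 2-day window: should match.
    _row(3, "WS-01", r"C:\Users\alice\Downloads\rclone.exe", "Rclone",
         r"rclone.exe copy C:\Data remote:bucket --progress", "alice"),
    # Binary renamed to svchost.exe; version info still says Rclone, but the
    # command line never mentions "rclone" or "--Launch", so the third `where` drops it.
    _row(5, "WS-02", r"C:\Temp\svchost.exe", "Rclone",
         r"svchost.exe sync C:\Finance remote:share", "bob"),
    # Unrelated process whose command line merely mentions rclone: product-name filter drops it.
    _row(2, "WS-03", r"C:\Windows\explorer.exe", "Microsoft Windows Operating System",
         r"explorer.exe /select,C:\Users\carol\rclone-notes.txt", "carol"),
    # Genuine rclone run, but three days old: outside the timeframe.
    _row(72, "WS-04", r"C:\Tools\rclone.exe", "Rclone", "rclone.exe ls remote:", "dave"),
    # Mixed-case variant: KQL `has` and `contains` are case-insensitive, so it matches.
    _row(1, "WS-05", r"D:\bin\RCLONE.EXE", "rclone", "RCLONE.EXE move C:\\HR remote:x", "erin"),
]


def kql_has(text, term):
    """Approximation of KQL `has`: case-insensitive match of a whole term,
    with term boundaries taken as non-alphanumeric characters."""
    pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
    return re.search(pattern, text, re.IGNORECASE) is not None


def kql_contains(text, needle):
    """KQL `contains`: case-insensitive substring match."""
    return needle.lower() in text.lower()


def detect_rclone_use(events, now=NOW, timeframe=timedelta(days=2)):
    """Apply the query's filters in order and return the projected rows, newest first."""
    hits = []
    for ev in events:
        # where TimeGenerated > ago(Timeframe)
        if not ev["TimeGenerated"] > now - timeframe:
            continue
        # where ProcessVersionInfoProductName has "Rclone"
        if not kql_has(ev["ProcessVersionInfoProductName"], "Rclone"):
            continue
        # where ProcessCommandLine contains "rclone" or ProcessCommandLine contains "--Launch"
        cmd = ev["ProcessCommandLine"]
        if not (kql_contains(cmd, "rclone") or kql_contains(cmd, "--Launch")):
            continue
        # project <columns>
        hits.append({col: ev[col] for col in PROJECTED_COLUMNS})
    # sort by TimeGenerated desc
    return sorted(hits, key=lambda r: r["TimeGenerated"], reverse=True)


if __name__ == "__main__":
    for hit in detect_rclone_use(SAMPLE_EVENTS):
        print(hit["TimeGenerated"].isoformat(), hit["DeviceName"], hit["ProcessCommandLine"])
```

With the constructed rows, only WS-05 and WS-01 are returned (in that order). The WS-02 row is the one worth noticing when tuning: it passes the product-name check but not the command-line check, so a detection engineer who wants the `has "Rclone"` condition alone to fire would need to relax the third `where`, at the cost of the extra false positives the author's conjunction avoids.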

Details


Michalis Michalos

Released: May 23, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents,Rclone,ProcessVersionInfoProductName,ProcessCommandLine,TimeGenerated,DeviceName,FolderPath,FileName,ProcessCreationTime,AccountName,AccountUpn

Operators

where, has, contains, project, sort by
